Five Smart Ways To Increase Retention Among Cybersecurity Teams

by Karla Reffold

Founder and International MD of BeecherMadden, MD at Nicoll Curtin, Cyber Security Awards Judge, Industry Speaker.

The well-reported cybersecurity skills shortage has worsened and now stands at almost 2.9 million. With too few cybersecurity professionals for the roles required, attracting talent is a key issue. But companies with mature cybersecurity teams are reporting another issue: Retaining their employees is a big challenge. Preliminary results of our salary survey, due out in 2019, tells us that employees achieve a bigger salary increase when moving jobs, and the 2018 report from (ISC)² shows that only 15% of employees have no intention of leaving their current employer.

Ensuring that salary levels are set to attract the best isn’t the only solution to your retention problem. These strategies can also help.

1. Allow project work outside of the day job.

Based on my experience, employees who have a real passion for the job and work on projects in their spare time are the most sought-after. They can demonstrate commitment to their work, and that shows through in an interview. These are the employees who are going to find a way to fix the problem because that’s what they love. They are going to innovate and find better solutions.

Helping them feed that passion benefits everyone. The business gets employees with constantly developing skills who may even find a solution with a business benefit. What we hear from these select few, time and time again, is that they don’t want to move jobs because they don’t think another employer will give them time for these projects. They are happy and motivated.

Employers can make it explicit in a job offer that a key benefit is that a percentage of their working time can be dedicated to personal security projects. It can also be used to attract candidates. Telling a penetration tester they aren't just going to be trying to break into a company, but will also get to try and break this new smart device is exciting and different. It’s my No. 1 tip to retain your technical employees.

2. Make sure cybersecurity is taken seriously by the business.

The best cybersecurity employees are really engaged with the industry and they look externally to find better solutions or to spot trends. If the trend they spot is that their organization is behind or not taking cybersecurity seriously, they will be tempted to move on. These candidates want to effect real change and do a good job. If they are prevented from doing this due to budget constraints, or a leadership team that hasn’t committed to cybersecurity, they will move to an organization where this exists.

To retain your employees, your business leadership need to engage with the security team. Recognition for successes can go a long way. Employees need to get support if business areas aren't cooperating with implementing security processes. The security leadership can also communicate better with the team on what the board is interested in, how budgets were agreed and highlight the successes they have had.

3. Demonstrate a route for career progression.

Respondents have listed career progression as the No. 1 reason for changing jobs almost every year in the six years I have been producing salary reports. It’s more important to candidates than a salary increase. Yet many candidates do not see how they can move up in their current organization. If they are provided with an opportunity to learn new skills and develop their career, if they can see the path, they will stay with your organization.

Regular one-to-ones explaining the opportunities that exist and examples of others who have progressed are both important tools to utilize. Make it obvious what skills (technical and non-technical) they need to obtain to move into the next role. If possible, offer funding and time off for further study to support continuous learning and future advancement. Sometimes, allowing employees the time to do that, can also have an impact on retention as they may be concerned they won't achieve that if they move roles externally.

4. Strong leadership is important.

Part of providing good career progression includes have a strong leader. Having a boss you enjoy working for resonates with everyone, not just those in cybersecurity. One of the nuances of cybersecurity is that some have risen to management very quickly, often as a result of being the only person available to promote. Providing strong leadership to your team really helps employees feel connected to the vision of the business and builds a connection for them in their role.

Having a well-respected cybersecurity leader will help you retain staff, and also attract new ones. This goes beyond gaining good leadership skills. Give your employees time, so that they can learn from you. A cybersecurity leader who is active on the speaking circuit or is seen in the industry as a thought leader will make your employees proud to be a part of your team. 

5. Wait for employees to become fatigued with moving.

This isn’t a quick fix, but it will come. Candidates get approached about jobs on a regular basis — and with 2.9 million roles going unfilled, this isn’t going to change. The most sought-after might be getting approached five or six times a day, every day. After a while, this becomes boring and they stop listening. Employers will prioritize candidates with more longevity in their roles and moving jobs then becomes harder. As salary increases stabilize, moving becomes less attractive.

The cybersecurity skills shortage isn’t going away, but there are some key steps organizations can take to retain these hard-to-find employees and improve employee engagement along the way.

Cyberbit and Cloud Range Cyber Announce the first Cyber Range “As a Service” in North America

Simulated training for cybersecurity teams, powered by the leading cyber range platform, will now be available to thousands of cybersecurity professionals in North America through service providers, VARs, resellers and distributors in the IT channel

Ra’anana, Israel and Nashville, TN – Sept. 27, 2018Cyberbit Ltd. (Cyberbit), a world leading provider of cybersecurity simulation and IT/OT detection and response platforms, and Cloud Range Cyber LLC, (Cloud Range) a pioneer in cybersecurity simulation training, today announced the launch of  Cloud Range’s  Cyber Attack Simulation Training Platform as a Service (CASTaaS) – the first cyber range offering available through the IT channel in North America. With the new Cloud Range service, cybersecurity technology manufacturers, managed security service providers (MSSPs), value-added resellers (VARs), and technology distributors can offer their customers advanced, simulated cybersecurity training powered by the Cyberbit Range platform – the world’s leading cyber simulation platform.

Cloud Range provides the first consumption-based cyber range for enterprises and MSSPs. Organizations can now take advantage of the most advanced cybersecurity training available while bypassing the need to invest in cyber range infrastructure, technology, trainers and administrators, thereby reducing capital expenditures.

Cloud Range selected Cyberbit based on the company’s unique ability to provide hyper-realistic simulation. The Cyberbit Range platform can emulate each customer’s specific network environment by using industry leading cybersecurity technologies including IBM QRadar, Micro Focus ArcSight, Splunk, Palo Alto Networks, and Checkpoint. Customers can train security teams, assess candidates, onboard new hires, and improve cybersecurity team skills on a customizable virtual network environment that mirrors their own. Cloud Range, powered by Cyberbit, offers a complete training platform with unlimited simulated attack scenarios with sessions that are recorded for playback and assessment.

“We are excited to partner with an industry leader like Cyberbit,” said Debbie Gordon, CEO of Cloud Range Cyber LLC. “There is so much demand for cybersecurity training beyond the existing industry training and certifications. Companies now have the ability to be confident that their teams are truly prepared to defend against cyber-attacks by training and upskilling cybersecurity staff on the Cloud Range platform. Additionally, Cloud Range will provide VARs, MSSPs, and distributors the ability to add a unique and differentiated offering to their portfolio while enabling revenue growth of cybersecurity technologies. Ultimately, it will allow more organizations to address the increasing skills shortage and respond to attacks that are growing in volume and complexity.”

"Our partners in the channel continue to be affected by the growing shortage of skilled cyber security professionals,” said Alex Ryals, vice president, Security Solutions, at Tech Data. “This type of hyper-realistic SOC analyst training gives customers the ability to make the necessary investments in security tools, knowing that they can hire and train SOC analysts quickly and effectively on a platform that mirrors their own technology environment."

Cloud Range training can be conducted either remotely or at a customer's site and is administered by Cloud Range instructors. Training courses will range from introductory to advanced, covering the most important security scenarios including incident response, forensics, industrial control system (ICS) attacks, as well as custom scenario capabilities.

“This innovative approach allows companies to bypass the need to invest in cyber range infrastructure and technology, while still giving them the experience and freeing their financial resources to focus on what they do best,” said Adi Dar, CEO of Cyberbit. “Cloud Range’s flexible remote capabilities allow security operations center (SOC) analysts to take part in sessions from where ever they are, minimizing travel and downtime costs. Our goal is for every cybersecurity professional in North America to be able to enjoy cyber range training, and this service will make it possible.”

To become a Cloud Range Partner and learn more about the Cloud Range training offerings,  please visit the Cloud Range Website or email

To learn more about the Cyberbit Range platform, please visit the Cyberbit Range Web Page or email

About Cloud Range
Cloud Range is a pioneer in cybersecurity simulation training, providing the first Cyber Attack Simulation Training Platform as a Service (CASTaaS), available to customers exclusively through cybersecurity Technology Manufacturers, Managed Security Service Providers (MSSPs), Value-Added Resellers (VARs), and Technology Distributors. The Cloud Range training platform can be utilized on-premises at a customer’s site or virtually, led by Cloud Range’s professional instructors. The platform can emulate each customer’s specific network environment, using industry leading cybersecurity technologies that are built in to the platform. Customers can train security teams, assess candidates, onboard new hires, and improve cybersecurity team skills within a customizable, virtual network environment that mirrors their own.  Cloud Range training enables security professionals the ability to “Prepare from Anywhere”™.

Cloud Range Contacts:

Sydney Pugliares, Director of Marketing and Communications, Cloud Range Cyber

Investor Relations

About Cyberbit

Cyberbit provides a consolidated detection and response platform that protects an organization’s entire attack surface across IT, OT and IoT networks. Cyberbit products have been forged in the toughest environments on the globe and include: endpoint detection and response powered by behavioral analysis, security automation, orchestration and response (SOAR), ICS/SCADA security (OT security), and the world’s leading cyber range for simulated cyber training.   Since founded in mid-2015 Cyberbit’s products were rapidly adopted by enterprises, governments, academic institutions and MSSPs around the world. Cyberbit is a subsidiary of Elbit Systems (NASDAQ: ESLT) and has offices in Israel, the US, Europe, and Asia.

Follow Cyberbit on Facebook, LinkedIn and Twitter (@CYBERBITHQ).

Cyberbit Contacts:

Sharon Rosenman, VP Marketing, Cyberbit

Dana Tal-Noyman

Manager Corporate Communications & Digital, Elbit Systems

Tel: 972-77-298809   

Cell: 972-54-9998809

(ISC)² Study Reveals How Companies Overcome Cybersecurity Hiring Challenges

Clearwater, FL, September 20, 2018

70% of companies with adequately-staffed cybersecurity departments train and promote from within, and place a priority on hiring professionals with cybersecurity certifications when recruiting externally

(ISC)² – the world’s largest nonprofit association of certified cybersecurity professionals – today announced the findings of its Building a Resilient Cybersecurity Culture study, in which it found that a strong security-focused culture and adherence to best practices helps companies attract and retain cybersecurity talent. (ISC)² commissioned the study to better understand how successful organizations are overcoming the shortage of skilled cybersecurity talent in a demand-heavy, competitive recruitment environment.

“The growing cybersecurity workforce gap has received a lot of media attention. What we haven’t heard as much about is how some companies are actually succeeding in building their security teams even in the face of this competition for talent. Our empirical analysis shows the demonstrable effect cybersecurity leaders can achieve by fostering a strong cybersecurity culture,” said (ISC)² Director of Cybersecurity Advocacy for North America John McCumber. “The human factors of information security are most effectively accessed, developed, and employed by organizations with this critical professional leadership. This new report provides a window into how this gap can be leveraged by individuals and organizations alike to dramatically improve the protection and management of critical information assets.”

The data is based on a survey of 250 U.S. cybersecurity professionals with oversight of hiring and managing security departments, who say their organization does an adequate job of ensuring it has enough cybersecurity expertise on staff. Key insights from the study include:

  • 97% of respondents indicated that their entire executive management team understands the importance of strong security practices and reinforces those messages with staff

  • When asked which tactics were used to successfully build a strong cyber team, 70% said they hire certified security professionals, 70% train and promote from within, and 52% attribute their success to drafting clear job descriptions

  • 86% said their company employs a CISO

    • Of these, 57% of the CISOs report directly to either the CEO or the board of directors, indicating the level of importance associated with the position

  • 58% of these companies cited having a strong risk management policy as the #1 reason they are confident their capabilities are adequate to protect their enterprise

  • About half (51%) of these companies say they employ at least two dedicated cybersecurity staff, which they believe is critical to cybersecurity readiness

  • 79% of companies said their cybersecurity staff’s average tenure is at least three years

  • 50% have been able to hire talent from the government sector

    • 67% said salary was the biggest draw, while 60% cited the opportunity to work with a strong leadership team, and 59% believe the opportunity to work for a mission-based organization helps win over recruits from the public sector

For more insights, the full study can be downloaded at


Findings are based on a blind survey of 250 cybersecurity professionals within the United States

conducted by Market Cube, LLC, on behalf of (ISC)² in August 2018.

SANS Survey Highlights – 2018 Security Operations Center Survey

David Weisskopf | Aug 13, 2018 from Cyberbit Blog

The 2018 SANS survey just came out and is chock full of important industry trends and practices that every SOC manager needs to know. Since security operations professionals are super busy, we have provided this quick summary of important highlights to help get you up to speed quickly.

 2018 SANS Survey Highlights:

  • 1/2 of SOCs still not using metrics

  • SOC & NOC lack coordination

  • Asset discovery & inventory tools disappoint

  • Meaningful event coordination still primarily manual

  • 1/2 of SOCs not providing organizational security

  • 39% of SOCs have centralized architecture

  • Leading barriers to SOC performance

    • skill shortage

    • lack of automation and orchestration

    • too many unintegrated tools

SANS Survey: Biggest SOC Challenge is lack of skilled staff

According to the SANS survey, slightly over 60% of respondents cited lack of skilled staff as their largest obstacle to success. The lack of skilled staff is a multifaceted problem that significantly impacts the effectiveness of a company’s SOC. This means enterprises must focus on both onboarding new entry-level team members, constantly sharpening the skills of more experienced staff, and retaining these highly sought-after professionals. Organizations will have to get creative about how to meet this challenge, including; outsourcing to MSSPs, training on a cyber range, developing training programs for new recruits and re-training programs for experienced professionals wishing to make a career change. Any or all of these solutions can help a SOC be better prepared to face the mounting number of alerts and ensure when a serious threat develops, they have experienced professionals ready to operate the event.

What Challenges are holding back the full integration and utilization of a centralized SOC service model that can serve the entire organization? 

SOC & NOC Lack Integration and Coordination:

The survey demonstrates SOC/NOC integration is a point of substantial frustration for many SOC managers and analysts. The SANS survey found that 89.46% of responders do not have well-informed integrated SOC and NOCs. This is a big problem because it leads to a large disconnect between cybersecurity teams and automated programs. This lack of integration also means that your SOC effectiveness is not being maximized. Also, the lack of integration between the SOC and NOC means that some attacks may not be detected by the SOC and thus penetrate the network undetected and unhindered. This is easily solved by investing in more integrated systems that create a highly integrated system that is efficiently able to detect more attacks on the network.

Lack of Automation and Orchestration:

The SANS survey found that greater than 50% of organizations are swamped by the multitude of alerts that many of which analysts are unable to attend to. When threatened by complex and persistent attacks from multiple origins and are required to respond within minutes this creates a major problem for SOC effectiveness. This overflow of attacks and their resulting alerts if detected by the SOC are so great that it overwhelms the SOC analysts’ capacity to handle alerts manually, this is exacerbated even further when considering the lack of sufficiently skilled analysts. The solution to this dire problem is introducing an automated SOC that will be able to determine the highest-level threats and present only those which require the attention of an analyst to contain and neutralize the attack. Automation of SOC functions will increase the number of alerts and actual threats handled, decrease the time from detection-containment-eradication, and decrease the probability an attack will escape the attention of the SOC team.

Too Many of Unintegrated Tools:

The SANS survey found that 47.7% of SOC managers, the lack of integrated tools used to build SOC systems make it hard to create an integrated SOC system that is able to keep up with vulnerabilities and threats. The sheer quantity of tools and functions are enough to overwhelm any analyst. Additionally, newly hired analysts may only be trained how to use some of the many tools used in their new employer’s SOC, thus limiting their effectiveness and ability to execute their jobs. The solution to this problem is building a centralized, integrated tool set to streamline the analyst’s job and make each analyst more efficient and effective at monitoring and eliminating threats.


2018 SANS Survey Takeaways

The ever-increasing influx of new threats and dissolving of the network perimeter means that SOC managers and staff will continue to be pushed to their limits and look for technologies to increase efficiency.  Today there simply are not enough veteran analysts to completely staff every company’s SOC. The solution to challenges highlighted by the SANS survey lies in constant, realistic training of all levels of SOC professionals and implementing the right combination of automation and orchestration technologies into one coherent framework.  This is the best approach for SOC managers to stay maximize the effectiveness of every member of your SOC team and stay ahead of threats.

Read the entire report here.

Cloud Range's partner, Cyberbit, recognized on the 2018 CRN Emerging Vendors List


Ra’anana, Israel, July 23, 2018 – Cyberbit Ltd., a world leading provider of cybersecurity simulation and IT/OT detection and response platforms, announced today that CRN®, a brand of The Channel Company, has named Cyberbit to its 2018 Emerging Vendors List in the Security category. This list recognizes recently founded, up-and-coming technology suppliers who are shaping the future of the IT channel through unique technological innovations. The list is divided into seven categories: Cloud, Data Center, Security, Big Data, Unified Communications, Internet of Things (IoT) and Storage. In addition to celebrating these notable companies, the Emerging Vendors list serves as a valuable resource for solution providers looking to expand their portfolios with cutting-edge technology.

Cyberbit products address some of the most painful and unattended cybersecurity challenges: the cybersecurity skill shortage, the overwhelming increase in security operation workload and complexity, the increased threat on critical infrastructure, and the convergence of IT, OT and IoT attack surfaces.  Cyberbit products include: a Cyber Range, Security Orchestration, Automation and Response (SOAR), Industrial Control Systems (ICS) security, and Endpoint Detection and Response (EDR). Since its founding in 2015, Cyberbit has grown significantly and achieved record business results, most recently announcing a US $30 million investment from Claridge Israel.

With its Cyber Range Cyberbit has pioneered the approach of using hyper-realistic simulation to train and assess cybersecurity experts. This approach is now widely adopted by the industry as a means to cope with the ever-growing global cybersecurity skill shortage. Over the past year Cyberbit has launched more than 30 cyber range classes and opened dozens of cyber ranges with Managed Security Service Providers (MSSP), universities and enterprises worldwide. Together with it’s SOAR, IT and OT security products Cyberbit is the only company to provide seamless detection and response across the entire, converged IT/OT attack surface, dramatically improving detection of IT to OT attacks and increasing security operations efficiency.

“The technology suppliers on CRN’s 2018 Emerging Vendors list are creating a bright future for the IT channel, aggressively developing products to meet complex IT market demands, while positively impacting the bottom line of solution providers,” said Bob Skelley, CEO, The Channel Company. “The array of leading-edge products delivered by these organizations will have a lasting impact on the channel for years to come.”

“It is an honor to be recognized as one of the CRN 2018 Emerging Vendors in Security,” said Adi Dar, CEO of Cyberbit. “With the record shortage of security personnel, coupled with increased threat complexity and volume, security leaders are looking to improve their teams’ skill level and efficiency.  Security managers aim to consolidate technologies rather than add point solutions that solve niche problems. Our portfolio is uniquely positioned to help security operations do more, with less, reducing the overwhelming amount of alerts, accelerating incident response, consolidating security technologies and seamlessly managing multi-vector IT to OT attacks. On the heels of our recent funding announcement, this recognition by CRN exemplifies our commitment to providing customers with the best of breed products to help them stay ahead of new threats.”

The complete Emerging Vendors list will be featured online at

Every Cyberdefender Must be Ready for Battle

 Cyberbit Blog | Jan 18, 2018

When we think of soldiers we typically conjure an image of dedicated, well-trained and battle-tested young men and women who bravely do the elite work of defending their nations. 15 years ago, I aspired to become one such defender and enlisted in an elite combat unit without having any idea what I had gotten myself into.

We underwent 12 months of grueling training; boot camp, advanced training, and additional specialty combat training. Each day was worse than the last. It was the most physically demanding and emotionally draining experience of my life. But when we finally completed the course and were sent into combat, I quickly understood and appreciated why our training had been so challenging and extensive.

The more difficult the training the better off you are when facing real combat situations. Pushing soldiers to their mental and physical limits, and beyond, repeatedly, is the only way to truly prepare them for what’s ahead. Each of us learned what we were capable of as individuals and as a team. I think every soldier who has ever been in combat will agree with me that they wouldn’t want to set foot on a battlefield with anything less than the excruciating training programs all elite combat units go through.

So why doesn’t a cyberdefender go through similar training?

Every Seat in the SOC Must be Filled by an Experienced Cyberdefender

Infantry soldiers like us are not going to be the front-line fighters in the next wars. The next wars will be fought and won, by our cyberdefenders from seats inside a security operations center (SOC). Just like infantry soldiers, they must be ready for battle. Today, most or all training a cyberdefender gets will be in a traditional classroom with tabletop exercises and multiple-choice exams. They will be asked to familiarize themselves with incident response playbooks, but most will never get a chance to put those playbooks into action and experience what it’s really like to face down formidable cyber combatants attacking a real network. Every CISSP knows what a ransomware attack is, but do they know how to protect against one? Do they have any experience operating under the immense pressure, confusion and complexity of a real attack?

The answer is too often ‘no’ and this must change.

How to Prepare a Cyberdefender for Battle

The idea of ‘on-the-job’ training for cyberdefenders is unacceptable. It is reckless to put inexperienced people into the SOC and hope that when the big one hits they will magically remember everything they learned in the classroom, make excellent decisions and execute a perfect response. The new wave of cyberdefenders needs to gain as much real experience as possible in the training stage. We can learn from the military’s vast experience preparing soldiers and pilots for battle to develop training programs that will give cyberdefenders the same intense, realistic preparation. The use of simulation platforms can give trainees the experience they need to operate in complex, high-pressure situations and allow them to experience a wide variety of attack scenarios so they will be ready for anything. Only when a new cyberdefender has successfully operated numerous ransomware, DDoS, data leak, etc. attacks can they be considered ready to join the SOC team. A new cyberdefender should have so much simulation experience that by the time they face the real deal, they will make it look easy.

Ongoing Cyberdefender Training Regimen

Training doesn’t stop after graduation. It remains a continuous part of every soldier’s routine throughout their career. Every few months, my team was pulled off the line for a few days of rest followed by a few weeks of training. The training was not like anything we had ever been through before. Different officers, from other units, would be brought in to challenge us with new combat scenarios and teach us new tactics. This allowed us to learn from other units’ experience and keep us on our toes. The same approach needs to be taken with the cyberdefenders. All cyberdefenders must have regularly scheduled training as an integral part of their workload. The cybersecurity training scenarios need to be refreshed from training to training and include all of the latest emerging threats. The attackers are constantly finding new vulnerabilities, we need to constantly practice new ways to defend.

Don’t Be an Easy Target

We know sophisticated, aggressive hackers are constantly working on finding and exploiting new vulnerabilities. We need to be working that much harder on the defenses. The hackers will never give up, but if your organization mounts a formidable defense, they may choose and easier victim. Sometimes being harder to hack then the next guy, is all you need to keep your environment safe. Be the team that is more prepared and assure that your cybersecurity team are elite cyberdefenders, ready for the battles ahead.

Sam Friedman is a Cybersecurity Expert and Regional Director at Cyberbit.