Growing the Team: Security Leaders on the Challenge of Developing Skills In-House
"We can no longer ignore the risks stemming from the supplier end," says Moretti, also an (ISC)2 board member. "Earlier, we would have just concentrated on the main service providers and built relationships with them, but now our process is to manage operational risk indicators across all vendors."
Moretti's challenge is common among security and risk leaders worldwide. It isn't only a matter of filling roles, but of growing the people in them. IT security jobs are more specialized, and employers demand skills that mirror the types of threats, breaches, regulations and risks their organizations face.
'Can't Go on Experience Alone'
So, how do leaders help their staff evolve and acquire these in-demand skill sets? In part, they succeed by focusing on versatile players who can come in and fill multiple roles. Example: Brett Wahlin, the newly-appointed chief security officer at Sony Corp. As Wahlin builds his IT security team, he is relying largely on people with cross-functional expertise and broad experience.
"Team growth and skill development largely depend on how individuals blend with different groups and add value," he says. "It's important for security engineers and architects to understand how we deal with privacy and compliance issues before they come in and handle vendor and in-house products and systems."
As security becomes a key driver for organizations, new roles, increased legal implications and accountabilities push leaders to adopt new methods of developing their teams. Among the strategies: a collaborative workforce, cross-functional training, and seeking outside expertise to train staff on skills for emerging technologies and the evolving threat landscape.
"You can't just go on certification and their experience alone," says Patricia Titus, chief information security officer at Symantec Corp. "Growing a team is about balancing skill sets and identifying individuals who can integrate and align with the company's business groups."
The In-Demand Skills
As they grow their teams' skill sets, leaders demand specific talents in specialized disciplines that go beyond an employee's daily tasks: innovation, the ability to analyze patterns and predict trends, and the capacity to take on growing responsibilities. Among the hot disciplines:
Manage Vendor Risk: Moretti focuses on the services aspect of what vendors and suppliers are delivering to UBS and how they need to be managed and integrated within the organization. "We want experts to make sure they understand the operational risk and control frameworks of suppliers and know ways to assess risk and quality of what comes out of this process," Moretti says.
He has seen these positions evolve, requiring far more innovation today through process modification and stabilization. For example, professionals managing vendor relationships need to address the risks of integrating a vendor's software into the corporate network by ensuring that the vendor's software development life cycle follows security best practices and industry standards and that adequate security is built into its products. "A step toward innovation is to work with them and develop technology solutions to address some of these risks," he says.
Analyze Trends and Anomalies: At Sony, Wahlin is extensively ramping up his team to address the breach fallout and build the IT security capabilities around Sony's entertainment network. "We are putting a lot of emphasis on a more blended and analytical approach to security, on skills that are related to situational awareness." He is looking to hire 30 full-time professionals this year, including positions with solid engineering and security architect expertise to build processes and handle vendor and in-house products and systems. He also needs experts who work within security operations and can analyze trends, patterns and anomalies from raw intelligence.
"The big picture is often not known, so how security people work effectively using their keen IT security sense with a lot of unknowns and navigate to identify attack vectors and trends is important," he says. "Moving forward, we need people that are non-conformist, independent thinkers comfortable (with) working in a situation which is not clear."
Understand Business and IT Risk: Titus at Symantec is currently looking to fill the void created by a few senior staffers who recently left the company. She is looking to support her existing staff of 27 IT security members, responsible for security operations globally, with additional resources specializing in governance, risk management and audit assessment, to take away some of the burden and workload her team currently faces.
"Everywhere, IT security teams are getting fairly integrated with the corporate network and business units, so in my vantage point I am looking for people that are well-rounded and have enough business skills to equate risk into a business impact," she says.
But for some leaders, seeking senior business and risk expertise among existing staff is a challenge. "It seems to be quite difficult to find people with strong risk-management backgrounds in Asia," says Shrikant Raman, senior manager for information risk and policy at Standard Chartered Bank in Singapore, a multinational financial services company headquartered in London. His team is on the hunt for security people that are thinking about compliance, risk management and ways to enable the business.
"(A) majority of the IT security teams here (are comprised) of desktop networking support roles and hence a learning curve exists. The problem compounds when the security teams need to understand and act rationally based on the risk appetite of the organization," Raman says.
These leaders are all looking for a mix of junior, mid-level and senior staffers on their teams, so that middle management has proper succession plans in place, leaders can engage in mentoring, and fresh ideas come from the more junior professionals.
Growing the Team
Here are five ways in which leaders are helping their teams acquire the skill sets in demand.
- Cross-Functional Training: At Symantec, Titus is a big believer in mixing her IT security teams and giving her staff the ability to understand what other team members are doing. "I feel this type of exposure gives team members professional capabilities and exposes them to different situations augmenting their on-the-job learning."
For instance, having the audit team interact with the incident responders helps auditors understand the different factors they should be looking for while assessing IT security controls within the organization. "It happens more frequently than I realize," Titus says. "Cross-functional training enhances the ability of my team to see across boundaries, which is critical."
- Partner with Professional and Academic Communities: Moretti spends substantial time with professional associations like the International Information Systems Security Certification Consortium, Inc. (ISC)2 and the Information Systems Security Association (ISSA). He leverages their partnerships with universities and colleges to reach people starting their careers in information security and help them adopt a broader career path, one that ends in specialization within a particular discipline. "It is significant to interact with universities, articulate our understanding to those setting out on their careers and modify study modules to build the foundation for a much prepared future."
- Engage in Brainstorming Sessions: As Wahlin builds his team at Sony, he is looking to approach problem-solving and skill development in a new way. "We have conversations at least once a week where we talk about what-if scenarios - what if this happened? How would we approach the issue?" he says. He finds these sessions fruitful in engaging employees to foresee future trends and opportunities. "So far it's been a great avenue to help my team think independently and open their mindset to do things differently."
- Seek Industry Subject Matter Experts: At Standard Chartered Bank, Raman has a comprehensive training program that includes sessions with specialized subject matter experts representing technology companies such as Splunk and Trusteer. The bank also has an internal risk forum that meets weekly to discuss and brainstorm ideas on risk mitigation, identifying attacks and vulnerabilities, etc. "These sessions help people to get exposure to other lines of thinking and broaden their ability to get new ideas," Raman says.
- Collaborative Workforce: At UBS, Moretti gets his employees, contractors and vendors to collaborate on projects and establishes an environment that takes advantage of their unique perspectives and expertise. For instance, he finds that vendors understand the business and regulatory end much better, while employees get more exposure to cutting-edge technologies through this collaborative process. "This kind of knowledge transfer leads to more innovative thinking and helps develop forward-looking capabilities."
Moretti advocates for IT security pros to have a broad career path and to invest in training and certification throughout their careers.
"I look for IT security people that have a professional career plan and are able to articulate that effectively," he says. "Skill development then becomes easy as organizations put aside resources for coaching, mentoring and enhancing their capabilities within the team."