
Infosec17: Recruit agile people for agile security teams

Organisations should enlist agile people to join agile security teams that are able to deal with the continually changing cyber threat landscape, say security team leaders

An agile security team is essential to face continually changing cyber threats, according to a panel of UK security team leaders.

Team leaders therefore need to recruit people with potential, and then grow and develop them to be agile in the context of a cyber security team, they told Infosecurity Europe 2017 in London.

“Security team leaders need to create the culture that enables members of the team to grow and develop,” said Adrian Davis, managing director for Europe, the Middle East and Africa at (ISC)2.

This is particularly important in the light of the projected shortfall of 350,000 information security professionals in Europe by 2022, he said.

In terms of creating the right culture, organisations need to give individuals the opportunity to develop their roles according to their talents and abilities to support the business in new ways, said Vicki Gavin, head of business continuity and information security at The Economist Group.

Paul Watts, CISO at Network Rail, said he believes it is essential for security leaders to trust and thereby empower their team members to work with the business to pursue initiatives that better support the organisation and help achieve business goals.

“Security is a holistic discipline that spans across people, process and technology, and is often asynchronous, with things like the WannaCry attacks happening on a Friday afternoon,” he said.

Stuart Hirst, head of IT security at Skyscanner, said it is important for security professionals to recognise that they do not need to have all the answers in security, but they do need to know how to find out what they need to know.

Gavin said that while it is important to have tried and tested procedures in place, security teams typically have to deal with the unexpected, and only by being agile can security teams respond to incidents effectively.

“Agility is about being able to take everything you know and applying that to stuff that you can’t imagine that you need to respond to,” she said.

It all comes back to adaptability, said Watts. “As we learned more about the WannaCry attack, we had to adapt our response, such as when the kill switch was discovered,” he said. “It was all about being agile.”


Davis said another important element is the freedom to try new things and to learn from any failures, in order to become more resilient.

Asked where security leaders can find the right people to enable agile security, the panel said security leaders often have to be willing to develop team members from scratch.

“Many organisations fail to recognise that people have the ability to learn and grow, and consequently miss the opportunity of developing the people they have,” said Gavin.

Hirst said experienced security professionals can often lack agility because of their past work experience at organisations where roles are rigidly locked down and strictly process-driven.

In some organisations, he said, information security professionals do not have the opportunity to learn and use soft skills that enable them to be more collaborative, innovative and business-focused.

Mahbuul Islam, head of secure design at the Department for Work and Pensions, said security leaders need to give team members the opportunity to develop. “You have got to allow them to deliver on their talent,” he said.

But Davis said (ISC)2 research has revealed that because of the high degree of churn in information security, many organisations are reluctant to invest in developing members of their information security teams.

Recruit inclusively

Gavin said security team leaders need to rethink their approach when it comes to recruiting. “Most tend to recruit exclusively, but instead they should be recruiting inclusively,” she said. “They should look beyond technical qualifications and consider the type of person who would be good at the job the company actually needs them to do.”

Part of the problem, said Gavin, is that recruiters look to fill a role with the same type of person who had it before, rather than looking at people with different backgrounds and experience, and focusing on the actual skills required.

Davis said that (ISC)2 research shows, for example, that only 8% of information security professionals in Europe, the Middle East and Africa are women.

Watts said security team leaders should try looking for people with the right soft skills, then train and develop them technically once they are on board.

Based on interactions with schools in Edinburgh, Hirst said girls are not often attracted to cyber security. “We need to do more to engage with girls at a younger age to show them that there is a career to be had in cyber security,” he said. “We are making some progress on this in the UK, but it is going to be a long process.”

Information security professionals are often perceived as blockers to the business and so it is not seen as an attractive career, said Watts. “We [as information security leaders] need to improve our brand and talk about security in terms of enabling business to be secure and reliable,” he said.

Recruitment can help build agile security teams for the future by looking for candidates with a broad experience base, said Gavin.

“I like to look for candidates who have done a number of different things and then use the interview to hear stories about their lives to find out what they have learned outside their working life and to test for agility,” she said.

Learn from failures

Hirst said he uses interviews to find out about people’s failures and, more importantly, what they have learned from those failures. “People tend to work better when they are not scared of things going wrong,” he said.

Asked where security should sit in an organisation, Watts said it is important for security to be part of every business activity in all areas of the organisation and at all levels.

“At Network Rail, we have our core security teams, but we also have a community of security champions who are embedded in all areas of the business to provide support, encouragement and training, as well as provide intelligence to the security teams about how the business works,” he said.

This crowdsourcing approach to security messaging and intelligence gathering is key to achieving agile security, said Watts.

Security leaders should also continually be alert to interest in cyber security from people in other parts of the business and then provide opportunities to give it a try and make the transition by opening doors if the people are a good fit, he said.

At the same time, said Gavin, employees within an organisation who may be interested in security need to “articulate their transferable skills” to security leaders.

Finally, when asked how to keep security professionals agile, Islam said that at the Department for Work and Pensions, he regularly rotates people so they have the opportunity to face new challenges all the time and apply their skills and experience to new situations.
