Security Team Development

Building a Winning Security Team: Practical Tips on Training and Team Development

Phil Hagen

The most fundamental truth in information security is that we need smart people to do the most important parts of the job. Regardless of how many racks of servers, gazillions of dollars of software, or dozens of threat intel “feeds” we invest in, they won’t provide the slightest impediment to adversaries without real live humans to run the show.

This doesn’t just mean a warm body to evaluate products and services, or a team to install and click the “start” button. It means people with analytic mindsets who can fuse business and security requirements or constraints with knowledge of technical solutions and their capabilities and shortcomings.

The catch: this mythical person often doesn’t exist.

If you’re lucky enough to find an individual who fits the bill, your next challenges will be growth and retention. Knowledge and skill sets have a pretty short half-life in such a fast-paced industry. To find success, security leaders need to train the right individuals, and develop an effective team.

Training vs Team Development: What’s the Difference?

Training and team development are often considered in the same vein, but each has distinct goals.

Training develops the individual team members so they have the skills to meet current and future tasks expected of them. This shows investment in the individual, and instills trust that the organization wants to keep them on board into the future.

Team development is building an overall organizational structure that will sustain projected growth within the organization. It takes into account aspects such as:

  • Headcount and technology footprint
  • Anticipated shifts in the organization itself, such as M&A
  • New product/service lines
  • Personnel turnover (If all of the above are done well, personnel turnover should decrease significantly)

Let’s take a deeper dive into each area and look at practical tips for achieving success.

How to Successfully Train Individuals

Training is available in many different forms—not just the traditional classroom environment. I spend a significant amount of time teaching for the SANS Institute, where I am a certified instructor and course author. But I’ve also managed large teams with diverse training requirements—both with and without a respectable budget.

Don’t count out training if your budget is limited. Look beyond traditional options and choose the mix that best suits your team, mission, and budget.

Consider These 7 Types of Training:

1: Vendor Training

You’ve purchased the software or hardware, so you better be able to use it. Count the training as part of the cost. Don’t forget to consider re-training with new versions and new personnel.

2: Training courses

Vendor training focuses on how to use a specific product for a specific task. While important, these generally overlook the fundamentals. Identify vendor-neutral training courses that will help your team to better understand WHY they do what they do, not just what buttons to press.

3: Certifications

When appropriate, certifications can be an effective way to show team members are versed in the concepts that underpin the certifications. I recommend against making these mandatory for employment, as this can lead to “certification overload” in addition to overwhelming (or, in the case of bargain certs, underwhelming) requirements just to establish some kind of requirement baseline.

4: Individual research

Let your team follow their interests. This will develop a wealth of skills that you may not even realize you need. Admittedly, the fabled “Google 20%” time is not feasible for most organizations. However, assigning projects with a valid business-case that also fit an employee’s interests—even if slightly outside their core job requirements—can provide a worthy distraction that keeps employees interested and their skills fresh.

5: Academic degrees

Most employers have education reimbursement programs, and this is a great thing to encourage for employees that are interested in acquiring a degree. However, making this a mandatory benchmark often creates an artificial career limit for talented but classroom-averse team members. Requiring a certain degree could create a ceiling for exceptionally talented team members.

6: Speaking at conferences/events

Encouraging employees to submit to conference calls for papers/presentations (CFPs) is a great way to establish their expertise (as well as your organization’s) in the information security community. Plus, I can say from experience that you never realize how much you need to learn about a subject until you prepare to teach it. (In turn, this leads to a deeper understanding of the topic through learning.)

7: Peer training

It’s certainly not feasible to send every team member to every worthwhile training course, so peer training is a great way to share the knowledge. However, be careful about licensing of training materials—sharing them among team members may not be permitted. Instead, encourage team members to provide a one-hour training event for the whole team that summarizes the biggest takeaways. This approach will maximize the value of the training, limit the time your overall team spends picking up the new information, and, most importantly, establish the team member providing the takeaways as the expert in the subject.

Team Development: Tips for Success

Developing a functional team is wholly different than developing capable individuals. This part of the process involves ensuring the organizational structure is devised and implemented in a way that will ensure your team members have a way to contribute to the best of their growing abilities. That means both a place to participate today, and a position to aspire to in the future.

Consider these 7 elements to successfully develop a team:

1: Career path

Hire team members at all levels—from intern to leadership and everywhere in between. Avoid the temptation of hiring all “senior” staff. This is always a short-lived experiment that doesn’t provide a growth path for the team members or the organization itself. Include career paths for both technical and management; not everyone wants to be promoted “away from the keyboard” and into leadership.

2: Advancement opportunity

Document what it takes to be considered for each level of promotion. This shows team members what they need to do to reach the next level, while ensuring a level of consistency across the board. Don’t tie salary ranges to a specific promotion level. Allow a long-serving, top-notch senior to stay a senior and advance their salary without forcing them to be promoted into a new position.

3: Hire into the established team structure

Ensure new hires brought in at a certain level are consistent with the stated promotion requirements. This ensures new and existing team members are treated consistently in the spirit of the organization’s personnel structure.

4: Establish level-appropriate tasks

With a team covering a wide spectrum of skill levels and experience, ensure the work assigned generally covers the same spectrum. This is also an opportunity to pair team members of different experience levels together in a formal or informal mentoring arrangement.

5: Build an intern program

This is possibly the absolute best way to establish a pipeline of known, vetted, and trusted new team members. A proper intern program—with appropriate pay for real tasks that benefit the team and organization—will build an immeasurable amount of support for newcomers. This takes time and attention; generally a dedicated intern wrangler is needed to make the program work. This wrangler should be a technical team member with at least some management experience.

6: Have fun and encourage team interaction

This doesn’t mean simply buy a bunch of nerf guns to leave around the office, have a standing monthly after-work get together, or create “mandatory fun” events. Those can be a part of the equation, but you may find greater success by watching the team interact and finding ways to encourage and support the natural interactions among the team members. In all honesty, this is not always easy—it’s often more a sociological process than a management one.

7: Build the team the organization needs

Plan and justify a team that’s the proper size to handle existing and forecasted workload. Before the next big acquisition, product launch, or business pivot, ensure the team is on board and ready to go. Onboarding during a major work surge is really complicated and difficult to do well. Furthermore, the horrible concept of “do more with less” is an addictive drug that causes burnout and distrust. Build the workforce you need and you’ll be far more streamlined, efficient, and effective than you ever would be by simply adding more work to an existing team.

A Few Final Thoughts

As you might have thought once or twice in reading the tips above, these are not problems unique to the information security industry. In fact, you or I could make a compelling argument that these are really just some tenets of solid, scalable, and trustworthy leadership.

I may be biased in this statement, but I strongly believe that information security is a critical component of nearly all businesses operating today. Don’t wait for the post-breach report to call out your management for not paying sufficient attention to the team’s training requirements or the total lack of strategic management planning. Think of how to strategically build your information security team into a powerhouse that supports the business objectives today, tomorrow, next year, and beyond.
