Govciooutlook

How to Build Your InfoSecurity Team

By Kevin Burns, CISO, Draper


As Chief Information Security Officer (CISO) at Draper, it is my responsibility to ensure that our digital assets are secure, yet available to our employees who work on deeply technical and complex initiatives for customers in the government, academia, commercial, and non-profit sectors.

However, one of the challenges all CISOs face in this current information security employment market is building a team and infrastructure that can anticipate and address the numerous and varied information security challenges. ‘Be prepared, be responsive, and move quickly’ is our mantra.


In practice, CISOs succeed when they can be two things at once: highly proactive and highly reactive. A vitally important way to get there is to recruit and shape an effective information security team. However, a job in InfoSec takes more than technical know-how. There are certain hidden traits that are just as important.

Characteristics that make a solid InfoSec candidate include an innate passion for protecting the workplace from cyber threats, a basic understanding of business concepts, and a great desire to break out of their comfort zone. Candidates who aspire to become an information security manager, engineer, analyst and eventually a senior leader must possess a strong technical background, business savvy, an organizational mindset, and passion to deliver.

Recommendations:

Recruit in Person. If you want to build, shape and lead a high-performing team, then you need to get out from behind your desk and go meet your next candidates. CISOs and managers need to somehow find the time for activities which bring them in contact with future employees. While the tried and true “job fair” events and posting sites serve their purpose, a quicker way to make real, personal contact is through activities such as guest lecturing at local colleges or volunteering as a judge at a hackathon. Also, volunteering to be on panels and governing boards of local cyber-oriented events and organizations results in connections with otherwise unknown candidates.

Such appearances put our “brands” out there to foment introductions that otherwise would not happen. Your next prospect may then tell you they are looking for a job, but what they really want is to work for a team at an organization with which they can find a real connection. This is your opportunity to bring your personal brand to them, and therefore make that connection.

Screen for Business Thinking. The profile for an efficient InfoSec team starts with a deep and growing technology skill-set. However, another important component is experience or training in business or organizational leadership. Ask the tough questions of the candidate. Are you willing to gain an understanding of the business and budget issues? Do you have leadership experience? Can you direct a team?

Invest in People. Encourage employees to pursue degree and certification programs. An employee with a degree or concentration in information security demonstrates a strong commitment to the organization’s success. Investing in your people will help you retain them as well. A recent Randstad survey revealed that a lack of career growth is the top reason employees leave jobs. Only about half of job seekers said their most recent company had helped them advance in their careers. At Draper, we emphasize the importance of earning and retaining certifications (CISSP, CISM, etc.). Our commitment to our employees lies in a robust training budget coupled with a push for soft skills. The investment in the soft skills areas is advantageous in that those skills help gel the teams as well as create future leaders.

Be Open to Variety. As a lecturer within an InfoSec master’s program, I find the variety of talent and career experience that I encounter astounding. The students work as attorneys, bank compliance managers, in law enforcement as police officers and as federal investigators at the FBI. This variety can bring diversity to the InfoSec teams, which in turn brings synergy and helps retain the team as a whole. With all the competition for talented cyber analysts, the workplace must be challenging, rewarding, and stimulating, and that can evolve by bringing on staff with varied backgrounds.

Given the evolving threat landscape, it is no surprise that the field of information security is booming. A report issued by Burning Glass Technologies reveals that job postings across the industry have grown 74 percent between 2007 and 2013—twice the rate of all other IT jobs.

The field is expected to grow over the next few years. The U.S. Bureau of Labor Studies has projected an 18 percent growth rate among information security analysts between 2014 and 2024.

Again, I make the pitch that we need to innovate relative to our recruiting methods as a means to set ourselves apart, and that innovation certainly includes the time, effort and energy away from the workplace. Your next InfoSec employee is waiting to meet you.
