National Public Radio (NPR) reported several weeks ago that the United States government was seeing a shortage of qualified ‘cyber (security) warriors’, that is, professionals who are skilled enough to effectively protect the US digital infrastructure from cyber attacks.
The original article lives here: http://www.npr.org/templates/story/story.php?storyId=128574055.
The article glanced at the general problem and what the US government was doing to recruit professionals in the future. It might have been the brevity of the article, but I hope the US government has also incorporated into its overall strategy how to acquire and retain those good security people, since retention seems to be one of the roots of the problem. In my experience as a security manager, retaining people is somewhat of an individualized art. Some people want more money, some people want more responsibility, some want less, some want promotions, etc — it just depends on the individual. There is, however, a science side, and I’ve found that there are some universal mistakes you can make to almost guarantee a loss of your best security people. My top three are:
- A**hole driven security
- Wrong team strategy/charter
- Making it all about security
Top Way to Lose Your Best Security People #3: A**hole Driven Security
In my experience one sure-fire way to drive away your best security people is to incorporate and internalize the tactics of what I call “A**hole Driven Security Teams”. I adapted the concept from Scott Berkun’s blog post, but the idea is simply this: a security team that is led by one or more individuals exhibiting high a**hole-like tendencies and tactics. This one is going to need further explanation.
In an information security setting there are generally two players: a team that creates the risks, such as an IT or product development team (Team A), and a team that is responsible for mitigating those risks, such as a security team (Team B). Ideally, Team B will help to identify those risks, work with Team A to understand them, and then close the loop by creating strategies to reduce them.
Now if a disagreement arises (as it often does), for example Team A feels that the mitigation steps required by Team B are unreasonable, there are two general approaches I’ve observed. The first approach (Approach #1) is the approach discussed above, the non-a**hole driven approach, where Team B works cooperatively with Team A to identify, understand and reduce risks. Many if not all of the best and most effective security people I’ve known work in this fashion. The second approach (Approach #2) is the a**hole-driven security team approach, where compromise and cooperation are the least favored options and tactics like the following are used by Team B:
- Try to defame and discredit someone in Team A, often to upper management, their partners and in a behind-your-back fashion;
- Use embellished phrases and words during mediation, such as “confidence crisis” and “catastrophic errors”, to overstate their authority/charter or discredit a team or individual they oppose;
- Escalate through the opposing team’s management chain, unannounced and in a non-mutual manner; and
- When their tactics are exposed and found unjust, they mysteriously go into radio silence.
- More …
The best security people I know just don’t work in this fashion. Office politics are a reality of any professional setting, and when great security people find themselves embedded in an a**hole driven security team I’ve observed two very clear effects. The first is that those best security people stay and become a**holes themselves, producing a now larger, denser collective. The second is that they leave for other teams and companies that favor Approach #1 over Approach #2.
Top Way to Lose Your Best Security People #2: Having the Wrong Team Strategy/Charter
You would think that after a**hole driven security teams there are no other, more toxic ways to lose your best security people, but there are. Whereas a**hole driven security is in-your-face and fast-acting, this next one is not so apparent and is slow-moving; sometimes you don’t even realize it’s there. The next way to lose your best security people is having the wrong team strategy/charter.
I’ve seen security teams make their group’s charters something like, “If people in this company don’t hate you, you aren’t doing your job” or “We can stop products from shipping.” Granted, those are reasonable team charters to have, but … ah, forget it … I was going to tippy-toe around this one, but I’ll just say it then: that is just stupid and foolish. Why would you ever make your team’s charter akin to “we throw pies in the faces of our colleagues”?
Yes, a security team’s objective may very well be to make sure products and services meet some minimum security bar, and in the process it may make other people’s lives more difficult, delay product ship schedules, etc., but when they write that on their flag and wave it around, guess what eventually happens? Those teams get ignored and/or met with hostility.
Stick your best security people in a team like this and they too will be ignored and/or met with hostility by the very teams they need to work with. Those best security folks can’t get their job done effectively, job satisfaction continually drops, and over time they will leave.
Top Way to Lose Your Best Security People #1: Making it All About Security
The first two top ways to lose your best security people focused on a security team’s outward-facing actions. This last one, however, focuses on the inward-facing actions of a security team, especially by team managers. I kept this one as the last top way to lose your best security people because I feel that even if you get the first two right, this last one can still break you in the long run and you’ll lose your security superstars.
One of the first arguments established in the book How to Win Friends and Influence People, by Dale Carnegie, was the need for people to feel important, to understand what is important to them and to acknowledge them in some way. Security people, especially the best ones, are no different. This is management 101. What is not so 101 is that as a security manager, if you want to retain your best security people, you need to be acutely aware of what is individually important to each of them, and here’s the twist — it may not be about security!
It’s only natural to think that what’s important to a security team must also be important to the members of the security team, right? Well, that’s not always the case, and this lesson came to me when I had a post-project conversation with one of my past team members, whom we’ll call John. It was several years ago, but it went something like this:
- Kevin: “Hey John, great job on the penetration test you led for Customer X. They are super happy with the findings and impressed with the remediation plan you created. Nice work!”
- John: (Pause) “Thanks Kevin, …”
- Kevin: “You don’t seem to be as excited, what’s up?”
- John: “Well, I wanted to get some experience learning how to write code, hopefully next project I can get an opportunity …”
I learned a really important lesson from this conversation, actually two. First, what might be important for the team might not necessarily be individually important to the members that make up that team. In John’s case, he was happy that our team delivered and exceeded our customer’s expectations (it was all his work anyways), but what was really important to him deep down was the opportunity to grow (to learn to write application program code). That’s the ‘understanding what’s important’ part of Dale Carnegie’s book. The second is to reward and acknowledge based on what is individually important to your best security people. That’s the ‘feeling important’ part. For the record, I am not advocating that security managers should start stroking the egos of all their reports. That’s disingenuous and people will see through it. What I am advocating is that if you fold in what’s important to each of your best security people with what’s important to the team and what’s important to your company, it’ll go a long way in retaining your best security people. If you don’t, well, you know what will happen eventually.
Alright, those were my top 3 ways to lose your best security people: a**hole driven security teams, the wrong team strategy/charter and making it all about security. What are your top 1-3 ways?