Scripts in Python
Codes in Go
+10 Years in Cloud
Lots of Blockchain
DevSecOps (whatever that means)
Can run a 0 day vulnerability incident with 20 cross functional team members
Knows PCI DSS & FedRAMP
Ability to present to the Board of Directors
Can speak with customer CISOs
Pre-sales security support
Embrace company culture and mascot Rusty the Badger
Speak 3-5 languages, including Mandarin
Does this sound like your search for top information security talent? Finding, hiring, and retaining top tier information security talent is a challenging endeavor. As someone with a passion for building information security programs, I wanted to share my 10 tips for building high performing information security teams.
1. Information Security is a Function, Not a Person.
Sometimes when I look at an information security job posting, I feel like the employer expects a one man or woman band; someone that’s playing the guitar, harmonica, keyboard, and drums all at once. Too often, business and IT leadership view information security as a role for one person in the company.
Information Security is a function. I like to break up this function into three distinct buckets:
1. Risk, Controls, Compliance
2. Security Architecture and Engineering
3. Security Incident Response & Threat Intel
Each of these buckets have varying skill sets that work in tandem for a successful information security program, such as: attention to detail, people focus, technical focus, audit background, hunting, scripting, writing and speaking.
In larger security programs, these buckets can be expanded to functional areas like pen-test red teams, hunt teams, privacy, vulnerability monitoring, etc.
2. Build for Stability
Information security functions are inherently unstable due to the rapidly changing threat landscape, the complexity and velocity of technology changes, systematic under investment in information security programs, and the security talent deficient. How do you build stability for something that is inherently unstable? Here are some tips:
In-person matters. I vote human. Security teams function best with person to person interaction with stakeholders.
Hire local. You have two strong candidates. One of them lives 15 minutes from the office, and has been working at a local company for 8 years. The other candidates has lived in 3 cities in the past 2 years, has an hour commute to the office, and is asking to work from home 2 days a week. Hire the local candidate.
Build the security leadership team first. A CISO needs to have a core leadership team of at least 2-5 directors/managers with specialized functional information security competencies.
3. Fight for Your Stakeholders
Who is your favorite person at work? I can guarantee you it’s NOT the person that gives you the ‘not my job’ response all the time. The people we like to work with best, are those people that go out of their way to help YOU do your job. In that context, I think of information security teams as service providers, with internal and external stakeholders including employees, customers, auditors, law enforcement, investors, and the board of directors. Providing a high level of service to these stakeholders drives a positive perception from cross-functional teams at the company such as Marketing, Finance, Engineering, HR, and Executives. If people like your security team, and view the team as credible and helpful, it’s much easier to drive security improvements across the org.
4. Be a LinkedIn Stalker
LinkedIn provides a window to quickly identify candidates that have specialized skill sets. For example, when I was hiring for my risk and compliance team, I personally reached out to 40+ experienced risk assurance associates at the Big 4 accounting firms. With the volume of Linkedin recruiter messages, I have found that candidates are much more willing to respond to a practitioner. From that pool of candidates, I built my own pipeline of 6 or 7 candidates which I gave to my recruiter and started interviewing.
5. Complementary Hiring
That purple squirrel doesn’t exist in the wild, but with enough robotics experience, and a can of purple spray paint, you can create your own purple squirrel. On a serious note, by hiring information security professionals that bring complementary skill sets to the team you can create your own purple squirrel. For example, I need my Risk and Compliance Manager to be a highly organized and detailed focus ex-auditor to handle 400 documentation requests for a SOC 2 audit. Part of those audit requirements include monthly vulnerability scans that my Security Architecture and Engineering team needs to configure, triage, run, and work with engineers to patch systems. If my Incident Response Team detects a threat that is targeting a particular customer, they will work with my security engineering team to assess any outstanding vulnerabilities. An information security team that is highly complementary and integrated creates an information security program that is better than the sum of the parts.
6. Do you Speak Klingon?
The strongest Information Security team members can speak both ‘Engineer’ and ‘Business Person.’ Having engineers view your team as credible is critical for your security team. Credibility comes with speaking their language. Do I know how to code? Absolutely not. Can I get a room of engineers to support me when I talk about “ threat models of TCP fragmentation DOS vulnerabilities to the availability of a managed DNS platform.” Absolutely. At the same time, if I speak ‘Engineer’ to the VP of Business Operations, he will look at me sideways. I need to be able to articulate a risk in business terms – tied to customer operations and revenue.
7. Cyber Security Therapist
Often, I feel like I’m a therapist. At least once a month, I get pulled into a conference room because an engineer wants to share a security issue that’s been gnawing at their soul. Here is an excerpt of a confessional from an engineer, Jackie:
“Brian, I was performing my peer code review, prior to accepting Pradeep’s pull request, and I found a hard coded password...”.
Then I said, “It’s ok, go on”.
She continued in a whisper “The password...it’s...banana”
If you build trust with your stakeholders, they are willing to share security risks with you. After they share a risk, they walk out of that conference room a new man or woman freed of their security sins.
8. All Work and No Play Makes Jack a Stressed Information Security Professional
Information Security is stressful. The pressures of cyber security attacks, customer security requirements, never enough resources, fragmented security tooling and technology market, and complexity of implementing security requirements all adds up to a large pot of stress. It’s important to recognize that too much stress and anxiety can have adverse effects on team morale, the health of your employees, and their performance. To help break the cycle of Information Security fatigue, I have a quarterly ‘Team Day’ that typically includes an activity, food and drink. Additionally, I’ll fly in remote employees for the week to be there for team day. The cost of these events is insignificant compared to the cost of losing a team member from burn out, and having to replace them. Successful past team days:
FedRAMP Chicken Wing Party Bus: We completed FedRAMP, and can now sell the federal government cloud services! What better way to celebrate than having a party bus drive around Boston with all of the contributors, 250 chicken wings, and coolers full of beer and spirits.
Two hour kayaking trip in Boston Harbor, followed by lobsters and crab legs.
10 am brunch, then a game of ‘Escape the Room’ – promoting teamwork on a belly full of bacon and waffles.
9. Replace Chaos with Order
The volume and complexity of information security and compliance requirements can be chaotic. One day your Nessus scan spits out 200 vulnerabilities, the next day you have 300 pieces of evidence to gather for an audit and there is a security incident for an encore.
I have put together my teams using an Agile Kanban methodology to track and manage our work queue in ticketing system. Additionally, that’s fronted by custom ticketing system workflows where other teams can make requests; security architecture review, customer compliance question, vulnerability disclosure, etc…
10. Stay Positive
Most security teams feel undervalued, underfunded, overworked and under loved. They are typically fighting for something – budget, management buy-in, product management prioritization, headcount, or escalation of a security incident. During the fight, it’s critical that you use the momentum built to channel positive energy. Play up the underdog role. Talk about how even with the challenges and headwinds faced within the organization we are making progress, reducing risk, serving our customers, and building a great program.
About the Author:
Brian Castagna is Director of Information Security for Oracle Cloud Infrastructure Edge Services. He has over 14 years experience in technology auditing and building information security programs and early stage technology companies including Jumptap, Acquia, Dyn (acquired by Oracle). He has expertise in Data Privacy, Security Incident Response, Threat Intelligence, Security Architecture, Security Engineering, Risk, Controls, and Compliance leading successful security audits across multiple verticals including FedRAMP, HIPAA, ISO 27001, SOC 2, SOC 1 and PCI DSS.
Brian holds various information security certifications including CISSP, CISM & CISA. He holds an MS in Accounting Information Systems and a BS in Computer Information Systems from Bentley University.