Jeff Silver, senior security engineer at RSA corporation, gave a talk at (ISC)2 Congress in Orlando, Florida, on how to build up infosec professionals through mentoring programs.
Silver runs the mentoring program at RSA, and believes in the importance of a mentoring culture in organizations. In fact, he claims it can aid retention and enhance team culture. Retention, he said, is so important. “It’s hard to find good qualified people, and when we lose them it hurts.”
“Every organization has security professionals that can be identified as mentoring material. Make your best people mentors, they feel valued and they stay,” he said, claiming that getting good mentors on board will have a positive impact on team culture.
Silver gave the following advice for how to be an effective information security professional mentor:
- Mentoring technical personnel is not technical training. Never make this mistake.
- The mentor should always establish the first meeting.
- Trust and transparency are essential for a successful mentor relationship. Establish them in the first meeting. The mentor should go first: share life experiences, share the mistakes you made and how you recovered.
- If you’re not willing to get personal and be transparent, don’t be a mentor.
- If you find you have opposite world-views, move past it. You don’t have to agree with each other – your job is to build them up as a security professional.
- On the second meeting, explore the mentee’s career aspirations and their current situation.
- Don’t be afraid to assign small homework assignments – even if it’s just creating a LinkedIn page. This helps you to get a feel for the tempo of your mentee.
- Help your mentee build their own brand: Discuss professional organizations and certifications with them. Suggest industry reading.
- Explore what interests and passions your mentee has above and beyond their core duties. Help them to establish their knowledge, abilities and willingness to help others inside and outside the company. This is crucial to an employee’s brand.
- Never discourage a mentee from pursuing additional responsibilities and roles, but make sure they understand any element of risk that may be present.
- Explore corporate relationships with your mentee: You can make a real impact in this area.
- You should help your mentee develop their relationship with their boss in a strong and constructive manner.
- Discuss their relationships with their peers: do they know where they fit on their team? Do they understand the importance of team culture? Make them understand how and where they stand amongst their peers and how to best work with them.
- Remember that as a mentor, you are responsible for the confidentiality of your mentoring conversations.
- Unless it’s illegal, immoral, unethical or dangerous, you have a responsibility to keep it confidential.
- If an issue is raised that you believe needs reporting, empathize, give them positive options and recommendations, and strongly encourage them to talk to their manager. Check back with them after a suitable time frame to ensure they had that conversation. If they say no, tell them you’ll get their manager to call them and that you expect them to tell the manager the details – force the conversation forward whilst holding their hand.
- Understand what technology they are passionate about and guide them.
- Remember that you’re an authority figure – whether formal or informal.
- Don’t try to be cool or liked. Your objective is to make them into a world-class security professional, and in doing so, you’ll likely build a good relationship organically.
- Always remember that you have an opportunity to help guide your mentee through their next career steps.
- Talk to your mentee about plans they have regarding the corporate office. Advise them to be proactive: find reasons for them to go there, help them establish meetings, and encourage your mentee to set up meetings with people in other departments.
Finally, Silver added that mentors sometimes need mentoring too, and advised that they bounce ideas off people when needed, without breaking confidentiality. “Every mentor program needs an administrator,” he concluded.