Speaking in the keynote session 'Rethinking Security Teams to Address the Skills Shortage & Secure the Business' at Infosecurity Europe 2018, panelists agreed that building the best team requires a blend of talent and diversity.
Cory Scott, CISO of LinkedIn, said that if you only employ “tricksters” nothing will get fixed, and that is why you need to look for all types “and why diversity and narrative should be in your mindset. If they look like you and all have the same background and education you end up with a homogeneous group of individuals who are not serving the business.”
Scott added that you want a collection of people with different narratives and different types of functions, but that the “trickster” narrative is also important for understanding how the next attack pivots, and that you want an engineering wizard to solve problems at scale rather than doing a manual review time and time again.
Christian Toon, CISO of Pinsent Masons, likened the building of a security team to Marvel’s Avengers where there are participants with different skills and backgrounds. He said: “There is not a skills gap, there is an attitude gap and that is why you hire.”
In terms of internal development, Toon encouraged delegates to consider “giving people a career, a job and then give them something else” like training and education opportunities.
“People want to grow and develop, and give them training and meaningful qualifications that enhance your security team and treat them as individuals,” he said. “Look at every walk of life, every gender and you need to tell HR they need to positively discriminate.”
Moderator Wesley Simpson, chief operating officer of (ISC)2, noted that women make up only 8% of most security teams, and only 7% are women under 29, and asked what is being done to cast the net wider.
Toon recommended incentivizing those looking for a career change and encouraging those only able to take on part-time roles, while Scott said that there are three areas to consider:
The first is having an inclusive and supportive culture, where you listen to your employees and understand how to measure culture.
The second is about hiring and getting the right type of candidates, and about the “unconscious bias” in organizations that don’t understand your message.
The third is about establishing ability with a wide group and focusing on the development of the organization.
Closing with a discussion on the role of recruitment agents, Toon said that he finds “recruiters difficult to deal with, and the right ones are worth their weight in gold.”
Mun Valiji, CISO of Sainsbury's, said that too much time is spent trying to get “a CV match” and not enough on getting the recruitment agent to understand the requirements the company is trying to fulfill, and to understand the business and its engagements.
Emma Smith, group technology security director at Vodafone, argued that the more the recruitment company knows about the business the better the match. “We make sure every role goes through the gender language tool” and that recruiters can help with that, and make sure that the recruitment process is a personal task.