Building an Effective Security Team: It’s More Than Just Technical Skills
As part of a new video series of discussions with security leaders, Verified: Presented by AWS re:Inforce, AWS CISO Steve Schmidt sat down with Emma Smith, Global Cyber Security Director at Vodafone, for a discussion on the importance of diversity, equity, and inclusion in security teams. Watch the full video on YouTube.
Emma, a Diversity Champion SC Awards Winner, knows a thing or two about building diverse teams, and as you’ll see in the interview, the results speak for themselves. I thought I’d spend some time on the subject since one of the most frequent topics in customer executive conversations is finding and retaining security talent.
Finding quality security talent has always been a challenge. Demand is high and there are so few qualified, experienced people. Add “cloud security skills” to your search, and hiring managers feel that they have a next to impossible job of finding, affording, and retaining people with these critical skillsets.
There are some nontraditional ways of building your security teams, especially if your organization is in an area without a deep pool of security talent.
- Look internally. Do you have passionate, talented employees (technology or not) who never thought about a career in security because THEY didn’t think they had the skills? Passionate people (and great security people are passionate: passionate about protecting their customers, safeguarding their company, and defeating the bad actors that are out there) can be trained in different aspects of security. Maybe you have a passionate developer who knows nothing about security, but after some mentoring sessions with a security team member, they start writing IAM code to enforce least privilege or a monitoring script that looks for anomalous behavior. An employee in Finance or Audit who is especially good at pattern matching could be your next fraud detection expert or the human resources professional who truly understands people can build a especially effective security awareness program. Another pattern that works well is to develop a “security rotation” program with your development staff. Having a developer do a one- to three-month rotation in the security team has several positive outcomes:
- It can give the security team much needed access to coding skills for cloud security/automation efforts.
- It can give the developers a better appreciation for what security teams face in their day-to-day duties.
- It naturally builds a security ambassador/champion program. When that developer returns to their product team, they will bring what they learned during their rotation and incorporate that in their development process.
- It promotes a more secure environment!
- Develop future employees. Have a university/community college nearby with a computer science department? Help develop the next generation of security professionals, and get them interested in the profession. Help them understand that “building the next viral app” doesn’t mean anything unless it can be built securely. Use them to supplement some of the coding needs on your existing security team. Your organization will benefit immediately from some of the latest skills, and you may inspire someone to go on a whole new career trajectory.
- Think broader. What life experiences or backgrounds do your adversaries have? That’s right—you have no idea. It’s a diverse mix of people from all walks of life, from virtually anywhere on the planet. They have different motivations (e.g., political, ideological, criminal, etc.), and it is very difficult to pinpoint who these people might be and how they come up with their myriad attack scenarios. If that’s the case for your attackers, would it not make sense to make sure your security defenders have just as unique, diverse backgrounds and life experiences as possible?
- Consider military veterans. Whether they come from technology fields or not, veterans have proven themselves to be some of the most trainable employees on the planet. Veterans understand service, and are inherently predisposed for that security mindset that many organizations are looking for. At Amazon, we have an extensive military recruitment program that has been extremely successful from both an employee and employer perspective.
Security teams have a lot of responsibilities and niches to fill. Not everyone needs to be a coding guru or threat hunting ninja. You need diverse viewpoints, backgrounds, and thought processes to evaluate your organization’s security strengths and vulnerabilities with an open mind. And it is exactly that mix of diverse people and their problem-solving skills that will make your security organization stronger and more effective, make your company more secure, and keep your customers safe.
Introducing the First Video in Our New Series, Verified, Stephen Schmidt, VP and CISO, AWS
Cultivating Security Leadership, Stephen Schmidt, VP and CISO, AWS
Traits of Highly Successful Security Organizations, Stephen Schmidt, VP and CISO, AWS