The ability to build high performing security teams is fundamentally one of the most important elements of success as a security leader. I’ve built security organizations at two major companies that were responsible for protecting systems and applications for hundreds of millions of users around the world, and through these roles I’ve learned several elements that are key to finding and growing amazing security professionals.
Many security leaders first pursue a path of hiring security professionals through an external search. This is a challenging proposition for several reasons. First, the dynamic of the security market is one of “negative unemployment”: security professionals already hold a role and typically have one or two high-probability options they could move to at any time. This isn’t to say that a security professional couldn’t be lured away from another company, but it isn’t the easiest path and you’ll likely be competing with others for that candidate.
Instead of focusing all of your energy on external sourcing and hiring, take a step back and ask yourself if you can grow and mentor a security professional from an existing strong performer elsewhere in the company. To explore this possibility, we first have to look at the fundamental skills of a security role and shed our preconceived notions of the classic “security job description”.
At their core, security professionals are a set of specialized skills on top of a base of core knowledge within a technical field. For example, application security engineers require a base skill in software development. Network security engineers require a networking base, and security operations individuals require a solid knowledge of operating systems and IT.
On top of this base technical knowledge is incremental security knowledge, which is a combination of core security principles, threat modeling, and risk management. Lastly, there is an operational element from established policies, tooling, and automation.
Of the two major components, base skills and security knowledge, it is far more important for a security practitioner to have a solid grasp, ideally through direct experience, of the base skills and then learn the incremental security knowledge. What this means is that we don’t actually have to limit our search to established security professionals. Instead, we can seek out high performing individuals in the base fields and mentor them with the incremental security knowledge.
This is a critical realization since we can now search for potential security talent within our existing organization!
In pursuit of the future security professional we must do a few things. First, we must discard the classic security job descriptions. No more need for specific certifications or prior years of security experience. Instead, pursue the security mindset and mastery of foundational skills.
Second, we must build a solid mentorship program to give the new security professional the opportunity to learn the new security skills. Since the individual is an existing employee from within the company, they have a massive advantage over external hires - they already know the internal tech stack and how work gets done in the company. This is huge - don’t underestimate its power!
For the mentorship, it’s critical to pair the new security individual with an existing senior member of the team. Next, the new member must go through a crash course on security specifics related to their role. This involves covering the core security principles first, then specific training that combines offensive security exploitation with the corresponding defensive changes that close the risks. Hands-on experience is key to solidifying an understanding of the risks.
At this point you have all the key elements of a great security professional. Now is the time to move them into actual security projects with the team. During these projects keep the individual paired with their mentor to enable that feedback loop and learning. Also be sure your team has established runbooks and processes for the work. If existing security operations are just based on the gut instinct of the individual security member, then you have some basic blocking and tackling to cover first.
After a few small projects, along with feedback from the mentor and manager, you will have a very capable security team member and a wonderful addition to the team. Your objective at this point shifts to the same objective you have with the rest of the team.
Build and foster an environment where security professionals want to work. This requires a steady security strategy from the leader, clear communication, appropriate shielding from top down politics, and creating an amazing environment to learn and grow.
If you can do all these things, not only will you have a new method for finding your next great security professional, but you will also build an amazing team of talented security professionals who are excited to work and learn at your company.