Focusing on People vs Technology in INFOSEC : Additional thoughts

Posted on July 22, 2012

This evening I came across a post titled “Focusing on People vs Technology in INFOSEC” and it struck home. I agree with everything in there. I would suggest you go and read it (link here).

I don’t want to plagiarise huge sections of the article, but am quoting fair bits of it below to introduce my own thoughts on the matter. To summarise (and paraphrase):

  • Organisations seem happier to invest in technology, such as security products, rather than in people
  • Organisations tend to have higher capital expenditure budgets rather than operational (direct expenditure)
  • There is generally a lack of people and programmes to support security technology implementations
  • There needs to be a much greater focus on people, without the right people product implementations fail

The author then goes on to suggest eight steps to consider when building a security programme. These are repeated verbatim below:

  1. Focus on culture and having a fun environment for your people to work.
  2. Sending the team to security conferences and additional training events.
  3. Have a clear and concise roadmap for your team and an understanding of career advancement.
  4. Focus on building security programs first before ever investing in technology — use technology for automation.
  5. Work on automating and streamlining processes versus adding additional work on broken ones.
  6. Staff appropriately and fight for additional headcount where it is needed. Be careful on over hiring.
  7. Take time out of your day to focus on people and seeing how they are doing and if there is anything you can do.
  8. Communication. Communication. Communication… Did we say Communication?

I agree with all of the above. There are organisations who want to hire experienced people who can come straight in and do the job, who have all the experience and qualifications, but then don’t want to send them on training or don’t want them to learn new skills. I find this to be a very short-sighted view. One of the hardest parts of setting up and running an effective information security team is finding and retaining the high-calibre staff who will make it successful.

What will attract the right kinds of people? A learning environment. One where they can come in, be part of a team, have fun, learn new skills, and share existing skills and knowledge while making use of those skills and taking themselves to the next level. I have always found that encouraging people in your team, across all levels, to study, to take on new challenges and to better themselves boosts the confidence and productivity of all. I see a lot of debate around whether CISSP or CISM is the better qualification, or sometimes whether they have any value at all. That is largely irrelevant in my view. I would encourage (and have encouraged) my staff to do either. Going through the process helps the inexperienced learn new skills, and gives recognition to those who already have the skills. This is good for self-confidence and career prospects, either in the organisation or outside it.

I have also found that by focussing on people and teaming, people will develop loyalty, both to you as a manager and mentor, as well as to the organisation. You are more likely to retain these people longer, and reap the rewards from the investment that has been made, despite the fears that once qualified they will leave. When you have a great learning environment then people will also be attracted to come and work with and for you. Half the battle is then won.

All the grand plans in the world will come to nothing unless you have people who will work with you, support you and enable those plans to come to fruition. There are going to be times when a lot of hard work is required, but hard work towards a known goal, where you are learning, having fun and being productive, doesn’t always feel like hard work, and staff will give their extraordinary efforts willingly. At the same time, don’t take them for granted. Small gestures can go a long way.

In all of this, technology is also important. Not so much the technology you end up implementing, but the technology you make available to the staff to experiment, play and learn with. While (mostly) any tool can get the job done, the key is making sure that you know those tools intimately. When they are in production it is hard (and dangerous) to play with them; however, having a lab environment with the right hardware, software and connectivity gives people the freedom to learn and become the best they can be. This also keeps the job fresh and rewarding. Don’t forget this when preparing the budget – even though it may appear to be an unnecessary luxury. Be prepared to debate and defend this portion of the budget just as much as your capex, salaries and training.

@dave_rel1k (I am assuming you wrote the piece), thanks for sharing, and reinforcing for me the important aspects to focus on when building an information security team who can transform the organisation.