Two of the most pressing cybersecurity tasks of our time are the need to dramatically grow the size of the workforce, and to create one that is agile enough to keep up with the shifting sands of today’s business landscape. Infosec Europe’s keynote panel session “Building an Agile Security Team for the Future,” chaired by (ISC)²s EMEA managing director Adrian Davis, saw leading frontline professionals from travel search giants Skyscanner, to transport operator Network Rail and the UK government, discuss how these challenges might be addressed.
The first key insight was that an agile cybersecurity team cannot have fixed, traditional role boundaries. Having fluid job roles allows cybersecurity professionals the ability to learn new skills, aspire to achieve managerial positions and help other business units by working outside their “techie” comfort zones. Crucially, the ability to transcend fixed role boundaries gives the flexibility to adapt to a diverse array of threats. Network Rail CISO, Paul Watts, explained how professionals in his team are constantly talking to, and working with, professionals from other teams and departments, as they recognise that innovations must draw on as wide a pool of expertise as possible, and that cybersecurity now encompasses all business units.
Vicki Gavin, head of information security at The Economist Group explained that the key to achieving a team that transcends traditional role boundaries was to “hire for inclusivity, not exclusivity.” Pruning the job specs helped to draw in a more diverse pool of talent. Women, for example, are less likely to apply for roles with lengthy job specs, unless they believe they are fully competent at each one of them. It is also vital to remove unconscious bias from the recruitment process; for example, building role profiles around the last person who did the role means that recruiters are continuously hiring the same kind of person – largely older males – and failing to open doors to millennials, women and people from other professions.
Rather than exclusively hiring qualified off-the-shelf tech specialists, cybersecurity employers should broaden the talent net by hiring for attributes, rather than qualifications, and investing more in training. Instead of recruiters searching for superman. The truth is that it may be necessary to build superman from scratch. There are many ways to attract new people into the industry, and the answer can be on your doorstep. Watts explained that he found someone in marketing who had an interest in cybersecurity, but no experience in the role. He offered her a brief secondment with his team and she quickly picked up the skills and brought a completely new perspective to the team.
The panel remarked that while traditional recruits to the industry can be risk-averse and afraid of chaos, an agile security team is one that is innovative, prepared to “fail forward” and “doesn’t ask for permission, but asks for forgiveness.”
In a world where cybersecurity transcends any one business department, an agile security team must also be one that can speak the language of every business unit, from the board to the marketing team. It must be a team as diverse as the business it operates in, and a team that has technical knowledge garnished with soft skills. As one panellist remarked “in an increasingly amorphous industry, we need an amorphous workforce.”