4 Team-Building Essentials
Tips from Senior Leaders on What It Takes to Build and Manage an Information Security Team
"What surprises me most is how little teams have evolved over the years," Anderson says. "For me, the focus was always people and their issues, and that hasn't changed. Because they are the ones who ultimately make or fail a team."
The 'people factor' is key to the success of building IT security teams at organizations. "An effective security team boils down to two critical factors: the security leader who understands his mission and knows what he's here to do, and his ability to find and manage the right people and skills to execute," says Teddy DeRivera, executive vice president at Wells Fargo Internet Services Group. "We need a good mix of detective and preventive roles and skill sets to be successful as a team."
Here are the main team-building strategies shared by senior security leaders:
1. Know What It Takes to Head a Team:
Strategic Visioning: From Anderson's experience, many security leaders inherit a team and from day one get so caught up in firefighting mode that they fail to take a step back to understand such simple issues as: "What are we here to do? What skills do I need to execute? How can I allocate my resources effectively to get more done with what I have?" This lack of strategic visioning as a leader is most often the reason for disorganized and ineffective teams, Anderson says.
Leaders need to have a plan of action for accomplishing set goals as the first initiative to be successful in team building. "They need to understand that implementing one small step at a time is pushing them toward their objectives," says Anderson.
Understanding the Business: Leaders need to invest time to understand:
- How IT security supports the business;
- What the business is trying to accomplish;
- The risks to the organization;
- What to protect;
- Why to protect it.
"Without this business and risk approach, the leader is doomed from the beginning in his team building efforts," says Anderson.
Communicating Downward: At Digital Equipment, Anderson had a matrix organization where individuals had more than one manager, and he found himself constantly engaged in consensus building to execute a plan or set direction for security. He soon realized that to be successful as a team, he had to strike a balance in communication that flowed both upward and downward. He found that a leader's ability to communicate downward often takes a backseat with the only focus being at the executive level, thereby creating gaps in a team's effort.
Understanding Skill Set: A security leader needs to understand the breadth and depth of skills required for the team to perform well. The team has to be a mix of good technicians, high-end policy makers, risk managers and fraud experts. "Leaders need to hire people who think differently than them to be successful," he says.
Acting as a Mentor: A leader needs to act as a mentor to the team by clearly stating their job roles and responsibilities and criteria for good job performance, as well as rewarding and motivating them as needed. According to Anderson, an effective team leader needs to look at the changes and uncertainty and adapt to the organization's culture and constantly ask "Why are we doing this? What are my new role and responsibilities in this position? And how can I better work with my team to be successful?"
2. Take a Hands-on Role in the Hiring Process:
For an IT security team to be successful, leaders need to play a hands-on role in the hiring process, and clearly know what role and skill sets they are seeking. Besides prior technical and security experience, Kenneth Newman, risk manager and team leader of six IT security staff at Central Pacific Bank based in Hawaii, emphasizes communication and collaborative skills. "It is very common for security functions to be overloaded and somewhat stressed, leading to internal and external tensions," he says. "I look for individuals who, besides communicating effectively to IT and business groups, work effectively together and demonstrate good teamwork."
In his interview process, Newman tries to gauge an individual's prior experience working in a team, contributions made and how they resolved issues to meet deadlines. He pays close attention to how a candidate responds to:
- A situation where they disagreed with a co-worker;
- Approaches they use to deal with conflict at work;
- Whether they crave star status or individual achievement.
From their responses, he gets a fair idea about the candidate's personality in terms of their listening skills, ability to share information, proactivity and their interpretation and perception levels. He's also able to gain insight into personal traits like an individual's self-esteem, their personal goals, values and needs. "I want professionals who speak about 'we', not 'I', because in my experience there is never a single hero in IT security," Newman says.
Within IT security skills, he looks for strong data analytics capability and turns to folks who understand IT risk and the risk profile and tolerance of the organization. He places a premium on an individual's aptitude for embracing new technologies.
A major challenge for a security team's success is the inability to find adequate resources within a certain time frame. Newman advises security leaders to consider looking under their own noses for talent, and then provide reasonable training to get these internal resources up to speed, as well as make use of networking sites, LinkedIn groups, educational institutions and security associations to find qualified candidates.
3. Be a Motivator:
An important question for a team's success is: How do you keep the IT security team continuously motivated in the workplace? "Motivation is creating a state of mind that moves one to action," says DeRivera.
At Wells Fargo, DeRivera has a defined process for team engagement. He spends a reasonable amount of time understanding the needs of each team member and what they require to engage in the team's activity for enhanced productivity. He has team engagement scores for each member that are statistically analyzed based on their participation, activity and work productivity. These team engagement scores are a good motivator. "It helps in making employees realize the consequences of improving the productivity or being negligent towards it," DeRivera says.
These scores play a significant role in an individual's job performance evaluation and toward obtaining internal promotions. They also are competitive and involve ranking between different departments and teams. In addition, DeRivera takes time to understand who his team members are. What are they saying? And how can he recognize their contribution toward the organization? "A sense of safety, security, recognition and belongingness can motivate the whole team to continue working with zeal," he says.
He invests in understanding his team members' innate strengths to strike a balance between skills and capabilities to keep their motivation levels high. He also provides frequent group lunches and time off for members when needed. Constant communication with his team and their requirements helps him stay on top of issues.
"The key motivator is to find passionate folks who have the desire to learn and drive to keep the excitement going," he says.
4. Provide Ongoing Training and Education:
Building an effective information security team is a continuing process, one that requires constant refreshing and education. "It's ultimately a matter of reputation," says Michael Jacobson, CEO of NebraskaLand National Bank and former chair of the Nebraska Bankers Association. "It's not just about putting a team in place; it is about IT security staff updating their security skills and taking appropriate actions to tackle the changing threat and technological landscape."
Certifications from professional associations play an important role in Jacobson's education strategy. He resorts to the CISSP (Certified Information Systems Security Professional) and the GIAC (Global Information Assurance Certification) for different skill sets.
He also looks at frequent workshops conducted by MIS Training Institute, The Institute of Internal Auditors and Security University. At the very outset, he puts aside funds from his budget for training initiatives for his employees and ensures they keep their skills in pace with what is required in the banking and security industry. He actively encourages team members to be visible and participate in events, conferences, online forums and groups initiated by the American Bankers Association, SANS Institute, ISC2, ISACA and others. Jacobson, who heads a team of 65 IT staff nationally, often finds it challenging to get professionals who both understand security and relate to issues plaguing the banking industry. Therefore, he invests in suitable training programs for his staff with different banking schools.
"Improve capabilities and skills of team members to create synergies and positive team dynamics," Jacobson says. "And learn to do more with what you have."