How to create a better working environment for security professionals.

Carric Dooley, WW VP of Foundstone Services, Intel Security

January 20, 2015

3 Min Read

January is a good time to get strategic and think about the bigger picture. The glut of security breaches in 2014 has increased the pressure to hire and retain cybersecurity experts, in a market that was already experiencing an acute shortage. Ranging from 50,000 to 500,000 or more depending on whom you ask, the gap between supply and demand is large and growing.

At the same time, I still hear from many clients who perceive security as an annoyance and a sunk cost, not a proactive and positive force for their company. This opinion varies by role – our research shows CISOs and senior IT managers are less prone to this mindset than the teams with more operational roles.

Greenberg Survey sponsored by Intel Security, November 2014, N=700.

Perception is important because it translates into attitude to the team, communicated in body language, nicknames, and reluctance to comply with rules. Security staff may play along and participate in the jokes, but internally being treated this way in your job is slowly soul-destroying.

When asked about what keeps them enthusiastic about their jobs, security professionals will often mention meaningful and challenging work, opportunities for professional development, and a belief that their skills are being put to good use. When asked about the challenges in their jobs, top of mind are lack of understanding from senior management and lack of adequate investment.

Here are three ideas for creating a better work environment for your security team:

1) Reaffirm that the threat is real. People are trying to get into your network to steal your data. This is not meant to be a scare tactic, but an awareness campaign. Show the company why your security team matters and that it’s not just a necessary evil. Talk about public breaches or internal incidents. Demo how to hack an online account. How did it happen and what can you do about it? Communicate that your team does more than make security rules, they are also the people who work long hours in the event of a breach.

2) Make it personal. What aspects of the job does your staff dislike? Try to reduce or eliminate those tasks through automation, education, or managing up. Then give them challenging tasks and more of what they like doing. Use words that indicate support and positive reinforcement. Make each member feel respected and rewarded, that they are making a difference, and are an important part of the Security Battleground.

3) Have fun. Send them to conferences and give them time to learn new things and participate in local security events and hackerspaces. Invite consultants or experts that have experienced a breach to share war stories. Interacting with smart, like-minded people in similar situations helps to build team spirit and a sense of value beyond the cubicle.

Banks do not view vaults, cameras, or safety deposit boxes as an annoyance, but as an important part of minimizing their risks. Customers would not deal with a bank that reduced expenses by keeping cash in cardboard boxes in a back room with only a simple door lock for security. Your enterprise information security should not be viewed as an impediment to the business, but as a critical part of making the Internet a valuable and secure business tool.

About the Author(s)

Carric Dooley

WW VP of Foundstone Services, Intel Security

Carric Dooley has extensive experience leading comprehensive security assessments as well as network and application penetration tests in a wide range of industries across North America, Europe, and Asia. As the Worldwide VP of Foundstone Services at McAfee, part of Intel Security, he works with companies around the world in various industries, including financial services, insurance, healthcare, software, manufacturing, retail, pharmaceuticals, government, food services, and entertainment.

Carric has performed information security assessments, security architecture reviews, wireless assessments, web application penetration tests, host configuration reviews, product reviews, risk assessments, and policy development projects. He has also led several enterprise risk assessments following Foundstone's methodology based on NIST 800-30, helping clients in the financial services, government, and software industries to develop effective risk management strategies. In 2005, Dooley also helped establish Foundstone's methodology for assessment and penetration testing.

Prior to McAfee, he worked at Microsoft on the ACE team, and at Internet Security Systems (ISS) as a senior consulting delivering assessment services.

Carric holds a bachelor's degree in business administration from Georgia Southern University, with a focus on international economics and a minor in French.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights