Why Your People Are the Best Untapped Security Strategy

To elevate your security strategy, hire skilled security talent while establishing a security-centric culture among employees.

Jason Lee, Vice President & Chief Information Security Officer, Splunk

July 29, 2021


People create paradigms. In every industry and job function, employees are one of the most important success factors, as they operationalize any strategy established by leadership. The security industry is no exception.

It stands to reason, then, that one of the most important elements of any organization's cybersecurity program is its people. To elevate one's security strategy, leaders must take a two-pronged approach to building their workforce: hire skilled security talent, while establishing a security-centric culture among employees.

Let's discuss how that's done, including how to find and retain talent in a changing recruitment landscape, and what it takes to instill training as a foundational piece of company culture.

An Evolving Recruitment Landscape
Cybersecurity roles require a unique set of skills, which can be challenging when it comes to recruitment. Faced with a persistent skills shortage, our industry is grappling with a small talent pool all the while working to address today's advanced threats. To find the right talent — let alone sustain it — organizations must broaden their existing perspective on recruitment.

I recommend thinking beyond the usual computer science programs and majors and considering connecting with those who have a strong interest in cybersecurity. English, philosophy, and business majors can do very well in this field. Those in creative pursuits can bring a new perspective and critical thinking skills to your team. Being a strong collaborator and communicator is essential because security spans every part of an organization. For example, I made it a priority to build relationships with our engineering team, joining their team meetings. I've often found that somebody who can build these relationships is far more valuable than someone who has a long list of certifications.

By keeping an open mind, you'll form a diverse team of problem solvers. As you search, look for "multipliers" — which is a term I use for people who help everyone else get even better. These are employees who not only deliver value within their own work, but also improve the output of those around them.

But it's one thing to identify talent, and another to attract it. Leaders need to understand what motivates workers these days, which is more nuanced than ever before. The workforce has evolved dramatically, so it's only natural that the recruitment process needs to adapt as well.

With millennials and Generation Z making up more than half of the workforce in 2020, according to research by ManpowerGroup, organizations should speak to what these groups inherently look for in a work environment. Millennial and Gen Z employees appreciate flexibility, mobility, culture, and a sense of purpose — position these value propositions at the forefront of your recruitment strategy to attract top talent and avoid churn.

Training As a Pillar of Company Culture
A security-centric culture isn't built overnight. It requires consistent and meaningful training and education that help employees understand the role they play in the security posture of an organization.

The IBM 2021 X-Force Threat Intelligence Index reports 95% of cybersecurity breaches are due to human error. Training employees isn't just important, it's essential for a business's survival.

To combat today's complex threats, training has to go beyond the basics. Annual security training needs to be complemented by regular security awareness communications and ongoing employee education.

IT leaders need to also tailor their programming to the unique needs of the hybrid workforce — building in situational training that prepares employees for any unique threats they'll face during this new phase of work. This education should cover scenarios that will be prevalent in this flexible landscape, speaking to the potential risks that come with using personal devices, public Wi-Fi networks, and more.

At my company, we conduct annual security training with our employees, and have broadened our efforts to encompass situational training as well. We've introduced monthly phishing simulations for employees along with follow-up education, so they may practice identifying and reporting suspicious emails in a safe environment.

Training should also expand to a company's developer teams, which can undergo continuous learning via secure code training. Through capture-the-flag competitions and other gamification techniques, this type of training helps upskill existing talent and makes security integral to any innovation the team creates.

By instilling security in employees' day-to-day routines, all parties feel invested in the protection of an organization. Security becomes second nature.

The Power of Human Potential
By harnessing the power of human potential, leaders can instill security into the fabric of their organization — an investment that will pay dividends. With talent and training acting as the foundation for your strategy, you can create a security program designed for the future. A security-centric culture will become your new paradigm, thanks to your people.

About the Author(s)

Jason Lee

Vice President & Chief Information Security Officer, Splunk

Jason Lee is Vice President and Chief Information Security Officer at Splunk. A highly respected technology executive with 20 years of experience in information security and operating mission-critical services, Jason led security for large enterprises prior to joining Splunk including Zoom and Salesforce, where he led the delivery of critical end-to-end security operations including company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection, identity and access management and the offensive security team. Before that, he spent 15 years at Microsoft and held various senior leadership roles, including Principal Director of Security Engineering for the Windows and Devices division, as well as Senior Director of Developer Services. As Senior Director of Developer Services, he oversaw the design and management of the mission-critical PKI for all products across the company. Lee holds a B.A. from Washington State University.
