How to Build a Cyber Security Team with Staying Power

Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028, much faster than the average for all occupations. Those statistics mirror what we are seeing at NetSPI – a demand for information security professionals to create innovative solutions to prevent hackers from stealing critical company assets or intellectual property.

Twenty years ago, the role of a cyber security professional revolved around securing the perimeter. Today, cyber security has evolved and matured, along with the attack landscape. CISOs are responsible for many things, from preventing breaches and instilling ongoing security and vulnerability management programs, to internal/external leadership and even reporting to the board. Learning from the past as we plan for the future, I’m confident that the role of the cyber security team will continue to evolve, making it is imperative that organizations build and invest in a team with staying power.

Humbly speaking, with the tenure of many NetSPI team members at 10 years or more, we are fortunate to be able to offer our clients quality – and consistent – counsel because we have built a mindset around focusing on building teams with staying power. In this blog, I’ll share some insight into NetSPI’s commitment to team building in the hopes that it can provide guidance for your own workplace development (or even to serve as criteria for hiring your third-party testing team).

Hire for Experience, but also for Thirst of Knowledge

After hiring numerous professionals throughout the years, I’ve noted that there are a number of things, beyond experience, that can come together to make a person great in this profession. Someone who is a self-starter or is ambitious, oftentimes is a great team member. Further, an individual who works on projects outside of work or school demonstrates to me a passion for the profession.

Yet, two traits that are more difficult to recognize at first are the more unique soft skills: memory recall and curiosity. Individuals who have memory recall, who can understand patterns and relationships, usually gain an advantage when it comes to thinking like an attacker and recognizing familiar trends, while working as part of a client consulting team. And the highly curious person often has an innate drive to pick things apart, skills that are fundamental to success when the technology landscape becomes more complex by the day and emerging technologies continue to open new doors to hackers. Technology vulnerabilities are there – and a curious person is more apt to see find exposures so remediation can commence.

Make Training and Continuing Education Fundamental

Today’s college graduates in the technology or cyber security fields, or even those with just one to two years of experience, have a definite thirst for knowledge. Our organization has found that investing in feeding that knowledge has paid dividends and has manifested in our proprietary NetSPI University.

Each year, through NetSPI University, we take new cyber security talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs, and cross training. Why do we make this investment? The reason is two-fold. First, it is part of our DNA and culture to continuously improve (truly, at all levels of the organization). Secondly, our ability to outpace attackers is due to our talent and our culture. Our clients respect that, and in some cases, seek out our counsel in putting in place their own training programs. In the long run, organizations benefit from investing in their teams.

Focus on Measures Outside of Just Technology Competencies

In Nabil Hannan’s inaugural edition of his Agent of Influence podcast (with the excellent title of “Cyber Security Education and the Ethics of Teaching Students to Break Things”), he states that “some of the most successful people who he’s seen in cyber security are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments.” He goes on to point out that this is critical as technology is always evolving, as are the security implications. I couldn’t agree more. In fact, I think it is a hiring measure – adaptability or agility outside of technical competencies – that is undervalued. I write about the importance of agility here.

What’s more, organizations that provide a framework for performance – meaning evaluation measures on quality, technical depth and outcome – help not only the team member, but the organization as well. But I argue that agility measures should also be part of the framework for performance so that team members can bring their own skills and perspectives to each and every engagement and incorporate their individual style. This not only benefits the employee and the client, but an organization can then apply that individual’s insights across the whole team to make the organization better and smarter. Additionally, organizations need to understand that a dynamic culture, one that puts in place the building blocks to enable people to enjoy working together pays dividend in terms of work product, retention, and recruitment.

In my opinion, cyber security professionals have the best job in the world. They get to ethically hack into some of the largest companies. With that comes responsibility. Because of the importance of the work that cyber security professionals do day in, day out, its critically important that organizations provide opportunities for these talented individuals to grow, stay on the cutting edge, and to lead. A commitment to building a team with staying power through a commitment to training and development of the next generation of security professionals is imperative as the profession continues to grow to meet the growing demands of the job.

Charles Horton