In some companies, Information Security and Risk consists of a large team of hundreds of professionals handling security and compliance risks across many countries. In others, Information Security is one of the many responsibilities of an IT Manager who handles everything from IT management, staffing and Project Implementation. Either way, Information Security is a critical facet of the modern enterprise that is riven with uncertainty and a growing list of possible threats. Building a solid information security team (own or outsourced) is critical.
I see everywhere, that people are facing a serious challenge with information security team. In my opinion, its not they don’t know how to get the right candidates, its that they don’t know what to look for in candidates when they are building their information security teams. According to the legendary author and eternal student of business, Jim Collins, its more important to get the right people on the bus and get these people to the right seats, rather than focus on what these people need to do. Good people, in the right mix tend to produce good – great results given the right environment.
Several CIOs and CISOs ask me that single question “What kind of people do I need managing our Information Security Team?” Well, thats what I am about to address. I believe that these 3 types of people are key to making any information security team, super-successful.
The Tinkerer
The Tinkerer is my favourite character in any good Information Security Team. The Tinkerer essentially wrestles with Technical security issues. She sets up that SIEM product all on her own and starts monitoring events inside the network. She’s able to cull through complex application or system logs and identifies the root cause of a security incident. She’s able to script up a quick tool in Python/Ruby while performing an internal penetration test. She’s what we would all call, a Geek. The Tinkerer is one who possesses a wide and deep array of technical skills that she uses in information security. The Tinkerer is hungry for technology. She has passionate conversations with the technology teams and seems to have that unlimited energy and drive in “getting his/her hands dirty” with technology implementation. The Tinkerer is an invaluable asset to any Information
Security Team because they possesses the technical skills to cut through the crap and dig deep into any technical/technology oriented solution. I have observed that Tinkerers are great with Unix command line, probably have some scripting skills and have implemented just about any open source product you can think of.
The reasons why Tinkerers are so important:
• They do not just “listen to” vendors. They actively engage and get to the bottom of the vendor’s technology. They provide solutions often, when vendors can’t.
• They save you a ton of money. Don’t have the budget for that File Integrity Monitoring solution? Not to worry, the Tinkerer will scour through the Internet and would probably implement an open source solution with the same effect.
• Their passion would drive technology security. The Tinkerer is able to engage with ease with external penetration testers, internal penetration testers, network security personnel and application personnel. The Tinkerer is able to speak all of these diverse dialects with ease and ensure that security (atleast technically) is a top priority.
The Processifier
The Processifier is a unique, unglamorous but highly important role in Information Security Management. Every strong Information Security team must rely on process, procedures and practices to succeed. This is where the Processifier comes in. The Processifier’s basic job is to streamline Information Security Processes at the company. She ensures that there is a strong process for most information security practices. She creates a strong risk management framework that defines the company’s information security growth year-on-year. She basically ensures that the bedrock of a strong information security practice is in place for the company to implement even when she’s not around. The Processifier is usually the sounding board for sane advice on any security-related practice. She keeps the other information security personnel in check by ensuring quality of standards and processes.
The reasons why Processifiers are so important:
• They create the foundation for a strong Information Security Practice. They create the practices, processes and documentation for the Information Security Practice, which is extremely important from a long-term perspective.
• The Processifiers provide the quality and consistency parameters for the Information Security Team to conduct its activities all through the year.
• The Processifier also handles initiatives like Security Awareness and Training that
is non-negotiable for a Security conscious company.
The Prophet
The Prophet is a unique role between business and information security. The Prophet is an Information Security Professional with a keen eye on the business. While the Processifier creates a risk management framework and the Tinkerer is technically adept, The Prophet’s job is to ensure that all of this applies and makes sense to the business. Business Risk is the Prophet’s business. She is the ultimate mediator between management and security scuffles. She advises the information security team on changing business risks and perceptions. She has the right connections to the right stakeholders inside and outside the business to provide Information Security with a unique perspective. She ensures that Information Security delivers immense business value and makes it
known. The Prophet is like the ultimate fixer for businesses and information security
teams because she can speak both tongues equally well.
The reasons why Prophets are so important:
• Popular perception is “Management is always at odds with Information Security”. With the prophet, management and information security are partners.
• Sometimes, Information Security tends to get lost in controls and technology. The Prophet is the essential element that points them in the most important direction of business risk.
• Prophets ensure that Management and Information Security meet in the middle. They are the diplomats of the security world, constantly ensure that the tug of war between these two diverse areas does not cause the rope in the middle to tear or break.
Conclusion
These people (listed above) do not always have to be different people. As a single IT Manager, you might have to wear all these hats. However, having the right mix of the Tinkerers, Prophets and Processifiers, your Information Security should be in great shape.