Building top-notch information security teams

High-performing security teams look very different today than they did a decade ago, but too many agencies have paid insufficient attention to attracting and developing the right talent.

The increased importance and complexity of securing the government's data have resulted in a steady expansion of the influence and scope of the information security function. In reaction, most federal information security leaders have changed their focus from security operations to risk reduction.

The most progressive of them, however, no longer try to eliminate information risk. Instead, they adopt a position on risk management that is characterized by three behaviors: identifying and communicating risk in business terms, presenting risk owners with useful risk trade-offs and supporting risk decisions by those who own the risk.

Unfortunately, most information security teams do not have the skill sets to manage risk in those ways. CEB research has found that 78 percent of chief information security officers believe security customers do not view information security teams as trusted partners in making key business decisions. And nearly two-thirds believe security customers do not find their teams easy to work with.

Furthermore, nearly two-thirds of CISOs said the time they spend on talent management activities has increased in the past three years, with 20 percent of the CISO's time -- or one day per week -- now spent on talent management activities such as coaching and development, performance management and talent planning.

But despite significant investment, CISOs' concerns continue to grow in the face of three main challenges:

  1. Sourcing challenge. It's difficult to find individuals with a balance of IT and engagement skills. Once leaders find good employees, it's hard to keep them. Our research shows that 37 percent of high-performing information security professionals intend to look for a new job within a year.
  2. Structural challenge. The typical information security team has grown in size and complexity, so managing talent in an impromptu manner is no longer sustainable. Rapid growth in new activities -- such as business interfacing, risk assessment and advanced threat defense -- requires new skills.
  3. Performance challenge. According to our benchmarking, one-third of current employees do not meet performance expectations. Security professionals in business-facing roles do not have the needed "soft" skills, and those in technical roles do not have the latest technical expertise.

As progressive information security teams take up the mantle of true risk management, they look for employees who have the ability to constructively engage with business partners. Given how difficult it is to find those individuals, leaders must take a multipronged approach to developing their teams:

  1. Adopt a competency-based approach to talent management. Competencies are more predictive of employee performance than criteria such as experience and certifications. Leaders should define competencies for their teams and use them to drive hiring, development and planning decisions.
  2. Build and promote an effective employment value proposition to attract top security talent. Emphasizing the attributes that matter most during recruitment efforts allows leaders to penetrate deeper within the labor market and attract top talent.
  3. Involve customers across the talent life cycle. With 85 percent of security employees interacting with customers at least weekly, hiring managers must consider the customer perspective when making talent decisions.
  4. Invest more time in strategic talent management activities. Focusing on strategic talent activities has 2.25 times as much impact on outcomes as managing day-to-day talent tasks. Prioritize activities such as creating a strategic workforce plan to build a sustainable team for the future.

If federal leaders are to evaluate and respond effectively to information security challenges and threats, they need to build, develop and retain a different kind of information security team.

NEXT STORY: Can DHS get it together?