Agile practices are now being applied right across the business. But what does an Agile IT security team look like?
To safeguard the organization and its customers, Agile security teams need to demonstrate four attributes: flexibility, inclusiveness in recruitment, a desire to experiment, and an ability to engage with the business. At Infosecurity Europe 2017, industry-leading CISOs revealed how those can be achieved.

1. Foster flexibility
An agile security team is one that isn’t tied to traditional role boundaries, according to Vicki Gavin, The Economist Group’s compliance director and head of business continuity & information security. Giving an example, she says: “Just because you were hired to be a security operations center (SOC) analyst, doesn’t mean you will always be a SOC analyst. You have to change what you do to support the business.” Gavin is a regular coach of upcoming employees and when someone shows an interest in a new area she often goes out of her way to help them expand their skillset.
This need to have a team made up of individuals with different strengths and weaknesses is the only way organizations can hope to meet the demands of the ever-changing threat landscape, argues Stuart Hirst, head of security at Skyscanner, the UK-based travel fare aggregator owned by China’s Ctrip. He argues that fresh thinking is helpful when addressing emerging threats: “In security, you don’t always have the answers. It’s OK to not know what you’re doing at first but you have to know where to get the answers from very quickly.”
By encouraging the breaking of boundaries between traditional roles and training that crosses disciplines, organizations can cultivate a security team with the potential to be as agile as the threats they will inevitably have to face. As Gavin says: “The job changes in a day; that’s why we need to hire agile people.”

2. Make recruitment inclusive
By 2020, estimates market research analyst Frost & Sullivan, there will be 350,000 unfilled security jobs in Europe and 1.8 million worldwide. If organizations are to have any chance of filling that void they need to change their approach to recruitment.
The Economist Group’s Vicki Gavin accuses many organizations of recruiting “exclusively rather than inclusively.” She explains: “Typically, HR might put together a long list of qualifications and if candidates don’t match all of these, they are not considered.” Such a mindset not only contributes to the gender imbalance in the industry, as women are less likely to apply for a job if they feel they don’t completely match the skills required, says Gavin, but this also eliminates candidates from technology backgrounds that are not devoted to security. As a solution, she advises: “We must actually limit the skills we are looking for. Instead of a list of, say, 17 required skills we can prioritize the top ones. Often you have to develop the skills you’re looking for and remember that good people are innately capable of learning.”
Paul Watts, CISO at UK railway infrastructure operator Network Rail, agrees and offers an example from his organization. A marketing graduate who had recently joined the company approached him saying she had an interest in IT security but no experience. He took her on a six-month rotation with his team and found her soft skills in communications and relationship building have improved the connection his team has with the business. In turn, she found a way into a career that seemed beyond her reach.
The need to train on the job and look for different skills when recruiting is widely echoed. Mahbubul Islam, head of secure design at the UK Department of Work and Pensions (DWP), says: “When considering a candidate, you look for knowledge, experience and exposure. Instead of trying to find all three, hire a candidate with strengths in one of those and develop the other skills.”

3. Encourage an experimental culture
Most business executives are inherently cautious of experimentation, with the sense that failure always costs money and reputation. However, a new breed of leaders is emerging that understands how digital models and technologies can be used in trial and error, with controlled risk. Skyscanner’s Stuart Hirst says experimentation is woven into his organization’s start-up culture — and that extends to his security team: “We fail fast by taking calculated risks. People work best when they are not scared of doing wrong, but it is a difficult ethos to embed in any organization. We have to look at new ways of working in the security industry.”
Paul Watts of Network Rail agrees that security teams must feel empowered if they are going to be effective. He wants his team to live by the adage: “Ask for forgiveness, not permission.”

4. Ensure engagement with the business
The relationship IT security teams have with the rest of the business will determine success or failure. As Adrian Davis, managing director for EMEA at (ISC)², the security education and certification group, aptly says: “We can’t be agile without the business being agile. For it to work we have to go and educate people.”
This means changing the perception of IT. The DWP’s Mahbubul Islam puts the emphasis on educating colleagues that IT, and specifically IT security, isn’t the ‘department of “No.”’ He advises security professionals to “demonstrate how you’re supporting the business, show the positive side to security.”
Both Gavin and Watts put the emphasis on drawing the rest of the business into engagement with the security agenda, saying it must be understood that security is everyone’s responsibility. Hirst believes this will be made possible by security specialists understanding how to communicate well with the business. “Not everyone is technical. So you must be able to get the same security message across to different people, whether an engineer or an administrator in HR,” he says.
Educating the C-suite on the reality of security operations will also help to bridge the gap between the security team and the business, adds Gavin. She has been reporting directly to the board since 2009, and says: “I’ve been trying to communicate with my execs that, like every organization, we will be breached at some point. It’s not about avoiding that, it’s how well you are equipped to deal with it.”

• Article based on a panel discussion at Infosecurity Europe 2017, www.infosecurityeurope.com.