This is the third blog post as part of the series “How to Run an Information Security Function Effectively?” In my first post, I provided the mind map describing the thought process behind my conclusion that we can be much more successful and effective in running and managing an information security function simply by “Running Security Function as Our Own Consulting Business”.
In this post, I am going to explain the second box on that mind map, Talented Team.
In 1989, FIBA, international basketball’s governing body, allowed professional NBA players to participate in the Olympics for the first time. The team assembled by USA Basketball for the tournament in Barcelona in 1992, The Dream Team, was one of the most illustrious collections of talent assembled in the history of international sport. Of the twelve players on the team, ten were named in 1996 among the 50 Greatest Players in NBA History. The USA team was so much better than the competition that head coach Chuck Daly did not call a single time-out during the tournament. The closest of the eight matches was Team USA’s 117–85 victory in the gold medal game, a rematch against Croatia.
The results of the 1992 Olympic basketball games were no surprise to anyone. By picking the best possible team, the USA guaranteed itself a gold medal. CISOs also need a talented team to be successful – to deliver excellent services to their organisation and run their information security function effectively.
Just as professional basketball is a team sport, running a security function effectively is also a team effort. A basketball team has different positions on the court, such as point guard, shooting guard, small forward, power forward and center. You need players with different skills and strengths for different positions to be able to win a game. An effective security function also has different functions, such as security architecture, security solution design, security operations, policy and governance, and security consulting. CISOs need individuals with different skills and strengths to be able to deliver the best services to the organisation.
I am sure that, just like me, you have also seen job descriptions that are 4-5 pages long for advertised security positions in an organisation. Whenever I see such job descriptions, I get the feeling that the organisation is looking to hire a superman or superwoman, because such job descriptions list an excessive amount of technical jargon, certifications, qualifications and skills. Sometimes when you go for an interview and meet the hiring manager, you come out of the room feeling that the interview was unstructured and all over the place. Is that going to excite a talented professional to join the organisation? Even if a CISO manages to hire talented individuals, he/she has to retain the top talent and keep them motivated. That can’t be done simply by paying a good package and bonus. You have to invest in people at an emotional, financial and personal level.
Let’s think about this a bit differently and imagine that the security function is not an internal function but an external service provider (a consulting business). Every position within your security organisation is a customer-facing consulting position or a business development position serving the customers you are approaching to get business (security budget). What would be your strategy to hire, retain and manage professionals for these positions? I am sure that every security leader has his/her own way of doing this, as I have my own approach for creating and managing a talented team. I am describing a few key points, hoping that other security leaders can also benefit from them:
- Job Description or Role Profile: Every hiring manager should think of the job description or role profile as a marketing tool to attract talented professionals. It’s really important to spend quality time describing the roles and responsibilities of an open position, the technical and business skills and qualifications required of an ideal candidate, and what the opportunity can offer to a suitable candidate. A number of things can go wrong if the hiring manager does not describe what he/she is looking for in an ideal candidate, e.g. attracting the wrong applicants, failing to attract talented candidates, hiring the wrong person, or hiring someone with different expectations. Writing a good job description will not only help you attract the right candidates for a role but also give you much more clarity about the business outcomes and your expectations for the role.
- Recruitment Agencies: While it’s important to write a good job description, it’s equally important to spend quality time briefing the recruitment agencies tasked with finding the right candidates. If you think about it, recruitment agents act as your PR agents, marketing the position to convince talented professionals to consider leaving their existing role and joining your team and organisation. The hiring manager must spend quality time explaining the skills, experience, strengths and personal qualities that he/she is looking for in the right candidate.
- Hiring for Strengths: I am a firm believer that different security roles require different strengths and qualities for someone to be successful in that role. For example, someone working in security operations should be able to think quickly on their feet, have good analytical skills, pay attention to detail and work under pressure. A number of employee satisfaction surveys reveal that a significant percentage of people don’t love what they do. This essentially means that they are not motivated because they are in the wrong role, one that doesn’t allow them to play to their strengths. It’s very important to be clear about the core strengths of the person you are looking to hire and to structure the hiring process to look for those strengths and qualities.
- Effective Interviewing: Interviewing is not only about asking the right questions and getting to know the candidate. It’s also an opportunity to sell the role to the prospective candidate and to communicate what is required of the role. It’s beneficial for both sides to be clear about expectations. Once you have spent quality time defining a good job description, you will have a clear view of your expectations, which will automatically improve the interviewing process. But it’s really important for all interviewers to come across as clear, consistent, concise, structured and professional in their conversations. So it’s important for the hiring manager to brief all interviewers about the role, the expectations and what he/she wants each interviewer to cover as part of the interview. This helps to bring out the best in the interviewee and to sell the position to them.
- Retaining & Managing Talented Employees: Once you manage to hire talented individuals, it’s equally important to be able to retain them and keep them motivated. You must remember that talented people are always in demand and that they are also demanding. They want to be challenged in a stimulating environment to stay motivated. I have seen numerous times that the company and hiring manager do not clearly communicate what is required of a new employee. Another problem is that managers do not know the strengths and weaknesses of new employees, which means the manager is not prepared to manage new employees as effectively and efficiently as possible. As a manager, it’s your responsibility to understand your employees, learn what makes them tick, provide them with an environment in which they can play to their strengths and excel in their current role, and prepare them for the next level in their career path. As I mentioned earlier, you can’t keep talented people motivated only by paying a good package and bonus. You need to invest in your people at an emotional, financial and personal level. It’s about communicating effectively with your employees, listening to them and building a bond of trust with them.
CISOs can be much more effective by running their function as if it were their own consulting business, and by thinking of every position/person within their function as a customer-facing consulting position or a business development position serving their paying customers in order to win new or repeat business. This approach can help CISOs to hire, retain and manage the top talent needed to provide excellent security services to their business.
Stay tuned for the next blog post, where I will explain the “Target Customer Base” box on the mind map.