by Jeff Bardin of Treadstone 71
Most IT execs like to speak of methods on securing funding, implementation of the latest technology, or performing enterprise-wide risk assessments but this completely overlooks the impact that people can have on building such a high performing security program.
When security executives overlook team creation as a core component of a security program, they fail. A well-oiled machine is critical to creating an ever-expanding and improving information security posture.
So how should a CISO manage his or her team?
My experience tells me that I must hire people who are smarter than I am. That I must find, hone and develop a group of experts who understand the need for a unified approach. But the key to managing these individuals and building a successful team is to accurately identify the personality types of the team members.
One of the techniques used to success is Myers-Briggs testing. Testing your staff and/or prospective staff to determine personality types goes a long way in identifying the right mix of staff, and the placement of your people in the roles they are most likely to enjoy and drive success.
For example, you do not necessarily want an ISTJ (introvert, sensing, thinking, judgmental) personality type as the key driver for your strategy. That may be more aligned to an E/INTP/J. The ISTJ in most cases is very comfortable executing a plan and getting into the tactical details.
My belief and proven experience indicates that it is much more effective to accentuate the positive aspects of an individual’s skills and personality then it is to try to improve the functions they do not care to do. It takes a great deal more time, effort and expense to improve deficiencies then it does to continue improving the positive aspects and perfections of your team members.
Jared Pfost, of Third Defense, has a different approach and formula that he recommends:
- Empower and support people to execute.
- Help those who do not find other opportunities.
- Buy-in, skills, desire, and diversity trump personality types and demographics.
- Establishing a strategy that contains what you do (mission), where you are (maturity assessment), where you are going (vision), and how to get there (execution strategy/roadmap).
- Service catalogue to clarify objectives and scope for team members.
- Role definitions -- using the RACI method (responsible, accountable, consulted and informed) -- for key processes such as assessment, response, compliance, operations, architecture, treatment decisions.
- Measurements to track actual vs. target ‘team’ performance (metrics).
- Recognition: reward improvement and incentivize internal promotion.
- Execution: accountability for on scope/time/budget.
Jared blends skills with strong leadership and structure as a method to building strong teams.
CMMi for people
CISOs should treat their staff based upon their emotional and skills maturity level. Treating each person the same on your team is fine for HR-type policies and procedures, but when it comes to getting the job done, situation leadership is the only way to go.
CISOs should base their leadership methods and style based upon the emotional and educational needs of the team member and on the tasks given to each team member. There are four management styles that are individually used or blended depending upon the tasks and team members involved (moving up the maturity chain):
Knowing how to use these management styles effectively is the key to building a strong security team. It is important to identify your team members’ personality types and apply the right blend of leadership in order to maximize their contributions, and to create a high-performing program.
Jeff Bardin is the chief intelligence officer at Treadstone 71. Jeff sits on the board of directors of Boston Infragard; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative and the RSA Conference Submission Selection Committee. Jeff published “The Illusion of Due Diligence” in 2010 and was a co-author for the “Computer and Information Security Handbook” and “Understanding Computers,” and has published articles in several industry magazines.
Jeff served in the USAF as a cryptologic linguist (overseas and at the NSA), the USANG as an officer. He has BA in special studies - Middle East studies & Arabic language from Trinity College as well as a MS in information assurance from Norwich University. He is also a professor of masters programs in cyber intelligence/counter-intelligence at Utica College and information security at Clark University. Jeff also holds the CISSP, CISM and NSA-IAM certifications.