Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Making the Most of a Changing Workforce Environment

The Greek philosopher Heraclitus is quoted as having said, “change is the only constant in life.”  While I’m not sure that I agree with this statement completely, it is an interesting one. The quote provoked me to think about how it might apply to the security profession. After some thinking, I do believe that we can learn some interesting security lessons from Heraclitus. Change may not always be on the docket.

The Greek philosopher Heraclitus is quoted as having said, “change is the only constant in life.”  While I’m not sure that I agree with this statement completely, it is an interesting one. The quote provoked me to think about how it might apply to the security profession. After some thinking, I do believe that we can learn some interesting security lessons from Heraclitus. Change may not always be on the docket. But when it is, how can we embrace it, understand it, and work to create a constructive environment around it?

New employees: Good security talent is quite difficult to find. Recruiting and hiring the right employee brings with it a rush of excitement and joy. How can we create the right environment that ensures a smooth onboarding for our new hires? While not an exhaustive list, here are a few ideas:

● Processes and procedures: Good onboarding policies and procedures go a long way toward maximizing the value a new employee can bring and minimizing the time it takes that employee to begin providing that value

● Documentation: There are few things more overwhelming at a new job than finding yourself in the midst of disorganization and chaos. Properly documenting the different aspects of each role within the security team can help a new employee ease into his or her role while shortening or eliminating the initial period of overwhelm.

● Talented and supportive peer group: Having made good hiring decisions historically is another great way to provide a new employee a warm welcome. If a new hire is surrounded by skilled and helpful colleagues, they tend to ask questions and seek guidance that will shorten the learning curve and help them become productive team members quickly.

● Technology: It takes more than just technology, in and of itself, to help a new employee get up to speed. That being said, ensuring that a new hire has the tooling necessary to come up to speed can help that employee tremendously as they put down roots.

Employees transitioning roles: When an employee transitions roles, either within the team or to another team entirely, there are two sides to the coin. The team or role gaining the employee needs to set up a welcoming environment that looks not all that different from that which a new employee should encounter. For the team or role losing the resource, however, there are a number of points that need to be considered as well:

● Documentation: In an ideal world, employees would continually ensure that their work functions are properly documented. This is seldom the case in most organizations, unfortunately.  While it is always a good time to push employees to document their work functions, the time when an employee is transitioning to another role is a particularly good time.

Advertisement. Scroll to continue reading.

● Technology: If you think about it, one of the primary functions of technology is to support, facilitate, and introduce efficiencies into processes by allowing specific, repetitive, manual steps to be automated. While technology is no replacement for a top performer that is moving on, it can aid in smoothing the transition. If process is well-defined and well-understood, technology that can be used to automate specific steps should be in place long before an employee ever thinks to transition to a different role.

● Warm lines of communication: Except in rare cases, it’s helpful to maintain good terms with a transitioning employee. In addition to both sides benefiting from keeping in touch and up to date, it can be a great way to ensure that there will also be a place to ask those questions you’ll likely have for a recently transitioned employee.

Departing employees: As the saying goes, when an employee departs, “knowledge walks out the door.” When an employee leaves, it is much more of a challenge to access them as a resource in the event a question arises – much more so than when they simply transition to a new team or role. This makes documentation and technology even more important than they are when an employee merely transitions.

Mergers and acquisitions: We’re used to employees joining, transferring, and departing, but what happens when a merger or an acquisition brings multiple environments and multiple teams together? While this is certainly a challenge, it can also be an opportunity. Here are a few ways in which you can make the most of it:

● Identify gaps: It’s not easy to understand where we have gaps in an organization we know well, let alone those that exist in two or more organizations that are coming together.  Nonetheless, it’s an extremely important task that is essential in the effort to build a sound merger strategy for the security program.

● Limit risk: Once gaps have been identified, risk needs to be understood.  Whether risk is introduced by gaps or through other means, the combined security program needs to have a firm handle on that risk.  Only then can it be prioritized and managed appropriately.

● Don’t go at it alone: Top team members from each side of the new organization have a wealth of institutional knowledge that can help the whole integration process go much more smoothly.  Know how trusted colleagues from the old environment can best fit into the new environment. Take the time to understand each unfamiliar team member’s role, knowledge, expertise, value, and potential.  It will help you understand and assess who can best help you to combine security programs optimally and to run the combine security program thereafter.

● Protect the new environment: Once gaps are identified, risk has been prioritized, and the right people are in place, the work of protecting the new environment begins. The security program should seek to continually limit risk while maximizing the ability of the new business environment to function securely. Not an easy task by any means, but one that is made easier by having made the most of a changing environment.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Training & Awareness

Google has announced a new training program for cybersecurity analysts and those who graduate will get a professional certificate from Google.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...