Security Experts:

Making the Most of a Changing Workforce Environment

The Greek philosopher Heraclitus is quoted as having said, “change is the only constant in life.”  While I’m not sure that I agree with this statement completely, it is an interesting one. The quote provoked me to think about how it might apply to the security profession. After some thinking, I do believe that we can learn some interesting security lessons from Heraclitus. Change may not always be on the docket. But when it is, how can we embrace it, understand it, and work to create a constructive environment around it?

New employees: Good security talent is quite difficult to find. Recruiting and hiring the right employee brings with it a rush of excitement and joy. How can we create the right environment that ensures a smooth onboarding for our new hires? While not an exhaustive list, here are a few ideas:

● Processes and procedures: Good onboarding policies and procedures go a long way toward maximizing the value a new employee can bring and minimizing the time it takes that employee to begin providing that value

● Documentation: There are few things more overwhelming at a new job than finding yourself in the midst of disorganization and chaos. Properly documenting the different aspects of each role within the security team can help a new employee ease into his or her role while shortening or eliminating the initial period of overwhelm.

● Talented and supportive peer group: Having made good hiring decisions historically is another great way to provide a new employee a warm welcome. If a new hire is surrounded by skilled and helpful colleagues, they tend to ask questions and seek guidance that will shorten the learning curve and help them become productive team members quickly.

● Technology: It takes more than just technology, in and of itself, to help a new employee get up to speed. That being said, ensuring that a new hire has the tooling necessary to come up to speed can help that employee tremendously as they put down roots.

Employees transitioning roles: When an employee transitions roles, either within the team or to another team entirely, there are two sides to the coin. The team or role gaining the employee needs to set up a welcoming environment that looks not all that different from that which a new employee should encounter. For the team or role losing the resource, however, there are a number of points that need to be considered as well:

● Documentation: In an ideal world, employees would continually ensure that their work functions are properly documented. This is seldom the case in most organizations, unfortunately.  While it is always a good time to push employees to document their work functions, the time when an employee is transitioning to another role is a particularly good time.

● Technology: If you think about it, one of the primary functions of technology is to support, facilitate, and introduce efficiencies into processes by allowing specific, repetitive, manual steps to be automated. While technology is no replacement for a top performer that is moving on, it can aid in smoothing the transition. If process is well-defined and well-understood, technology that can be used to automate specific steps should be in place long before an employee ever thinks to transition to a different role.

● Warm lines of communication: Except in rare cases, it’s helpful to maintain good terms with a transitioning employee. In addition to both sides benefiting from keeping in touch and up to date, it can be a great way to ensure that there will also be a place to ask those questions you’ll likely have for a recently transitioned employee.

Departing employees: As the saying goes, when an employee departs, “knowledge walks out the door.” When an employee leaves, it is much more of a challenge to access them as a resource in the event a question arises - much more so than when they simply transition to a new team or role. This makes documentation and technology even more important than they are when an employee merely transitions.

Mergers and acquisitions: We’re used to employees joining, transferring, and departing, but what happens when a merger or an acquisition brings multiple environments and multiple teams together? While this is certainly a challenge, it can also be an opportunity. Here are a few ways in which you can make the most of it:

● Identify gaps: It’s not easy to understand where we have gaps in an organization we know well, let alone those that exist in two or more organizations that are coming together.  Nonetheless, it’s an extremely important task that is essential in the effort to build a sound merger strategy for the security program.

● Limit risk: Once gaps have been identified, risk needs to be understood.  Whether risk is introduced by gaps or through other means, the combined security program needs to have a firm handle on that risk.  Only then can it be prioritized and managed appropriately.

● Don’t go at it alone: Top team members from each side of the new organization have a wealth of institutional knowledge that can help the whole integration process go much more smoothly.  Know how trusted colleagues from the old environment can best fit into the new environment. Take the time to understand each unfamiliar team member’s role, knowledge, expertise, value, and potential.  It will help you understand and assess who can best help you to combine security programs optimally and to run the combine security program thereafter.

● Protect the new environment: Once gaps are identified, risk has been prioritized, and the right people are in place, the work of protecting the new environment begins. The security program should seek to continually limit risk while maximizing the ability of the new business environment to function securely. Not an easy task by any means, but one that is made easier by having made the most of a changing environment.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.