Security Execs Say Next-Generation Security Teams Need More Than Tech Skills

A new report details advice from some of the world’s largest companies on building a next-generation information security firm.

The report was released today by EMC’s RSA security division and features advice from the Security for Business Innovation Council, a group composed of executives from Global 1000 enterprises, including JPMorgan Chase and Nokia. The report argues that information security teams must evolve to encompass skills not traditionally related to security such as business risk management, marketing and law.

“The information security mission is no longer just ‘implementing and operating security controls’, but has evolved to include advanced and business-centric activities such as: business risk analysis, asset valuation, IT supply chain integrity, cyber intelligence, security data analytics, data warehousing and process optimization,” the report notes. “There are many new skill sets required so a significant challenge in building an effective team is the shortage of professionals with the right skills.”

To help organizations get started on building the right team, the council offers seven pieces of advice:

  • Redefine and Strengthen Core Competencies – Focus the core team on increasing proficiencies in four main areas: cyber risk intelligence and security data analytics; security data management; risk consultancy; and controls design and assurance.
  • Delegate Routine Operations – Allocate repeatable, well-established security processes to IT, business units, and/or external service providers.
  • Borrow or Rent Experts – For particular specializations, augment the core team with experts from within and outside of the organization.
  • Lead Risk Owners in Risk Management – Partner with the business in managing cybersecurity risks and coordinate a consistent approach. Make it easy for the business and hold them accountable.
  • Hire Process Optimization Specialists – Have people on the team with experience and certifications in quality, project or program management, process optimization, and service delivery.
  • Build Key Relationships – Develop trust and influence with key players such as owners of the “crown jewels,” middle management, and outsourced service providers.
  • Think Out-of-the-Box for Future Talent – Given the lack of readily available expertise, developing talent is the only true long-term solution for most organizations. Valuable backgrounds can include software development, business analysis, financial management, military intelligence, law, data privacy, data science, and complex statistical analysis.

“For this transformation to be successful security must be seen as a shared responsibility that requires active partnerships to manage the inherent risks to the business in the ever-evolving threat landscape,” said Art Coviello, executive chairman of RSA, in a statement. “It is imperative that organizations can develop a security team with the right expertise needed to get the job done.”

The full report can be read here.
