Building a security team that looks more like society
A monocultural cyber team makes things easy for attackers - but how to attract and retain the right people?
"It's important to understand how people think," said Nick Ioannou, Information Security Officer at property-letting platform Goodlord. "Social engineering will bypass everything we do. Therefore, we need people who think differently."
Ioannou was speaking on a panel session at the recent Computing Cybersecurity Festival concerning the pressing need for diversity on the security team. If everyone looks and thinks the same, has the same qualifications and follows the same frameworks, the social engineer's job is so much easier; but how to attract the right people into your squad?
A good place to start is at the beginning, with the recruitment process, said Yota Trom, Leadership Coach and Founder of Together in Tech. "At all levels of seniority, men will apply if they only have 50% of the requirements, but women say to me, 'But I haven't done this, I haven't done that'."
So women and other groups that are in a minority within cyber tend to underestimate their potential. In addition, job descriptions for security roles are often written with a certain type of candidate in mind, meaning that many talented people with the types of skills required in a modern team simply won't apply.
"What I have seen over and over again is that the most successful candidates are not necessarily the ones that are ticking all the boxes. It's more about the personality, the culture, the mindset, the willingness to learn and grow, and even though they might not tick all the boxes they can still be amazing," said Trom.
Another way to open up the security culture is to encourage successful security staff to go public about their experiences, she added.
"A lot of companies do not realise that the best advertisement is their people. The best way you can get noticed by the talent is getting your people out there to talk about how amazing your company is, and how much everyone around them loves being part of your company."
It's important not to treat women or others who might be a minority in the security team as different in some way, said Danielle Sudai, Security Operations Lead at Deliveroo.
"I think as a manager you bring in the equal opportunities, and that means you ask them questions as professionals. For example, I would not want to be asked about my life, when I'm going to get married. That should be irrelevant in the recruitment process and later on too."
Qualifications are important, Sudai went on, but they are not the be-all and end-all.
"I don't see certification as knowledge; it just shows that you have studied really hard to get it, it doesn't say you're an expert. Hands-on experience and practical knowledge are way more important. And that's something that I'm looking for when I'm recruiting: someone who's pushing to get involved in more things, even if they're not there yet. I want to create a career path for them, so they can grow and advance in my team."
Creating a career path, a strong and open culture, and regularly checking in to find out if employees are happy with the path they've embarked upon are all vital for retention, Sudai said.
If anything, retaining good cyber security staff has become even more difficult with the arrival of remote working.
Other retention tips suggested by the panellists were mentoring and giving staff a choice of training. Goodlord sets aside £1,000 per employee, said Ioannou. "They can choose how they spend it, so towards passing exams and other training materials."
In Trom's view, it's all about maintaining a positive culture. "What are your values? What do you stand for? And how as a company do you put your people at the centre of the agenda?"