Security Team Specialization vs. Career Advancement
Information security roles tend to be specific in larger security groups because they require specialization in fields such as forensics, incident response, data engineering, application security, penetration testing, governance, risk management and compliance, and more. Businesses are faced with the challenge of how to balance that specialization with enabling security staffers to explore broader career paths and advancement. This challenge compounds itself when considering the shortage of skilled workers and the need to attract new talent while retaining existing team members.
Every company in every industry is currently experiencing a shortage in talent, as well as a growing need both for specialization and for offering attractive career opportunities and growth to employees—all of which may end up creating conflicting incentives.
In addition, educational systems (both academic and professional) have been creating narrower and more specialized learning paths. That may help with addressing specific skill requirements, but, in the long term, it leaves professionals with gaps in broader information security skill sets and hinders their ability to transition from one area to another.
Best Practices for Fostering a Strong Team
The best practices listed here are designed to provide security leaders with a way to continuously build their teams from the inside, while attracting talent from the outside. They prioritize having clear metrics on employee performance and charting a practical career path:
- Foster a culture of continuous learning: Encourage employees to stay updated with the latest trends, technologies and best practices in information security. This can be done by providing access to training courses and conferences. Budget for such activities must be carved out, and an internal briefing mechanism should be created so when employees attend events, they can share their experiences and learning with their peers. This further enhances the learning experience and continuously fosters internal education and communications.
- Develop a career path: Create a career development program that outlines the different levels of expertise on the team and the skills required to move up the ladder. This provides employees with a clear understanding of what they need to do to progress in their career. Each job description should include leveling that allows employees and managers to set clear expectations and foster open communication, especially around performance reviews. This effort should also be coupled with the creation of a skills matrix that outlines the skills required for different roles within the organization.
- Provide opportunities for skill-building: Identify areas where employees can improve their skills and provide opportunities for them to do so. For example, they could be given the opportunity to work on a new project, take on a leadership role or mentor others. Mentoring is a key element in mature programs, because both mentors and mentees are rewarded for their activities and continuously hone their skills.
- Recognize and reward achievement: This could be through promotions, bonuses or public recognition. A clear performance review program should be created to accompany this, and the appropriate budgeting should be allocated to account for such accomplishments and promotions.
- Offer certification programs: Certification programs relevant to information security provide employees with a recognized qualification and demonstrate their expertise to clients and colleagues.
- Offer cross-training opportunities: This helps employees understand the workings of other departments and develop new skills. One shortcoming of modern information security education/training is its highly specialized approach. By providing cross-training, organizations expand the breadth of knowledge and opportunities for employees to develop their careers, while setting them up for success in their future career as they get into leadership roles.
- Implement a job rotation program: Working in a different department for a set period helps employees gain exposure to different functions and roles and understand how they fit into the organization as a whole.
Using these best practices, any organization can create a team of skilled and knowledgeable information security professionals committed to continuous learning and professional development.
Make sure there are clear expectations for the learning opportunities and the context in which employees will operate. This ensures employees have the right tasks and objectives and prevents them from becoming a catch-all for other teams’ random tasks.