The Business of Security: 6 Tips to Improve the Staff's Business Skills
This is a skills gap that must be bridged, security and staffing leaders say.
"It is the non-IT skills that will distinguish the most sought-after IT security people going forward," says John Reed, executive director of Robert Half Technology. "Companies are increasingly looking for individuals who have a business mindset and can make the connections among security, IT risk and business."
Interpersonal and communication skills, in addition to strategic thinking and project management, are key areas that companies emphasize when hiring security professionals.
The Value of the Business Mindset
The payoff to the organization and the team is huge when security professionals focus on the business dimension in their role, says Chris Buse, chief information security officer for the State of Minnesota. "Security becomes effective when practitioners evaluate ways to increase value to the organization and integrate security needs with the business goals and objectives," he says. "This goes far beyond simply safeguarding the assets they are charged with protecting."
For example, if a risk manager is working on continuity of operations planning, he or she needs to understand how government budgets work in order to estimate what disaster recovery would cost if critical systems were affected, says Buse.
"Unless security professionals have a broader management perspective, it's very hard for them to get ahead," says Buse. "If they do not understand the world of business and management, they will often get bypassed for promotions."
John South, chief information security officer at Heartland Payment Systems, agrees with Buse. "Ultimately, the professionals are defined by the security they provide to the organization. Thus, a firm understanding of the integrated business threats and risks is vital to effectively perform their roles."
South cites an example: An application written to accept payments over the internet has a direct impact on compliance with the Payment Card Industry Data Security Standard, as well as on the security architecture and on the delivery and support of the services the company offers. In this case, the application developer needs to know the regulations governing the industry, the legal implications of non-compliance and how security should be built into the application to ease delivery. What support will the application require from business functions to run smoothly? Which business units will be affected by the release of this application?
"Without the business understanding, we will keep going in circles to resolve an issue," says South.
Responsibility for business learning and awareness ultimately lies with security leaders, who need to step up and help their teams understand what the business needs and how security can help maximize its value.
Tone at the Top
For Buse, who leads a team of 26 IT security staff members, on-the-job business education begins with hiring the right people and structuring their training around the roles they play.
"I have people from IDS/IPS to policy makers and risk managers in my team," he says. "As a leader, I have to differentiate what broad understanding of business knowledge is required by each player on the job."
The operational-level professionals who configure the firewalls and networks are driven toward accomplishing specific tasks and need just enough business training to understand why they are doing what they are doing and how it matters to the government's efforts to secure its IT infrastructure, says Buse. "Their knowledge of business is sufficient on the service development and management level."
On the other hand, the senior players in a team, the policy developers, security architects and risk managers who guide the strategic and critical initiatives, need a much more focused understanding of business and of how their involvement affects the organization. "My energies are directed toward getting these individuals acclimated with business leaders in letting them know how the government functions, how state budgets are managed and what we need from them to help us be secure," says Buse.
On the Job Training: 6 Tips
Security leaders suggest these tips for improving your staff's business acumen:
- Hire Risk Managers: They understand how to merge strategic business and security objectives. These individuals are ultimately involved in embedding the enterprise risk management framework, which typically includes identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress. "They are the drivers of business education within a security team as they protect and create value for the business's stakeholders," Buse says.
Buse says that the right mix of strategic and operational level members within a security team is critical for business understanding on the job. In addition, he has formed subject matter work groups that include his strategic IT security team, which present and interact frequently with senior business leaders within the different state organizations.
He has his security architect talk about metrics to senior officials at a business case presentation and gain exposure in addressing business issues in an IT security discussion.
- Involve Project or Program Managers: South has a project or program manager from the business side involved with each IT security initiative to point out the areas where the business and security frameworks merge on a given project and to discuss the impact on the business. "Not everyone on the team can go and earn an MBA," he says. "The best teacher for business education on the job is practical internalization, which includes making key players stand up and present to business leaders on how their work may impact the business."
He prefers open communication and lets his team talk directly so that there is an element of internal training that helps his team see how business fits in the security framework.
- Address the Basics: For Cal Slemp, global security and privacy lead and managing director at Protiviti, a global consulting and internal audit firm, on-the-job business education for his team of 250 IT security members includes asking them to address basic questions such as: What is the business purpose in expending their energies doing what they do? What are the quantified business objectives? What is the business value for a client in having a vulnerability or risk assessment conducted? "I never start a meeting without asking why we should do this and what it means for our client's business," Slemp says.
- Involve Key Players in Board Meetings: When Buse briefs the legislature, he makes it a point to include one or two key members of his security team, such as the head of application security or risk management, to expose them to what happens in that forum. "This helps in self-training and understanding of business issues which matter to senior officials," Buse says. He finds this exposure to senior management very effective in helping his team understand the core business issues within the government, how they need to conduct themselves and communicate, and how to discuss security issues with a business focus.
- Hire Candidates with Broad Experience: As a practice, Slemp always hires team members with a broad variety of backgrounds, people who have been consultants, full-time employees and managers responsible for delivering solutions to clients in various capacities. "On the job business education is easier when you have the right mix of experience in your senior staff," he says.
In job interviews, he always gives more weight to a candidate who sees the connection between business and security and stretches beyond the zeros and ones. He also finds that professional certifications such as Certified Information Security Manager and Project Management Professional, along with business management degrees, help lay a better grounding in business understanding.
- Internal Training Programs: All companies and government agencies have their own internal programs directed at business education for different positions. Buse meets every two weeks with human resources to discuss training and development plans for his staff. Both Slemp and South have quarterly programs that bring together senior leaders and staff to discuss key business issues. "Organizations will have no option but to step up their internal business training programs if it's a frequent request from their employees," Buse says.