“Building an Agile Security Team for the Future” is not only the name of an InfoSecurity Europe session but also something which according to its panellists is not easy to achieve but is entirely plausible.
Agile is a term oft associated with the methodology of working typically utilised by programmers looking for a quicker development cycle and quicker deployment of new code.
According to Vicky Gavin, head of information security at The Economist Group, the kind of agile the panelists were referring to was about “breaking down the traditional role boundaries” and ignoring the traditional idea that someone is hired for X and does only that.
Stuart Hirst, head of security at Skyscanner, agreed and said that to develop an agile environment in his teams he wants people to “fail forward and fail fast” and to “take calculated risks at anytime” as “you can't be using old-world thinking if you want to stay afloat in this day and age”.
The reason being agile is encouraged is because, as the panel agreed, “security is asynchronous and is impossible to plan for”. So security staff have to be able to deal with organised chaos at all times. And as Hirst added,, “most policies are out of date once they are written”.
Paul Watts, CISO at Network Rail, said that “people should be allowed to fail” and “encouraged to be transparent around it” so they can explain what they learnt from the experience and how it might help them adapt their behaviour in the future.
So the panel moved to discuss how to hire these sorts of agile and super adaptable superstars who can handle anything thrown at them.
Of course, the cyber-security skills gap was brought up. Adrian Davis, moderator of the panel and EMEA director at (ISC)2, announced new findings from a survey his organisation conducted which found that European organisations are planning a blazing fast cyber-security recruitment drive.
The survey points out what we already know in cyber-security: two-thirds of organisations state that they currently have too few cyber-security workers “as the region faces a projected skills gap of 350,000 workers by 2022”.
(ISC)2 says to combat this problem, employers should do more to embrace those people who are new to the industry, as according to the survey results, “92 percent of hiring managers admit they prioritise previous cyber-security experience when choosing candidates and that most recruitment comes from their own professional networks.”
Mahbubul Islam, head of secure design at the Department for Work and Pensions, said that it's imperative to find people who have some qualities you're looking for and train them for the others.Islam added, “It's important we educate people and show how to positively bring people up the ranks.”