Turnover is a consistent problem. Companies continually recruit skilled security engineers. However, they have discovered that simply offering larger salaries has a limited effect. Therefore, security team leadership needs to partner with HR to ensure an excellent work environment and offer attractive roles, not just the most money.
Understand the Person
An HR profile of a team member is a fleeting snapshot, at best. A list of certifications and skills is useful but can be deceiving. For example, a physical security expert should be able to surreptitiously enter a secure facility. However, there is a marked difference between someone who uses a full set of professional entry tools and one who gains entry using only a roll of gaffer’s tape and a length of stainless steel rod. Both people achieved the same goal, but the way this goal was achieved is more indicative of the individual’s skill than the mere act of gaining access to the facility. Understanding each member’s technical strengths is imperative, but it is not the only important thing to know about your team members.
Security experts are in constant evolution as they learn new skills inside and outside of IT. We have seen many security experts suddenly leave the industry for a career as an electrician, a chef, or an artist. Understanding what drives them and what they want from life through their work is key to retention.
If the company is transparent and treats team members with respect, learning about your team members is as simple as asking them sincere questions about themselves. Some may be forever content hacking away at things so long as they are paid well and are allowed significant flexibility. Others may want to be a CISO, steering policy for entire organizations. Whatever their desired path may be, determining early on whether their goals align with the organization’s is important for both the individual and the organization. If what they desire requires them to move on, it is mutually beneficial to aid them to their next position and keep an ally for the future.
In any organization, the security team is likely the epicenter of intelligence, technical proficiency, and no-holds-barred quirkiness. The type of person attracted to security will respond poorly to mismanagement and go elsewhere if they feel the need to. Red Team members pride themselves on their work and finding solutions to difficult problems. Give them strictly defined goals and policies, enforce status reporting, and generally stay out of their way. Yes, they may arrive at the office late (or not at all), they may consistently forget the no-shorts policy, but they will be the stalwart defenders of the network. They will stay awake for thirty-six hours, even over a holiday weekend, to work with your incident response team when a security breach occurs.
Red Team leaders do not need to be the most technical member of their team. They need to be proficient enough to lend a hand on medium level tasks but need to possess greater soft skills. There are three non-negotiable skills every Red Team leader must cultivate:
Red Team leaders need to always be selling their services. This means maintaining good relationships with the managers of all other operating units, executives, and the risk component of the board. At any point in a conversation, a good Red Team lead can explain exactly how the team’s skills can add value to daily operations.
The effects of security assessments can strain internal relationships. Anyone leading an internal security team needs to be comfortable actively protecting these relationships, and possess the ability to positively resolve conflict when it arises. Unfortunately, being in such a role leads to some amount of professional peril.
The best Red Team leaders will stand up for their team, even to the point of being fired. If the team acted in good faith and to the best of their abilities, the team leaders must never let their efforts be used against the team.
Avoid Dilution of Security Activities
Red Teamers can be the most talented IT resources in any company. Unsurprisingly, there is a tendency to lean on their expertise, whether to give a standard IT project a temporary boost during development, to help with a new network segment rollout, or to support other similar projects. Resist this temptation at all costs.
When Red Teamers are assigned to standard IT projects, they approach them with the same focus and standards as they do security work. This means that they will be absorbed in non-security work when the next big security incident happens. Critical time will doubtlessly be lost as Red Teamers switch back from their IT projects to address the incident. This will likely leave IT teams understaffed and the Red Teamers underprepared. In addition to disrupting multiple projects when a security incident inevitably occurs, security team morale will decline due to undue stress and expectations. Red Teamers want to perform security work. Forcing them to work outside of their charter will cause them to quickly find new jobs where this is less likely.
Prevent Adversarial Relationships
Preventing strained relationships is an ongoing process, not a one-time patch. Due to the nature of a Red Team’s work, its effect within an organization has the potential to cause stress. That means Red Teams need to be visible to the broader organization, be available as a point of security incident reporting, and present themselves as a friendly resource to anyone with security concerns.
It is critical to identify any instance of an individual attempting to use security reports or assessments as fodder for professional or political denigration of another. Use of a Red Team to aid in feuding or gamesmanship will degrade their relationships, harm their credibility, spread paranoia, reduce cooperation from other operating units, and ultimately lead to an overall downward spiral of interpersonal relations.
Support Curiosity and Competition
Being the coolest place to work goes a long way in the security world. While we don’t support the 1980’s Silicon Valley vision of air hockey tables and skate ramps, we do support a different model to encourage the same results those pioneering tech firms desired.
Most of the Red Team engineers we know are highly curious and want to break expensive tech outside of work. It keeps their creativity fresh, prevents boredom, and can even provide material for upcoming research publications. Employers should support these activities as much as possible. A good way to start is to allow engineers to use company lab space for their personal projects, or simply to give them the flexibility to present their research at industry events.
Highly capable people often seek ways to benchmark themselves against their peers through friendly competition. In the information security world one of these benchmarks tends to be Capture the Flag (CTF) events, where teams of hackers work together against the clock and rival teams to break into purpose-built networks and resources. These events are highly valuable not just for fun, but to learn new skills, build team cohesion, and even recruit new candidates.
Participating in industry events and competitions are two meaningful ways to engage with the security community. Not only will participating aid in retaining your team, but it will also raise the company’s profile and serve as a potent talent recruiting tool. This is by no means an exhaustive list, as there are many more ways to foster curiosity and competition.
Let Go Gracefully
One can only ascertain a limited amount of information about a candidate’s skills through resume inspection and interviews. Even a long list of professional certifications provides very little insight. Technical skills for highly paid, sensitive security roles should be directly assessed by prospective employers. Third-party services exist for exactly this purpose, but be careful about who is selected for this task, as only very few third parties understand the needs of a Red Team. It is best to use top-level internal engineers to help develop an organization’s assessment modules for a more tailored interview experience.
Take Advantage of Turnover
In the current industry conditions, turnover is unavoidable. Every recruiting cycle is a chance to refine and focus the skills wielded by your Red Team. Existing role specifications should be revisited before actively recruiting to ensure the current and future needs of your team are met. Be sure to hire to your current threat model, not to your existing HR documentation, and make the most of every hiring opportunity.
Author: Nick Jeswald, Director of Corporate Development, Red Mesa