A security manager might be turned off when a job candidate calls him "dude" several times during the course of an interview, but it was a minor infraction that Todd Borandi had to overlook. Like many security team leaders seeking highly sought-after technical skills for his incident response team, he had to let small transgressions slide.
"People with the mentality to do this type of work operate a little differently than those in an office setting," says Borandi, who managed a U.S. Department of Energy incident response team before taking his current position as a lead security information architect at a New York financial institution. "[The job candidate] was a brilliant young man," Borandi recalls. He got hired and is now a successful senior analyst.
Such is the challenge with finding and keeping a talented incident response team. These highly specialized professionals who can anticipate security threats ahead, stop a cyber attack in its tracks, or quickly quarantine and eliminate a network intruder, are hard to find and even harder to keep.
[ ALSO ON CSO: Understanding incident response: 5 tips to make IR work for you ]
Job postings for cyber security positions grew 74% from 2007-2013, according to labor market analytics firm Burning Glass Technologies. Those job postings took 24% longer to fill than other IT job postings and 36% longer than all job postings.
"The talent you're looking for in incident response is absolutely the hardest I've seen to find in security in general," says Christine Gadsby, manager of the product security incident response team at Blackberry in Irving, Texas. Her team, a mix of Millennials and industry veterans, must have deep technical skills, "but they also have to be consultants who can solve problems," she says. "Putting those skills together to deal with an incident response issue as it's evolving is very difficult."
Christine Gadsby, manager of the product security incident response team at Blackberry
Keeping talented security pros from being lured away can also be challenging. "I get emails every day from recruiters asking me if I want a new job," says one senior-level engineer based in Chicago who asked not to be identified.
With demand for security skills outstripping supply, managers can't afford to leave incident response teams on cruise control. Security leaders offer their tips for keeping your incident response team happy and engaged.
1. Step back
For starters, incident response professionals require space. "My people will multitask within their minds. If I'm over their shoulder asking them questions, it hinders them," Borandi says. His team consisted of eight to 10 people ranging in age from 23 to mid-40s who specialized in active directory, firewall administration, web application security, intrusion detection systems and vulnerability management.
"We would set assignments, and they would be on their way," he says. "My job was to keep nervous [executives] away from my people. It's hard to give people space when you're talking about millions of dollars" worth of intellectual property on renewable energy.
2. Give them the tools they want within reason
"There's no perfect [security] tool that everybody loves," says Rob Westervelt, information security analyst at IDC. "It's what they feel comfortable using." But too many tools can get expensive and be disruptive to the team's workflow.
At First Financial Bank in Cincinnati, "we try to keep no' out of our vocabularies when it comes to new products," says Dan Polly, vice president and enterprise information security officer. Polly, along with Brad Stroeh, vice president of network and security services, lead two groups that make up the bank's incident response team. "We really encourage people to try to abandon their conventional wisdom, and we allow experimentation to occur within reason."
To help keep under control the number of tools his team used, Borandi introduced a caveat -- those who bring in new tools are responsible for their maintenance and upgrades. "With the maintenance cycle associated with it, they got very efficient" at selecting only the most essential tools, he says.
3. Listen to ideas and value their knowledge
Incident response team members want to have an impact on the company beyond their daily responsibilities, Gadsby says. "So I focus on really understanding that these people have a lot to contribute." This requires being a good listener.
"You can learn a ton about risk from your response team," she says. In addition to their deep technical knowledge, "they have the latest in cyber intelligence, and they're often very deeply embedded in the security community, which brings valuable relationships to the company. They can contribute to the [company's] larger security story outside of just the response team. They value being able to give that input."
[ Fatal half-measures in incident response ]
Gadsby also treats incident response team members as business consultants when it comes to planning and making decisions on future technologies or product development. "Most importantly, take their input and use it to evolve processes," she says. "Your incident response people are expert multitaskers, and they understand how to prioritize under pressure. Use that knowledge to improve your incident response process and your overall security story."
4. Keep incentives fresh
"Understanding the incentives of people in high demand areas is really difficult," Polly says. "You have to be very tuned in with each employee and understand what's important in their life," both inside and outside of the office. "It's very personal. [Over time] you exhaust your techniques."
To that end, Polly and Stroeh make sure they're physically present at the office with their teams. "We try to stay very engaged with the people we work with," Stroeh says. About a dozen security pros, most in their 30s and 40s, make up both teams. "It's a huge time commitment, but you have to be able to spend that emotional capital with those teams and make them feel good about what they're doing," as well as find new ways to motivate them.
They also make sure that the bank's executive leadership understands the role that the incident response teams play and that individuals are recognized for their work. "Rewards are temporal, but sincere recognition is something you can do consistently. The entire team can understand the impact of that," Polly says.
Training and education are also important for incident response team members, leaders say. "I hire people who are very interested in growth, development and continuous improvement, so I work on getting them training to learn new things," Stroeh says. "That's what they really like to do."
5. Encourage competition
Security pros thrive on challenges, team leaders say, and security competitions like Capture the Flag events can play an important role in keeping team members energized. "Make sure they have the opportunity to go and challenge themselves and see how they compare to others," says Borandi, whose team members attended competitions. "The day-to-day grind is never quite as exciting as competing. People also tend to make themselves sharper on their own just preparing for those events," he adds.
Looking at the bigger picture, most companies face the same universal security threats and challenges, so the biggest differentiators that an employer can offer, other than salary, are engagement and growth.
"As long as you make sure you're paying attention to them, valuing their knowledge, giving them the tools they need and keeping them educated," Gadsby says, chances are security pros will stay on the team.