How to build an effective security team: 11 tips from LinkedIn CISO Cory Scott

linkedin headquarters mountain view wikimedia commons

Speaking at InfoSecurity 2016, the biggest infosec conference in Europe in London’s Olympia, LinkedIn’s chief information security officer Cory Scott laid out some advice for organisations that want to build out an effective security team.

Share

Every IT department is painfully aware of just how important security is in any organisation today – we’re deep down the rabbit hole compared to the early days of the computer virus. Now, security breaches are enormously damaging to your brand, and therefore to any businesses shareholders, not to mention the users.

According to LinkedIn CISO Cory Scott, there are three main areas that every security team needs to focus: talent, operational excellence, and to be inclusive. Here are a few of the pointers from his talk.

Consider the law of averages

“There is way more demand than there is existing staff,” Scott said. Pulling data of security professionals from LinkedIn, Scott found that in the UK there’s a ratio of five to one active jobs and open jobs.

“You might think five to one is not so bad – think about this,” Scott explained. “Imagine you have an infosec team that’s five people. You use the law of averages. Maybe there’s one person who is a superstar. You’ve got three people doing a good job, and one person who is maybe struggling and not meeting expectations. That’s a standard bell curve for almost any organisation.

“Now imagine you’re trying to retain your talent of those five people. Guess who the headhunters are going after? That one talented person. If you’re looking for new staff, guess who most likely is out there looking for a job. It’s most likely the person having performance issues in their current job. All of a sudden it doesn’t look so good!”

Look around you!

A great fit for your team might not be working in infosec now, but that doesn’t mean they won’t have the qualifications and skillset you’re looking for. And they could already be working with you in the same building – say, in operations.

“Look in your existing company: network engineers and system administrators are likely to make the move to infosec,” Scott said, citing data pulled from LinkedIn.

“It’s really important to hook them when they’re young – early in their stage of the career, rather than too late.”

Listen to word of mouth

In terms of people hired from first degree connections on LinkedIn, information security is second only to computer gaming. “The number of employees that are hired from a company from their employees’ first degree connections is 27.8 percent,” Scott said. “That’s the second most of any industry. So tapping your own networks is really important – it comes back down to figuring out who’s talented and who’s not.

“Word of mouth for infosec professionals about the quality of their work is the biggest business card they can possibly have.”

A CV isn’t everything

When LinkedIn hires, the business wants to tap the widest possible talent pool, according to Scott. And so instead of harvesting endless CVs and cover letters, the company tried something different – setting a sample test.

“It’s a small one- or two-hour piece of work that’s very similar to the actual things we’d need them to do: testing a network, decompiling and recompiling an application to find a bug,” Scott explained.

“We didn’t review their resume. We didn’t necessarily look at their job experience. We just saw they had the chops to make it happen.

“Try it without doing resume screens with a good challenge you’ve written and watch the results. We’ve done that within our own assessment team at LinkedIn, and gotten very strong candidates we were able to bring in and have produce results immediately.”

Mentor your team!

The average infosec positions last approximately 3.1 years, not too far from the industry averages in engineering or operations, in either the tech or financial sector. Regardless, senior management sticks around longer while those in lower or entry level positions leave far quicker.

“When you think about your strategy for retaining talent, you’ve got to address these folks and find a path for them before they leave your organisation,” Scott said. That means engaging people in “high burnout” positions: everything from the right training, to guidance for a career path, and especially in providing ownership of their work.

“I had an engineer who was very interested in specialising in mobile security,” Scott explained. “We didn’t have the strongest practice in that at the time. He got to build that up, and then from there he knew he wanted to work in a mobile-only company after that – so we actually talked about how he was going to build up that practice, get the public visibility that he needed, and then go and find the next job. Now he’s a director of security at another firm.”

Balance internal and external demand

Think of internal demand as your security team’s own projects that won’t really leave the room – things that would not get secured unless the team specified it. External demand could be someone from another department coming to security as part of procedural policy, or to test out the security of a new feature.

“You want to balance this, ideally, 50-50,” Scott said. “If you exclusively focus on internal demand, you’re either an inquisitor or sitting in an ivory tower. If you’re too far on external demand all you are is a service bureau, not bringing your own critical judgment to strategy as a whole. So it’s really important to keep that balance, especially when you have so many things you need to do.”

Standardise!

LinkedIn documented its methodology in how it addresses any issues, and by drawing a clear picture of what a threat model looks like, through to design reviews and penetration testing, others in the company felt more comfortable approaching security because they knew what they were getting.

It was no longer as if security was “practising the black arts or in their lair somewhere and then producing findings,” Scott said. “We have it very clear about the potential things we look for”.

Make sure your deliverables are easy to consume

This means within your team and in the wider organisation.

LinkedIn built its own catalogue of potential bug definitions so that it could quickly define the problem for each. “We’ve built something called a bug classification table. Instead of trying to figure out a mystical formula about where a bug is critical or high, we have the concept of a bug class,” Scott said.

This kind of standardisation means the team is spending less time arguing and more time fixing.

In terms of communicating to other departments, Scott says it’s important to understand that you’re not judged on how you keep the bad guys out or how much data is protected.

“It’s about how you’re judged by the rest of the company, and that is based on communication and coordination,” he said. “Many teams need to be involved. In order to get updates to a centralised point you have to realise communications will flow in every direction.”

Be mindful of management and provide the right visibility

“The main watchword is that management should never care about an incident second hand,” Scott said. “We will have a dedicated person who provides official updates, who has a summary of the issue, the potential impacts, and the mediation.”

Every time there’s an incident marked as a critical bug, security produces an email and sends it along to management. This includes a headline – that’s the executive summary – the concept of the issue, how it was discovered, which actions the team has taken, and a link the ticket itself.

Crucially, the team also provides a few reassuring footnotes. There’s a thank you to the teams, and there’s a small boiler plate note. “[It says] we’re not ratting you out, and we’re not telling tales,” Scott said. “We’re simply giving people the right visibility.”

Find your next job with computerworld UK jobs