Dyann Bradbury (bio below) actively recruits and develops people as part of her responsibilities. Her experience building teams gives us insights into what we can do as an industry to build a better pathway.
This is part of the focus on the pathway to the talent we crave in the Leading Security Change series, a multimedia exploration of challenges and opportunities in the security industry. Each series brings together a panel of experienced security leaders to share the mindset and approach we need for success. The result is a complete package to engage others, strengthen your leadership, and accelerate the change we need for better security.
5 Questions with Dyann Bradbury
1. What are the benefits of creating an internal pathway? Where do you look?
The benefits of creating an internal pathway: The employee understands the infrastructure, business, and dynamics of individual teams/departments and has already built a rapport with other employees. The employee will have already gained respect among other employees and management for their knowledge, integrity and professionalism. There is minimal HR paperwork to contend with (transfer as opposed to new hire). We, the hiring managers, already have an accurate sense of who they are, as we have interacted with them. It certainly takes less time (no time) to ramp up.
Where do you look: A good place to start is in IT as they already have a specific talent, an area of technical expertise that you can build upon. For example, take a server administrator; they have detailed knowledge of how the operating system works, how the servers communicate with each other and with other devices. Adding the security component on top of that knowledge is not only a natural fit but it is crucial. Another place to look is at code developers as they have intimate knowledge of the code, how it interacts with other components such as databases, other applications, memory usage, etc. These folks can be used for application vulnerability scanning, manual security code review and secure code development training of other developers.
2. How do you identify interest in security (even if they aren’t yet sure of it themselves)?
By interactions with them during security training and day-to-day meetings, and by the questions that they ask during security training, or when a particular security solution is being introduced to the environment, or when a technical problem needs to be addressed and we are discussing solutions on how we can solve this while protecting the security of the data.
3. What are the aptitudes you look for in a potential candidate? And how do you assess them?
The aptitudes to look for in a potential candidate are their integrity, respect for others, rapport with other employees, their curiosity about security and their accountability. Do they take responsibility for their work, and are they aware of how the decisions that they make in the work environment affect their fellow employees, the company, the security of the data, the client and the end consumer? They need to understand cause and effect.
Assessing them depends on the specialty, the specific area of security that they are interested in. Certs or other available tests may be appropriate to measure their aptitude. Bottom line, more often than not, it comes down to instinct.
4. How do we help people develop, grow, and evolve into successful security practitioners?
Lead by example; this is key. Give the employee the opportunity to grow and be successful, give immediate feedback, map out a personal development plan and goals for the year, and meet every month to review those goals and plans, offering your help and guidance. Offer training, whether it is on the job or industry training; more often than not, hiring internally saves money that can be used for training. Sometimes throwing them into the fire, a sink-or-swim scenario, is useful, but always be there as a backstop if they start to spiral down the rabbit hole. Most important is to instill confidence in the individual that they can do this, that they are intelligent, and to give them the opportunity to succeed. That is the sign of a good leader.
5. How do we create a magnet that pulls people into the profession?
If you are a good leader, news will spread fast. Folks will want to work for you. Internal hires that are successful will tell their friends, both internal and external. You will become the person that folks want to work for. If the employee is successful, you and the company are successful.
About Dyann Bradbury
Ms. Bradbury is Senior Director of Corporate IT Compliance for Digital River. In this role, she is responsible for PCI compliance for Digital River’s global business units in the U.S., Germany, Ireland, Sweden and Austria, reviews and advises on policy, conducts PCI Gap analysis on acquisitions and reviews new legislation that may impact the business from a security and compliance perspective. Bradbury advises on SOX (Section 404) and PCI requirements.
Bradbury has served on the Board of Advisors for the Center for Information Security Awareness (CfISA). She also served as President of the InfraGard National Members Alliance (INMA) from 2009 to 2012.