How JustEat finds and trains in-house security talent

Employees in other departments might have skills that play well in security and the desire to make the jump. JustEat CISO Kevin Fielder explains how he introduces those people to cybersecurity and integrates them with the team.


It’s a good time to be a cybersecurity professional. The unemployment rate is essentially zero and you can almost pick and choose the roles that suit you.

Things are less rosy if you’re tasked with hiring those cyber pros. (ISC)² estimates the shortfall of talent within the field has reached 3 million globally, while ESG says that half of organizations have a “problematic shortage” of cybersecurity skills. 

While companies increasingly look to broaden the security talent pool through STEM and apprenticeship initiatives, hackathon-style events, or diversity campaigns, a wealth of talent might already be sitting within the business. “I'm one of those people that's on the fence about whether there is a legitimate skill shortage or if it's just kind of something of our own making in terms of how we look for people,” says Kevin Fielder, CISO of food delivery startup, Just Eat. “There is, of course, a need for highly skilled technical people, but we can do a much better job at looking both internally and externally for people with skills that you might not normally think about.”

Look outside your own bubble for security skills

Fielder says there is plenty of space, especially within junior-level positions, to bring people with a different skillset into the team to learn security on the job while sharing their own talents. As an example, he says he recently had someone at an event working in brand marketing ask how they could get into security. His response: “One of my hardest jobs is selling security - taking a complex idea and boiling it down to deliver the crux of the issue. It’s about hearts and minds when it comes to security - being a great communicator - and delivering meaningful information to the right people. Say your job is doing amazing presentations and selling stuff. If you came to me and offered to make me the best presentations I’d ever given to the board and the rest of the business, I'd be biting your hand off,” says Fielder.

This idea of not focusing solely on hard security skills is something Fielder says he applies internally as much as externally, because people who already know the business offer a different kind of value than a more skilled cyber-professional who is new to the company. “If you have someone who's been at your company for a while, they immediately bring business context and knowledge,” he says.

Two examples within the company include someone from the end-user computing team and another from the network team who both wanted to move into security and are bringing useful prior knowledge to the security team. “The guy from the end-user computing team, he’s been helping us with security awareness and culture work. He knows everyone because he's been doing end-user support and supporting management and end users across the business for years and knows who owns what or who does what in the organization. He brings with him excitement, enthusiasm and knowing everyone, and that's really helpful.”

“We had a second person moving from the network team, who understands all of our networks and network infrastructure; basically how the whole company communicates at a technical level, how everything hangs together.”

Fielder says that similar thinking can be applied to managerial positions as well, as managers with large and strong teams will mainly be handling the people aspect while their teams focus on the technology work. “The senior engineer space, when you're the person that's relied on to know how to do stuff, is probably the only tier where you have to have super in-depth security skills,” says Fielder. “At the bottom or top end, you can get away with not having that if you've got some other really useful skills.”

Keep security job postings short and simple 

To broaden the funnel of people applying for security roles, job specs should be as short as possible, says Fielder. Some studies have shown women are less likely to apply for jobs if they don’t fit all the requirements of a job specification, while men will apply even if they only meet around half of the requirements.

Instead of having long, specific requirements, Fielder says he likes to bring it down to as few as three lines when he is hiring. Things like certifications and experiences will be listed on the CV anyway and can be easily filtered out once applications come in, so instead he tries to make job ads small and draw in as many potential candidates as possible.

Recently, the company was looking for someone who had experience with Splunk. Rather than asking for some number of years of SIEM experience, JustEat kept its requirements simple and broad. “They had to be good at Splunk. Ideally, they needed some incident response stuff and a desire to be part of a great team. That's what the job spec was: I want these three things.” 

“Splunk is used much more widely than just security. You might find someone who's just amazing at Splunk from an operational background without any incident response [experience], and that would be a good opportunity to get someone into security. They could do stuff we can't do with Splunk, and we can teach security as they start making these rules and dashboards based on what we want.”

Empower staff to be agile and own their projects

Once you’ve found the talent, retaining them is a key next step. A study by (ISC)² into security staff retention found nearly half of cybersecurity professionals are contacted weekly by recruiters, and most would consider moving organizations if the right offer came along.

Keeping your workers happy and engaged is key to retention, and JustEat does this by giving the staff the freedom to work on the security projects that they feel are most important. Over the last six months, Fielder has implemented a more DevOps style way of working for the security team where everything the team works on is done in focused two-week sprints.

“The whole fundamental benefit of Agile is every two weeks you deliver something of value. So even with a big waterfall project, as long as you can break the tasks down into manageable chunks, at every sprint you deliver standalone value,” says Fielder.

After each sprint, a retrospective takes place to create a feedback loop — what lessons were learned, what worked and what didn’t. Then the next sprint starts with a planning session. The teams look at the backlog and take on the highest priority or most important items.

Fielder notes the difference between delegating to workers and empowering them. While the security function obviously has broader goals and strategies over time, what happens sprint-to-sprint is largely up to the teams themselves. During a sprint the teams are required to work only on the project they committed to — incidents or major events aside — to prevent projects from languishing unfinished for long periods of time.

“I stay fairly arm's length in the sprint planning, so my team really own that prioritization and what goes in there. I just get to view what's happening,” he explains. “If they think something is super important, they put it on the backlog and argue for why they have that in the upcoming sprint, and the team own that. I could step in if I need to, but they get much more engaged and empowered to own what they're doing. We've agreed what the milestones and key deliverables are for the next three, six, twelve months; you're empowered to achieve the goals however you want.”

Bigger projects that might normally take months, such as rolling out a vulnerability management program across the entire business, can be broken down into manageable chunks. For instance, each sprint might roll the program out to one new location. “It also enables us to pivot. We’re a global business so things can and do happen unexpectedly. If at the next sprint something really urgent comes up, the people running that project can stop. They've delivered value. There's another office being scanned, fixed and remediated, and they can go do something else and pivot to other work for a sprint or two and then come back and do another office another time,” says Fielder.

A further benefit of doing everything in short sprints — and recording the work in JIRA tickets — is that every project can be tracked and measured in deliverables. That makes it easier to explain to the rest of the business and the board what security is doing and delivering, which helps show value. “Most projects are taken in steps anyway,” says Fielder. “It’s just turning those things into a ticket and saying, ‘I’m going to deliver this value, then this value, then this value.’ You get much more out of people when they're empowered; we deliver more because the team is focused and they know exactly what they're doing.”

Copyright © 2019 IDG Communications, Inc.
