5 tips for keeping your incident response team happy

A security manager might be turned off when a job candidate calls him "dude" several times during the course of an interview, but it was a minor infraction that Todd Borandi had to overlook. Like many security team leaders competing for scarce technical skills for their incident response teams, he had to let small transgressions slide.

"People with the mentality to do this type of work operate a little differently than those in an office setting," says Borandi, who managed a U.S. Department of Energy incident response team before taking his current position as a lead security information architect at a New York financial institution. "[The job candidate] was a brilliant young man," Borandi recalls. He got hired and is now a successful senior analyst.

Such is the challenge of finding and keeping a talented incident response team. These highly specialized professionals, who can anticipate emerging security threats, stop a cyber attack in its tracks, or quickly quarantine and eliminate a network intruder, are hard to find and even harder to keep.


Job postings for cyber security positions grew 74% from 2007 to 2013, according to labor market analytics firm Burning Glass Technologies. Those postings took 24% longer to fill than other IT job postings and 36% longer than job postings overall.

"The talent you're looking for in incident response is absolutely the hardest I've seen to find in security in general," says Christine Gadsby, manager of the product security incident response team at Blackberry in Irving, Texas. Her team, a mix of Millennials and industry veterans, must have deep technical skills, "but they also have to be consultants who can solve problems," she says. "Putting those skills together to deal with an incident response issue as it's evolving is very difficult."


Keeping talented security pros from being lured away can also be challenging. "I get emails every day from recruiters asking me if I want a new job," says one senior-level engineer based in Chicago who asked not to be identified.

With demand for security skills outstripping supply, managers can't afford to leave incident response teams on cruise control. Security leaders offer their tips for keeping your incident response team happy and engaged.

1. Step back

For starters, incident response professionals require space. "My people will multitask within their minds. If I'm over their shoulder asking them questions, it hinders them," Borandi says. His team consisted of eight to 10 people ranging in age from 23 to mid-40s who specialized in Active Directory, firewall administration, web application security, intrusion detection systems and vulnerability management.

"We would set assignments, and they would be on their way," he says. "My job was to keep nervous [executives] away from my people. It's hard to give people space when you're talking about millions of dollars" worth of intellectual property on renewable energy.

2. Give them the tools they want within reason

"There's no perfect [security] tool that everybody loves," says Rob Westervelt, information security analyst at IDC. "It's what they feel comfortable using." But too many tools can get expensive and be disruptive to the team's workflow.

At First Financial Bank in Cincinnati, "we try to keep 'no' out of our vocabularies when it comes to new products," says Dan Polly, vice president and enterprise information security officer. Polly and Brad Stroeh, vice president of network and security services, lead the two groups that make up the bank's incident response team. "We really encourage people to try to abandon their conventional wisdom, and we allow experimentation to occur within reason."

To keep the number of tools his team used under control, Borandi introduced a rule: those who bring in new tools are responsible for their maintenance and upgrades. "With the maintenance cycle associated with it, they got very efficient" at selecting only the most essential tools, he says.

3. Listen to ideas and value their knowledge

Incident response team members want to have an impact on the company beyond their daily responsibilities, Gadsby says. "So I focus on really understanding that these people have a lot to contribute." This requires being a good listener.

"You can learn a ton about risk from your response team," she says. In addition to their deep technical knowledge, "they have the latest in cyber intelligence, and they're often very deeply embedded in the security community, which brings valuable relationships to the company. They can contribute to the [company's] larger security story outside of just the response team. They value being able to give that input."


Gadsby also treats incident response team members as business consultants when it comes to planning and making decisions on future technologies or product development. "Most importantly, take their input and use it to evolve processes," she says. "Your incident response people are expert multitaskers, and they understand how to prioritize under pressure. Use that knowledge to improve your incident response process and your overall security story."

4. Keep incentives fresh

"Understanding the incentives of people in high demand areas is really difficult," Polly says. "You have to be very tuned in with each employee and understand what's important in their life," both inside and outside of the office. "It's very personal. [Over time] you exhaust your techniques."

To that end, Polly and Stroeh make sure they're physically present at the office with their teams. "We try to stay very engaged with the people we work with," Stroeh says. About a dozen security pros, most in their 30s and 40s, make up both teams. "It's a huge time commitment, but you have to be able to spend that emotional capital with those teams and make them feel good about what they're doing," as well as find new ways to motivate them.

They also make sure that the bank's executive leadership understands the role that the incident response teams play and that individuals are recognized for their work. "Rewards are temporal, but sincere recognition is something you can do consistently. The entire team can understand the impact of that," Polly says.

Training and education are also important for incident response team members, leaders say. "I hire people who are very interested in growth, development and continuous improvement, so I work on getting them training to learn new things," Stroeh says. "That's what they really like to do."

5. Encourage competition

Security pros thrive on challenges, team leaders say, and security competitions like Capture the Flag events can play an important role in keeping team members energized. "Make sure they have the opportunity to go and challenge themselves and see how they compare to others," says Borandi, whose team members attended competitions. "The day-to-day grind is never quite as exciting as competing. People also tend to make themselves sharper on their own just preparing for those events," he adds.

Looking at the bigger picture, most companies face the same universal security threats and challenges, so the biggest differentiators that an employer can offer, other than salary, are engagement and growth.

"As long as you make sure you're paying attention to them, valuing their knowledge, giving them the tools they need and keeping them educated," Gadsby says, chances are security pros will stay on the team.

Stories by Stacy Collett
