Hiring the right people. And what vendor approaches don't work.
An afternoon panel on "Disruptive Models that Accelerate the Development of More Secure and Trusted Systems" was moderated by Rich Baich (Chief Information Security Officer, Wells Fargo). The panelists included Mark Connelly (Chief Information Security Officer, Boston Consulting Group), Cheri McGuire (Group Chief Information Security Officer, Standard Chartered Bank), Greg Notch (Senior Vice President, Information Technology and Security, National Hockey League), and Jim Routh (Chief Security Officer, Aetna).
The panel very quickly moved into a discussion of the challenges involved in hiring security personnel. This labor market is notoriously competitive, but the panel's mood was fairly upbeat. McGuire thought it relatively easy to attract young talent. She saw the bigger challenge on the senior manager side of hiring: there it's much more difficult to fill positions.
The panel stressed the importance of hiring people "where they want to live," and of taking advantage of the opportunities for remote work that collaboration technology offers. They also argued that it was important to let security personnel choose their own professional development path. If there's a certification they'd like to pursue, enable that, even if it's not immediately relevant to the path they're on. Should a position open that requires that credential, the employee will be well-placed to occupy it.
Notch had, according to moderator Baich, the "coolest" job on the panel—leading security for the NHL. Asked what was coolest about that job, Notch said it was being unregulated (to general laughter) and so they had very little compliance risk. He passed up opportunities for easy laughs about enforcing security policies with high-sticking and other goon tactics, and he offered an interesting perspective on how a relatively small organization (which, relatively speaking, the NHL is) finds innovative solutions that work for it. He's found that many existing solutions don't scale well to their size. So the NHL has found it worth engaging venture capitalists who can direct them to promising start-ups whose solutions fit the NHL's needs.
Looking at emerging technology trends, Routh noted that artificial intelligence, while certainly a feature of much marketing within the security industry, isn't in fact the future of security. Rather, it's here now, and represents a family of technologies vendors and consumers are routinely engaged with.
Baich concluded by asking the panel two questions, for the benefit of the security vendors in attendance. First, do you open emails from vendors saying that they've got a solution to a current problem you're experiencing? The consensus answer was a flat "no." No one wants to be approached that way, especially in the midst of an incident response. And trying to get to the CISO by pestering their C-suite colleagues is even worse: it increases the CISOs' workload and makes them even more ill-disposed to the vendor making the pitch than they'd otherwise be.
On the other hand, the answer to the second question—would you like to hear from a vendor you do business with already to tell you how to respond to, or prevent, an incident?—was a clear and unambiguous "yes." An email that says, for example, "you may have heard about WannaCry; to make sure you're protected, have you turned on features A, B, and C?" is the kind of email that is welcome.
So cold calls to prospective customers, no. But timely and helpful engagement with the customers you have, yes.