If you’re a cybersecurity or technology audit manager, there are some good reasons why you might want to diversify and expand the skill base of the folks on your team. First, we all know that there’s a “skills gap” – so those organizations that can best optimize talent (i.e., by making the best use of the resources already in house) have a competitive advantage relative to their peers.
But even beyond this, there are other benefits to investing in staff skill enhancement. For example, a 2016 survey from Udemy found that almost half (43 percent) of employees are bored at work and that most (51 percent) are in that state at least half the time. That’s important because the same survey found that lack of new skill development was the largest factor contributing to workplace boredom (46 percent of respondents) and 80 percent of respondents said that learning new skills would increase their engagement.
The point? Fostering new skills reduces attrition, increases engagement, and makes us more competitive all at the same time. Sounds good until you try to do it. Traditional methods (e.g. training, boot camps, etc.) consume very limited training budget, not to mention the opportunity cost associated with taking critical staff out of commission to attend training in the first place. This is why strategies like cross-training and job rotation can be compelling: they help keep employees productive while simultaneously building out new skills and improving existing skills. The fact that this can be done without the need for additional budget -- in fact, leaving training budget alone for other training ops -- makes it that much more appealing.
The question then for security managers becomes how to effectively implement these strategies. Clearly, it’s not as easy as it might at first seem or it would be ubiquitous. So how they can we do it from a practical point of view? Let’s go through what these programs are about, what managers can do to get started, and what they should keep in mind as they do so.
Cross-training (and job rotation) can be thought of as ways to “crowdsource” the development of new skills for team members by leveraging the folks that you already have using those skills. As a vastly simplified example, say you have two teams in your security operations group: incident response (IR) and penetration testing.
The IR analysts spend their day looking through logs and responding to automated alerts from security tools, while the pentesters conduct exercises to probe for weak points. What would happen if you took someone from the IR group and shifted them over to work with the pentesters for a few months?
Ideally, you might help the IR analyst build new skills while keeping them productively engaged in tasks (i.e., pentesting) that you’d otherwise be doing anyway. Will the transplanted IR engineer perform as well as the best members of the pentesting team out of the gate? Probably not. But long-term both teams are stronger: the IR employee learns something new and builds skills that are highly marketable. As he or she does so, they share their expertise with the pentest group, for example showing them better ways to evade detection methods. Ultimately, the IR engineer will be even better at their former duties at the end of the process since they’ll have direct experience performing the attacks they spend their day hunting for. For the purposes of this example, we’ve kept it simple -- but if you can imagine that same methodology across multiple teams and involving multiple staff members at a time, you have the crux the of the strategy.
There are a few key principles in setting up programs like this. Specifically, you’ll want to:
Each of these is important in its own way and critical to the success of the effort.
This sounds easy but there’s actually quite a bit involved in doing it well. Remember that, at its core, job rotation and cross-training programs are about active skill building, not just shuffling duties around. This means that how it happens should be built on organization, forethought, and a consistent strategy. “Shuffling the deck and hoping for the best” is as unlikely to be effective as it will be stressful to staff.
Instead, map out the important skills and impacted areas in advance. Just like you wouldn’t “throw the dice” in deciding how to train employees using traditional methods, so too should you actively plan and set goals. You’ll want to know what skills you hope to build, understand how long that will likely take, and have a path for each staff member based on both their interests and diversity of knowledge sharing among teams. A Kanban-style tool or methodology that lets you quickly try out – and if need be discard – different options can be very helpful here.
Robust Oversight and Communications
For the effort to be successful, employees need to meet you “halfway” -- meaning, enlist their help so they (and you) get the most out of the experience. Do this by communicating the purpose of the effort, what you’d like staff to learn (in terms of specific learning goals), and what you hope the long-term impact will be to them and the organization. To keep nerves from fraying in the process, it’s also a good idea to be clear about timelines: how long will it be and what happens after? If you make a commitment, stick to it barring exceptional circumstances. Recall that one of the main goals is to reduce attrition and maximize engagement: to the extent staff see your efforts as “a reorg” or to the extent it is stress-generating in other ways (for example lasting an indeterminate amount of time) you undermine your own efforts in doing this.
Lastly, measure your progress. Are staff meeting their learning objectives within the anticipated timelines? Measuring the success or failure is important both because it is a “throttle” that will allow you to tweak your approach over time but also helps you build internal “capital” in other ways – for example if you want to extend the effort outside of security and into other adjacent teams (e.g. audit, legal, or even business teams.)
At the end of the day, these strategies can go a long way to improving the profile of the organization: they help build necessary and valuable skills thereby offsetting “skills gap” challenges, they help keep staff happy and engaged in their jobs (and thereby being as productive as they can be), and they help to bolster the security of the organization overall.
Interested in learning more about topics like this? Mark your calendars for the upcoming InfoSec World Conference & Expo in Orlando, Florida. Here's what you need to know.