With the continuing talent shortage in cybersecurity, having enough hands and enough experience on the team will remain an issue for the foreseeable future. In today’s uncertain times, how do you maximize your talent?
Learn how making small changes to your business and adding PlexTrac to your toolkit can make managing the talent shortage easier for teams of all sizes.
Before the pandemic, working with new employees usually meant flying them out to the office, putting them up in a hotel, and sitting down with them for a few days to teach them your approach and methodology. If you were lucky enough to have your employees near an office, you could have new testers sit side-by-side with more senior testers to learn the ropes. New testers could shadow senior testers on engagements, all with the intent of training them as fast as possible so they could become billable resources.
For the most part, hiring inexperienced pentesters has always been a challenge. They don’t have enough skill to work unsupervised, and having them as part of an engagement tends to slow things down. In some practices, I was forced to pass on people I knew had all the raw talent and passion for the job, but who just needed six months to get up to speed on the mechanics of pentesting and to be exposed to different real-world environments before they could be billable. Sadly, a lot of practices, not just my own, just don’t have the business model to take on juniors.
But for now, work from home is the order of the day. We don’t have the luxury of sitting shoulder-to-shoulder with our team in the same way we once did. That means we have to get creative with how we support and train our team, and find ways of making them productive (i.e., billable) faster.
Zoom, Slack, Teams, and other collaboration tools have been as much a blessing as a curse. They have made it easier for us to be in touch — perhaps even a little too much in touch. (Who else tenses up when they hear what the Slack CEO calls the “knock brush” notification sound?) But collaboration tools won’t make us all experts in our fields. That takes drive and ambition coupled with opportunity.
If your team has that drive and ambition, what can be done to open those doors of opportunity? Here are five steps to maximizing your existing talent regardless of their current skill levels:
Consider more significant investment in employee education.
One investment that both attracts talent and provides excellent ROI to companies is employee professional development benefits, yet many organizations have tight limits on spending in this area. The argument against paying for certifications and classes because you may lose people to better-paying jobs has long been debunked. In my career, I have never had an employee leave because we gave them the chance to become smarter — that’s usually the reason they stay (but that’s another blog post). Hackers, pentesters, operators, and blue teamers enjoy technical challenges, which include getting better at their jobs. Don’t limit their brilliance to a $1,000-a-year maximum.
Actively create mentorship opportunities for and among all team members.
Mentors don’t provide answers, they teach you how to think in situations that are new and unfamiliar. They can provide guard rails when employees are outside of their comfort zone and a safety net when they reach beyond their skills. Mentorship can be a fast-track for new employees to get up to speed in new organizations and roles, and studies have shown it improves the performance and job satisfaction of the mentor as well.
Make trial and error — and open communication about it — part of the learning process.
Nobody likes to fail, but the fear of failure and the consequences of failure can keep people from trying anything new. Have a written policy that’s in favor of failure. Document that it’s part of the process of learning and, if employees have followed procedures to the best of their ability and still screwed up, that it’s OK. Some of my best bosses made it clear that as long as I was upfront about my mistake and didn’t try to hide it, there was still an opportunity to recover. (I’ve made some colossal mistakes in my career, but that too is another blog post.)
Encourage knowledge sharing to take advantage of every team member’s strengths.
The best teams share information and look out for each other. Not every team member can be a rock star at everything — we each have our strengths and weaknesses. When you pay for a class from that unlimited education budget, be sure the employee shares what they learned with the team. Schedule brown bag sessions and pick someone to share something they’re really good at. After DEF CON or ShmooCon, ask a few team members to send an email to the team about their favorite session and what made it so interesting to them. Even small things like sharing the best Chinese restaurant to go to when you’re on site with client XYZ can help a team feel cohesive even when they’re miles apart.
Use technology to maximize team capabilities and support learning.
In the tight talent market, PlexTrac is a great platform for leveling up the skills of junior team members and maximizing the output capabilities of the team in general. PlexTrac customers can use the Runbooks module to easily document and share information about TTPs, clients and company SOPs, and client idiosyncrasies to improve communication and empower employees with knowledge. Runbooks is perfect for documenting everything from a purple team exercise to the tools and techniques used for a particular client. With this module it’s possible to provide the exact procedures, letting junior testers step into an engagement and be immediately productive.
The talent shortage in cybersecurity isn’t going away anytime soon, and many new rhythms in hiring and training brought on by the pandemic are likely here to stay. But that doesn’t have to be a burden on management or limit the opportunities testers have to collaborate and grow. With a little creativity and the PlexTrac platform everyone on your team can test like a pro!