Prioritize Your People

Measuring Your Offensive Security Maturity 

Defining the pieces of the puzzle that make up your offensive security program transcends simple budget numbers and technology or capital expenses and operational expenses. It goes beyond methodologies and processes. These things certainly comprise the program, but one of the most important pieces is your people.

How you invest in, hire, train, and foster your people is an oft forgotten metric when defining the success and measuring the progress of your offensive security strategy and program.

PlexTrac exists to help offensive teams become more efficient and effective so organizations can become more proactive and, ultimately, more mature. Check out our webinar series with Echelon Risk + Cyber to learn more about leveling up your offensive security game, and don’t miss the episode on Prioritizing Your People.  

Now let’s deep dive into effective strategies to ensure we’re taking care of the people that make the cyber world turn round.

Recruiting Top Cybersecurity Talent

There exists a delta between open job positions and skilled cybersecurity professionals to fill those positions. Some call it a skills shortage; some argue the positions require too much. Regardless of your position, the reality of the delta remains. Based on numerous news articles and sites like CyberSeek, a recruiting website for cybersecurity jobs in the U.S. funded by the Commerce Department, a large number of unfilled positions related to cyber security exist across the US. 

Recruiting individuals to join your team is a process that requires careful thought and consideration. If you haphazardly slap together some requirements into a job portal, flash a thumbs up to your human resources business partners, and release the job into the wild, you’ll end up with a bunch of interviews that burn out your team, frustrate everyone, and possibly miss out on quality candidates due to interview-fatigue.

Job Requirements

Creating job requirements that are meant to be the public facing advertisement for your openings is important. Finding the correct balance between using terminology that both clearly articulates the role’s day-to-day requirements while also ensuring requisite experience is plainly laid out is an art and a science. You have to place appropriate barriers on the role so as not to be overwhelmed by applicants who are not a good fit and at the same time not be so exclusive that your pool of applicants is limited beyond reason, causing you to lose out on quality people based on their perception of the role. 

Ensuring that your seasoned team members, as well as team leaders and managers, all have a say in creating job requirements is a good recipe for capturing a breadth of input and achieving a solid balance. I like to say, “it takes experts to hire experts.”

Your teammates will be a valuable asset to help during req creation. It is understandably difficult for HR professionals to quantify community involvement, passion, innovation, and teachability in this field just looking at a resume and LinkedIn bio. That is why it’s important to make writing job requirements a team effort.    

Communication

Ensuring the channels of communication are clear in every aspect of the process will ensure there are no missed opportunities, folks don’t fall through the cracks, and hiring managers and candidates are not blind-sided. Communication between HR and hiring managers should be established during the planning phase of the hiring process. It is also important to communicate with the people applying for roles. Good or bad or indifferent, it’s simply good form to communicate a status with candidates.   

Skills Match

Come up with an interviewing methodology that can quickly determine if those candidates have the requisite technical, communication, or other skills necessary for the job. Try not to hyper-focus on only one aspect, but also prioritize what skills matter in a hierarchical fashion. For certain roles, perhaps a gap in technical skills is not as detrimental if the candidate has demonstrable teachability or passion. However, for some roles even the most teachable and passionate candidates may be set up for failure if they do not have a baseline set of technical skills. Using varying position levels is helpful: having multiple requirements or having a skills range within a single requirement.

Onboarding in a Flash

Have. A. Plan.

Onboarding a new team member is more than just getting them their laptop and enrolling them in benefits and direct deposit (though these are all important things). The responsibility of onboarding new people does not end with the HR department. That may be where new employees begin, but getting them to your team and embedded, working, and a part of the culture rests on the team’s shoulders.

Crawl

Make sure new hires are enabled to get administratively situated rapidly. First impressions matter. And not the company’s impression of the interviewee but also the new employee’s impression of the company. The onboarding process sets the tone for how the employee perceives the company they’ve just hitched their wagon to. Having a process for administrative onboarding, getting access to systems, and ensuring they have the resources necessary to begin learning how to execute their tasks within the team goes a long way. Having a liaison/buddy/onboarding partner also really helps folks feel welcomed and ensures them they’re not bothering people with the normal questions that arise when starting any new position.

Walk

Getting people from “I just got hired” to “I’m a contributing member of the team” doesn’t happen overnight. After the initial administrative onboarding comes engagement with your offensive security practice. This is a time to have documentation, wiki’s, methodology docs, processes, etc. for them to peruse. However, I would caution you not to simply send a bunch of PDF’s or links, or just Slack them the internal wiki link and say, “Go read and I’ll check on you in a month.” These first weeks as a new team member are the time for shadowing: starting to process what they’ve read from the documentation and see how it is done during day-to-day operations. Left-seat, right-seat style operations, or even shoulder surfing, will allow new team members the chance to see how the proverbial sausage is made, in a real-world scenario. Perhaps this is the time to give them mini projects or pieces of a greater project that is headed by a more senior team member. Allow them to start working, but with less autonomy and more oversight (initially). 

Run

After a time of being gently introduced to tasks, it’s time for that baby bird to fly free. After proper scaffolding, start pulling back some of the heavy handed oversight and award autonomy to new hires. Ideally you’ve established expectations and helped them form a cadence for their roles. You now have a fully functional member of your offensive cybersecurity society. 

While it may seem like a lot of steps and processes, taking the time to properly onboard and orient new hires to the organization, your team, and their role will pay dividends in time saved later.

Investing in Your Cybersecurity People 

Your team is the lifeblood of your offensive security program. These are the  people who have institutional knowledge of your processes and drive value in how they use technology and/or provide services that support your offensive security team’s goals. You need to ensure they feel taken care of after the honeymoon is over.

Training

Cybersecurity, and offensive security, are a constantly changing and evolving landscape. To stay sharp, folks want to be engaged with challenging concepts that introduce new techniques or tools and show them ways to execute on their day jobs and add value. There are a lot of training providers out there that have a lot of different types of courses; establishing a training budget can go a long way to show your team members that you are serious about their personal and professional growth. Encouraging training, in both technical and job related areas of study—as well as other areas that can help them grow as corporate citizens or human beings—goes a long way to show them their value to your group. Also, establishing internal training sessions in which team members can showcase their own techniques and get a chance to train others is a great way to provide learning opportunities and foster team involvement.

Industry Conferences

Enabling your offensive security teams to attend industry conferences has multiple benefits. The teambuilding and comradery is a great morale booster, and the research that is presented or the techniques and tooling demonstrated at these events can provide a lot of inspiration to the team. Conferences can also be a good place to source talent. 

Avoiding Burnout and Retaining Talent

After you’ve hired them, trained them, and invested in their professional development, it’s important to establish work-life balance protocols. A good way to motivate people and show you genuinely want the best for them is investing money, time, and effort into things that solely benefit your people, outside of any value that can be directly tied to their professional presence.

Team Building Events

Bringing people together for team centric events, big and small, where the topic is not work does wonders. It also helps instill esprit de corps. You can bond and build trust, and reap much of the benefits derived from going to industry events, but on a smaller, more intimate scale.

Encouraging and Enabling Research

Offensive security teams that allow their staff time to explore and research new technologies with freedom, and without the burden of an expected work product, will reap the benefits of having happy and engaged experts on their team. When creativity and innovation are encouraged some really magical things can happen.

Providing Top Cover

One of the jobs that good leaders take on is to act as a go-between, and at times as a shield, for the team members under their purview. A good leader will try as much as possible to deflect nonsense and the distracting items that can come from above or adjacent. Never underestimate the importance of a good leader in keeping people happy, motivated, and at your organization for the long term. 

Time Off and Money

More of both. No, but really, normalize time away. People need to recharge, and it should be encouraged and enabled at all levels. 

The PlexTrac Solution

The PlexTrac platform can be used as an aid in measuring the maturity and efficacy of offensive security testing efforts and teams. It is designed to provide data on findings’ status, allow teams to collaborate effectively, and provide analytical insights into trends on the data derived from the testing efforts. 

PlexTrac is a force multiplier for offensive security programs. Book a demo to learn how PlexTrac can accelerate your path to maturity. 

Nick PopovichPlexTrac Hacker in ResidenceNick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.