The mass movement in 2020 from the standard workplace to the remote office has forced companies to shift quickly, but what’s not so clear is what people’s roles and responsibilities should or will be as the new world of work emerges. As businesses shift their priorities and infrastructure, there is a natural cascade to the talent pool.
For businesses seeking a wholesale skills makeover, the temptation can be to go on a hiring spree to fill in existing gaps, and even to swap out existing staff for what may be perceived as “new blood.” Another option, however – a better one, according to Microsoft Canada Chief Security and Compliance Officer Kevin Magee – might be to “flip the skills discussion.”
Inside moves
“We think about attrition in terms of creating space for others to come in. But what about getting people to think, ‘I’ve had a cybersecurity career for 10 years; could I now move into another area, bringing my unique mindset and education to a new role?’ Or maybe if someone’s in sales and marketing, could they bring new perspectives to company security?”
Magee sees a paradigm shift taking place right now in which people are no longer tied to or defined by a single narrow job description. Instead, he said, they’re moving between initiatives and supervisors, and taking fuller advantage of their inborn and learned skills.
“Certain industries are having success with this approach,” he said. “In the automotive industry, security professionals are becoming plant supervisors. This works in the other direction as well. This is one example of flipping the discussion, going from hiring your way into the future to taking stock of what you have, and trying to build yourself from within.”
Magee challenged business leaders to seek insights and intel from sources they wouldn’t normally associate in any way with cybersecurity. He told the story of one customer, a CISO of a major Canadian corporation, who informed Magee that he had begun to look to some of his front-liners in the “real world” for security intelligence.
“He has salespeople out there, maybe a bit light on the hard technical side, but with human intel – a real ear to the ground. These individuals often have sharp insights around human behaviour. Often these people can see what others, even cybersecurity gurus, cannot see.”
Uncommon sources
More and more business leaders, said Magee, are discovering that call center workers can give insights of supreme value to cybersecurity teams.
“These people are being attacked constantly. This gives them special knowledge about people, and makes them experts in social engineering. This had never occurred to me before, this idea of sales support staff being these great pools of security intelligence. But we’re in the age of the re-think now. Bad actors are sophisticated and trying new things. It only follows that we follow suit by ferreting out these uncommon sources of intelligence.”
Magee sees a link between these new cyber intel channels and Zero Trust, which is about tossing long-held assumptions and practices – making no assumptions whatsoever. The success of this approach depends in no small part on first shifting an organization’s mindset. “For many companies this will mean new faces around the table making key decisions.”
Magee trumpeted the value of tabletop exercises, of taking something cyber in the news headlines and walking through it, step by step, with different players in the organization. This, he said, is where voices old and new, from inside and outside the cyber “inner circle,” can yield new intel. Those involved in these exercises have the chance to exchange ideas and opinions around what could have been done differently or better.
Human factors
Magee sees different teams coming together in all matters cyber.
“Strong security today calls for a wide variety of skills beyond just hard technical. For example, if you feel ransomware is the greatest threat to your business, having people with a criminology or law enforcement background could really help you think through the associated risks, and to qualify and quantify the risk you’re facing.”
Magee said even companies with limited spending power can benefit.
“Your organization may not be big enough to have all these folks on your team. So then how do you get access to some of this expertise? Maybe you go ‘gig economy’ and look at freelancers, even for just a single project or task.”
While there will always be a need for experienced professionals, security decision-makers are increasingly seeking help from outside technology. “Hackers are leveraging on human factors and emotions to do what they do; why not, then, do the same? Look for those people out there who know people – from this your security can only get better.”
For more on lessons learned from Microsoft’s SOC, visit:
- CISO Series: Lessons learned from the Microsoft SOC—Part 2a: Organizing people
- CISO Series: Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness
Microsoft is committed to supporting organizations in skilling. Throughout the month of March, sign up for the Microsoft Cloud Skills challenge where you can learn across all cloud solution areas and earn a free certification exam on us. Additionally, access the Microsoft Technical Content Library to explore learning content relevant to your role and experience level.