How to Spot an Effective Security Practitioner

By understanding what makes a great security practitioner, organizations can learn how to recruit and retain effective security practitioners

In my previous column, I discussed how security professionals can recognize the warning signs and spot ineffective security practitioners. In response to my column, an interesting dialogue on social media ensued, with extremely poignant insights from a few effective security practitioners. Engagement and dialogue are, in and of themselves, a great outcome in response to a piece of writing. In addition to that, there was also a request to write from the opposite perspective - what makes an effective security practitioner.

I thought that was a great suggestion. So, as requested, here are my thoughts on seven traits that effective security practitioners exhibit:

● Selfless: The best security practitioners aren’t worried about themselves, their careers, what people will think of them, or what is and is not in their job description. Instead, they look out for team members and do what is best for the security organization and the enterprise. This behavior does not go unnoticed - the good security professionals I know see and appreciate it. The result is that what is best for the team is also generally best for the individual.

● Good listener: As far as I am aware, the human brain is not capable of speaking and listening at the same time. As a result, people who speak a lot and/or dominate in a spoken forum often have a listening deficit. Great security practitioners listen more than they speak. This allows them to truly understand the issues and challenges at hand, process them, analyze them, and then offer insightful and helpful suggestions and ways forward.

● Introspective: The author Bertrand Russell wrote in 1933 that “The fundamental cause of the trouble is that in the modern world the stupid are cocksure while the intelligent are full of doubt.” The most talented security professionals I’ve worked with over the course of my career were incredibly introspective. They were always analyzing and re-analyzing events to understand if they could have handled them better, behaved differently, or led the efforts in a different direction. The result is a near constant course correction that leads them in a better direction security-wise.

● Credits others: Some people take credit for everything that goes right and blame others for everything that goes wrong. Effective security practitioners do not. They take the blame when mistakes are made and work to rectify those mistakes and improve the state of affairs. When things go well, those same practitioners give all of the credit to the team. As you can imagine, this builds confidence in and loyalty among other security practitioners. That, in turn, motivates them such that they produce higher quality work.

● Collaborative: Improving the security posture of the organization and elevating the level of the security team as a whole both require working collaboratively within the team and with the business, executives, and other stakeholders. This is where the best practitioners excel - building bridges, relationships, and trust across organizational boundaries. This benefits the enterprise as a whole and makes the state of security within the enterprise much stronger.

● Communicative: Whereas weaker and more ineffective contributors seek to control the narrative and the flow of information, stronger and more effective contributors do not. When security professionals are operating above board, they need not fear openness, transparency, and straightforwardness. As a result, the top professionals are often quite communicative. This makes it easy to understand where they are, where they are going, and what the plan is to get there. As you can imagine, this openness, coupled with a receptiveness to feedback and an ability to make adjustments around the direction, makes for a much better security state overall.

● Delivers: Talk is cheap. Actions speak louder than words. At the end of the day, no matter what has been said, promised, or touted, for a security practitioner to be effective, they need to deliver results. Actual results, that is, and not fluff. The discerning, trained, and experienced eye will be able to tell the difference quite quickly. The most effective security practitioners deliver quality results consistently. Other talented and effective practitioners will stand up and take notice of this.

Not surprisingly, great security organizations are made up of great security practitioners.  By understanding what makes a great security practitioner, organizations can learn how to recruit and retain effective security practitioners.  This will allow them to maximize effective practitioners on the security team while minimizing ineffective ones. This, in turn, is an important tool for overall team success and an improved security posture.

Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.