I have been intrigued by the recent dialogue surrounding how to keep security professionals up to date with the latest information. More specifically, it concerns identifying the skills that are critical for individuals to have, as defined by their leadership, to protect the business from future disaster. Everything from in-depth security best practices to software development skills to industry-specific protocol and regional variations has been noted as important. My question to leadership is this: How have you assessed that your security professionals’ decision-making abilities are based on these skills? How have you assessed that decisions will be made in line with security standards AND the vision and mission of your business?
Companies spend a significant amount of investment dollars on recruiting the “right talent”, training them to have the “right skills” and enhancing security systems and practices to provide us with the “right protection”. But unless and until we assess the effectiveness of those investments, aren’t we leaving ourselves exposed to some degree? How are you assured that the training you provided will positively influence your security professionals’ ability to make the best decision before, during, and after a security attack? How are you assured that the training you provided will positively influence your security professionals’ ability to PREVENT a security attack? How are you assured that the security professional you hired will make a decision on security protocol with your company’s values taken into account as well as best practice?
Many of us tend to rely on certifications, which measure someone’s knowledge at a specific point in time, based on the latest “state of the art” practices and technology. In this social engineering era filled with constantly changing technology, this is key, but more must be done.
Within our own company, one of our core competencies is developing knowledge-based assessments, so we decided to leverage that approach for our internal staff. Like many other companies, we have a unique technology environment that has unique vulnerabilities and defences. Because we do this for a living, we knew exactly how to create an assessment for our technology and security professionals, customized using our internal content experts’ knowledge of our unique infrastructure. It allowed us to determine specific weaknesses in our staff and take educational steps to address identified gaps. This assessment not only gave us a baseline to measure our security team’s knowledge but also highlighted areas that require greater focus and training. Additionally, that same team was assessed on ensuring their decision-making was aligned with the company’s vision, mission and values. We found that using a test to improve business outcomes has had a positive impact on our financial performance as well as enhancing our outcomes.
When your security experts are making decisions that are aligned with your company’s vision, mission and values, they are achieving performance leadership. Testing how they apply the training they have received and their understanding of how to apply the company’s values in decisions is the best insurance policy you can get.