In the cybersecurity industry, the focus of every managed security service provider is to reduce the time to detect a breach and remediate it. According to the last McAfee Incident Response survey, only 29% of respondents report a remediation time of two to seven days, while the others report much longer delays. When asked what the biggest impediment to incident response efforts could be, 65% of the respondents mention the lack of skilled and well-managed personnel.
There are a ton of hipster management methods around that promise great results in terms of motivation and performance. I tried some. There are also good certification businesses behind all that stuff. At the end of the day, while you can still extract a lot of interesting things from them, you can’t learn how to deal with social complexity using a locked framework. The good news is that you can find all the answers you need just by questioning yourself and by honestly taking care of the people and the system around you.
I identified five interesting management practices and tricks that helped us at Kudelski Security handle social complexity while providing high-end results. Most of them are inspired by agile methodologies like Scrum, Management 3.0, Systemic Organizations, plus common sense. The purpose of this article is to share those practices, encourage you to test them, and get your feedback on the topic.
Hire the right people
We mentioned it’s hard to find skilled experts around. Our field is in perpetual evolution, and so is the needed skill set. We all know the hiring process is critical and mistakes in this process could cost you your business. So, what do you want to do to reduce this risk? From my point of view, as soon as a candidate is truly interested in your business, has the basic required knowledge, and, most importantly, has a positive energy with a can-do attitude that will fit your existing team in terms of personality, you could be in front of your future ideal colleague. The other points are just bonuses.
Also, don’t let toxic players stay too long in your team if they don’t want to play the game in place. Not everyone can fit your culture, and as a leader it’s your role to make this kind of decision to preserve the people and the system around you.
Choose your framework
You hired the good people; you now want to find a good framework for your team. Individuals rarely self-organize without some guidelines, and there is a high chance they won’t feel satisfied in a non-structured environment. It may sound weird to say that, but I have seen many places without clear project methodology or guidance, and you don’t want that if you are looking for results and happiness. On the other hand, I would recommend choosing the method that suits your team and context and sticking to it with firm discipline.
Discipline doesn’t mean your framework will not evolve or that it will constrain people. You just want to put in place a set of rules with a clear direction and objectives and let your team organize themselves inside this framework. The process in place should be lightweight. We just want it to serve our people and our system, not to slow them down. As a product owner working with developers in a fast-paced environment, we choose to use Scrum with two-week sprints as our core methodology. It’s adapted to our context, lightweight, and effective while ensuring large autonomy for team members.
Measure your system and adapt it
Scrum is also great as you can play with it and add some good practices around the method to make it fit your needs and reality. You can iteratively build a strong definition of done (DoD) with your team, which ensures a better estimation process, and boost your code quality by adding extreme programming (XP) practices. You can improve everything, and you want to do it. Just keep in mind that the improvements should not be too frequent and should be motivated by measured facts or needs, and don’t forget that you should be disciplined and stick to your process when you find something that works. In the Scrum case we are lucky: you can inspect everything using KPIs like the burndown chart, the velocity, or the release burndown to collect facts. We even have a cute, useful, and funny tool called TeamMood to measure our team happiness!
Your company is generally not composed only of your team. You are working in a living system with real human individuals, not resources on a dashboard. It’s great to try to know them better and understand what they are doing. With a better global social understanding of your system and good knowledge sharing, you will be able to reduce the unknown that naturally creates a silo effect and a propensity for conflict, while generating great collaboration opportunities. You will also reduce the risk of bad choices if you can involve in your decisions some selected external people who will bring a fresh view on your ideas.
At Kudelski Security, we are always trying to reduce the gap between people and benefit from their skills and experiences while being more efficient. A good example of that is the DevOps culture we have between our development and infrastructure teams. We really want to act as an entity integrated in a single methodological framework, and we are close to achieving this goal, which is a real challenge.
I won’t reinvent the wheel here as everything has already been said about leadership. Still, I assume that it must be remembered that you cannot act only as a manager. You must be a leader for your team, and for me that mainly means being authentic and available for them. You trust your colleagues, so you give them responsibilities. You also take care of always providing the “Why” while letting them manage their planning and work style on their own. Finally, you’ll make sure they can sometimes work on their own suggested topics and, as soon as possible, free them from the corporate routine by sharing a drink or any other cool outside team-building event.
Sometimes our industry tends to forget that people are still making a huge difference in our field. We also need to consider the fact that skills and performance can only emerge in an appropriate environment. Based on my experience, a happy and motivated team is always more efficient than a simple suite of super skilled experts. They will also stay longer in the company. As a CISO who wants to reduce time to remediation or as a leader who wants to succeed in his business, you should take the chance to think about social complexity and happiness at work as a top priority.