Cast a Diverse Set of Players to Balance Your Information Security Team

As data breaches continue to impact some of the world’s most recognizable retail brands, consumers are acutely aware that some companies take their data security obligations more seriously than others. As executives and boards of directors across the retail industry work to build their information security organizations, we’ve observed that many stop just short of where it matters most: their people. Organizations building an effective IT security function must design it around the strengths of the team they actually have.

We have observed that leaders who bring the key information security leadership skills, such as excellent communication, a thick skin, and the ability to shoulder blame and offer clear explanations during a cyber incident, typically come from one of three experience backgrounds. First, many come from a purely technical security background or are former federal government employees. Another large group of information security professionals rose through the ranks of the IT organization and adopted a focus on security later in their careers. A third group gained its information security experience through audit and compliance work. There is no “ideal” background for an information security leader; in our work, we’ve observed general strengths and development areas for leaders from each background. Nevertheless, it is essential that organizations understand these attributes in the context of the security strategy they are working towards if they are to drive improved cybersecurity performance:

Leaders with a technical security background

  • Strengths: Those with a technical security background often have a detailed understanding of external threats and of the security controls that counter them. They frequently have deep familiarity with specific vendors and know how to deploy those tool sets according to best practice.
  • Development areas: These individuals are most effective when augmented with team members who can help them communicate with less technical audiences and sell a vision that goes beyond FUD (fear, uncertainty, and doubt). Such support also helps them build a business enablement mentality across the information security organization. Balancing risk against business enablement is both an art and a science, and it is remarkably easy to alienate business stakeholders without careful attention to framing IT security issues in business terms.

Leaders with a general IT background

  • Strengths: These professionals often have more experience communicating value propositions and managing teams that enable the business. They understand what it takes to run large infrastructure against a P&L and tend to take a more experience-based approach to information security initiative timelines and roadmaps.
  • Development areas: Surrounding a generalist IT leader with information security specialists provides the subject matter expertise needed to address new or developing security issues. The specialists can help the leader drive quickly to the key decision points and wade through the abundance of vendors and information security tools that claim to make organizations more secure.

Leaders with an audit or compliance background

  • Strengths: Professionals with audit and compliance backgrounds have a deeply ingrained ability to prioritize on the basis of risk and to build business cases for the changes that regulation requires. Government and industry regulations can be complex and frequently create conflicting priorities; in this environment, process and governance skills are highly valuable.
  • Development areas: These leaders will be most effective when supported by a team that supplies the security and IT domain knowledge needed to round out the information security function. In particular, make sure to pair this type of leader with staff who have front-line IT and security operations experience and can pivot quickly from an inspection mindset to managing a crisis.

Regardless of their technical and professional background, we’ve observed that many IT security professionals in the retail industry have a blind spot for the human side of security. By understanding these development areas and building a diverse information security team with broad subject matter expertise and a shared curiosity and enthusiasm for IT security, organizations can mitigate those blind spots. Companies will also be better equipped to instill a stronger security culture, because a wider base of stakeholders will find someone in the security organization whose experience and background they can relate to. Armed with an understanding of what a balanced security team looks like, retail organizations will be positioned to make meaningful strides on their security journey and to build trust and stronger relationships with consumers, their most critical stakeholders.