This article is more than 1 year old

Want to kill your IT security team? Put the top hacker in charge

BSides spills the beans on how to manage white hats at work

Managing an IT department at the best of times can be a struggle, and managing a security team has its own special challenges.

But whatever you do, don't put an engineer, even your best, in charge, unless their people management skills are as good as their infosec knowhow.

“All my staff are basically volunteers,” Mike Murray, VP of intelligence for mobile security biz Lookout, told The Register this week. “The people are all so highly competent and completely in demand. I know any person on my team could have four jobs at the end of the day if they asked for it.”

Murray will be giving a talk on managing IT staff at the Las Vegas BSides security conference, and has over a decade’s worth of experience in managing these most picky of staff members. The biggest mistake he sees companies making is also one of the most common – finding the best team member and making them the boss.

The skill sets required to be a good security engineer bear very little relation to those needed for managing a department, but some businesses insist on following procedure. Appointing the top engineer as boss, Murray said, almost always ends in failure.

Thankfully companies are now recognizing this, he said, and are running twin career tracks in IT security. Those who want to slip into a suit and manage can do so. There are also a lot of distinguished engineers making as much money as a VP and still getting down and dirty with security code.

For those managing security teams there are two key mistakes to avoid, Murray said. The first – an error he himself made early in his career – is to not manage enough and just trust that it’ll all work out. It’s tempting to think that such highly skilled individuals could work on their own, but guidance needs to be given.

The other mistake is to go too far in the other direction – to micromanage and go fully corporate. Nothing is going to get your staff demoralized and moving on like making them fill out timesheets, he said.

“It’s a different mindset – my people go home and code for fun. You don’t get a company accountant going home and doing spreadsheets for fun,” he said. “You need to let people get on with the job in a way that allows them to get the maximum amount done in an atmosphere in which they are most comfortable.”

One of the things you do have to get used to in managing security teams is that you’re no longer the smartest cookie in the room. Murray admitted that it has been at least seven years since he wrote a decent shellcode exploit and he expects his staff to be better than him.

However, you do need to have the basics down, he said. If a staffer is trying to tell you a two-day job could take a month, you need to have the tech chops to tell them they are bullshitting.

Staff aren’t transferable either, he said. Murray’s last job was doing IT security for GE Healthcare and he said that he didn’t bring any of his old staff with him. Likewise, he’d be unlikely to take Lookout staff with him at his next job, because security staff setups are individual to each company. ®

 
