Want to kill your IT security team? Put the top hacker in charge

Managing an IT department at the best of times can be a struggle, and managing a security team has its own special challenges.

But whatever you do, don't put an engineer, even your best, in charge, unless their people management skills are as good as their infosec knowhow.

“All my staff are basically volunteers,” Mike Murray, VP of intelligence for mobile security biz Lookout, told The Register this week. “The people are all so highly competent and completely in demand. I know any person on my team could have four jobs at the end of the day if they asked for it.”

Murray will be giving a talk on managing IT staff at the Las Vegas BSides security conference, and has over a decade’s worth of experience in managing these most picky of staff members. The biggest mistake he sees companies making is also one of the most common – finding the best team member and making them the boss.

The skill sets required to be a good security engineer bear very little relation to those needed for managing a department, but some businesses insist on following procedure. Appointing them boss, Murray said, almost always ends in failure.

Thankfully companies are now recognizing this, he said, and are running twin career tracks in IT security. Those who want to slip into a suit and manage can do so. There are also a lot of distinguished engineers making as much money as a VP and still getting down and dirty with security code.

For those managing security teams there are two key mistakes to avoid, Murray said. The first – an error he himself made early in his career – is to not manage enough and just trust that it’ll all work out. It’s tempting to think that such highly skilled individuals could work on their own, but guidance needs to be given.

The other mistake is to go too far in the other direction – to micromanage and go fully corporate. Nothing is going to get your staff demoralized and moving on like making them fill out timesheets, he said.

“It’s a different mindset – my people go home and code for fun. You don’t get a company accountant going home and doing spreadsheets for fun,” he said. “You need to let people get on with the job in a way that allows them to get the maximum amount done in an atmosphere in which they are most comfortable.”

One of the things you do have to get used to in managing security teams is that you’re no longer the smartest cookie in the room. Murray admitted that it has been at least seven years since he wrote a decent shellcode exploit and he expects his staff to be better than him.

However, you do need to have the basics down, he said. If a staffer is trying to tell you a two-day job could take a month, you need to have the tech chops to tell them they are bullshitting.

Staff aren’t transferable either, he said. Murray’s last job was doing IT security for GE Healthcare and he said that he didn’t bring any of his old staff with him. Likewise, he’d be unlikely to take Lookout staff with him at his next job, because security staff setups are individual to each company. ®