You have no firewalls. You have no encryption. There’s not a policy or procedure to be found. In fact, there’s very little in the way of “security” anywhere in the company. That’s ok! Because you’ve hired a highly qualified security professional and stressed in the interview process that security is the new priority: that they will bring about a change in the enterprise and start a new era of a secure culture where everything is done with a security mindset. Sounds fantastic! The opportunity to mold a security program from the ground up with executive support. What security professional would pass up the opportunity to build and run a security program the way they’ve always dreamed?
The 30 days following this hire become crucial. What happens when the professional you hired to hit the ground running actually does it? They start building a governance framework. They start getting vendors on the line and developing a relevant and cost-effective security stack. They draft a security training regimen. They do all the things necessary to start developing the framework you hired them to build. How do you respond to this?
The Best Way To Respond
The best possible thing you as a leader can do is to encourage this. Get out of their way. Provide guidance in the way of incorporating business strategy and business culture, and let them do what you hired them to do. Give them feedback when asked. If the final product needs fine tuning in order to get full executive buy-in, then by all means, polish away! Make the governance shiny, pretty and executive-digestible. Make sure it fits within the overall strategy of the IT department and the corporate vision as a whole. You hired this individual because they were the best of the bunch and you had the confidence that they were up to the task. So let them take the task and give them the leeway to perform.
The Worst Way To Respond
Closing lines of communication. There is nothing worse in the security world than to see communications cease from your leadership. Silence on document drafts and pricing quotes can make your newly hired security asset feel isolated. Furthermore, diminishing the role from what was advertised in the interview can be demoralizing. It can leave them feeling untrusted and frustrated. Hiring a highly experienced security professional and taking their job down to that of an entry-level analyst is, at the very least, insulting.
When it comes down to it, the lesson here is to not promise more in the interview than what you can really give. You can paint an optimistic view of your open position without setting unrealistic expectations. Be forthcoming with the challenges involved and transparent about what the journey ahead will look like. It sets the tone for their entire experience with your organization and can ultimately make the difference in whether or not they succeed… or stay.
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team: your reliable compass in the fast-evolving landscape of information security.