Target Corp. experienced a serious system breach in 2013, introduced through an inadequately protected downstream supplier in what has become a textbook case of a hack to avoid. Tim Crothers had worked at General Electric Corp. He is the man who came aboard two years ago as Senior Director of Cybersecurity to steer the team that’s mounting defenses to keep Target’s cyberspace secure.
Tim is a seasoned security leader with over 20 years’ experience building and running information security programs, large and complex incident response engagements, and threat and vulnerability assessments. He has deep experience in cyber-threat intelligence, reverse engineering, and computer forensics. He is a recognized thought leader and author/co-author of 14 books to date as well as regular training and speaking engagements at information security conferences.
“I’m here to make sure 2013 never happens again,” the keynoter said as he took the stage to make his presentation How to Attract and Retain Cyber Talent.
Big name breaches in big name companies using top technology are still getting hacked, he said. If this is so, who is doing cyber security right, he asked? He pointed to Lockheed-Martin’s internal team, stating that it’s the team that makes the difference.
“I’m passionate about finding skilled team members.” Crothers heads up a team of 70 people who work in cyber security at Target. His blueprint for building a team of professionals has four objectives.
The first step in building a cyber security team is defining goals and objectives – what is the team’s mission? Metrics and measurement also are critical, and to that end, Crothers said he’s adopted Six Sigma standards of lean efficiency.
Developing the program is Crothers’ next step, and he bases it on three pillars. His program is intelligence driven, detection oriented, and it embraces the goal of continuous improvement. He cited Red Team testing – staging adversarial attacks of his team by skilled friendly hackers in drills to challenge preparedness when they’re confronted with a prospective incident. The Target team is considered the Blue Team, representing the entity getting hacked.
“The Red Team tests the Blue Team each week,” he said. “It spurred healthy competition between the teams (made up of) highly motivated, highly skilled folks.” Crothers said he discovered that his people sometimes worked on weekends, devising challenges or defenses for use in the competition. These are people who want to learn and who engage tirelessly in security-related conversations with peers.
Ongoing professional development is the key to keep cyber security professionals engaged. He structures three levels of personnel in his hiring process. Level One, entry level, are individuals who demonstrate desire and aptitude for cyber security work. Level Two hires need to have some security work experience, plus strong desire to perform the work. Level Three members make up the core of the security team. They must demonstrate mastery of highly technical skills and also want to mentor others who are working their way up to join Level Three.
Crothers was emphatic as he said, “Cyber security is a team sport. There are no prima donnas (on the Target team).”
He says that most skilled security people rank pay fourth in their job ranking scale. The magic ingredient that keeps highly talented, highly experienced people at Target is something Crothers calls care and feeding. At any given time, he said he wants 20% of his team working diligently on skill development, an employee deployment ratio that gets him pushback from HR.
Crothers’ concept of care and feeding for his team focuses on skill development at public security conferences and internal workshops, reinforced by certifications. Friendly competition, hard challenges, clear expectations, team work and recognition all combine to create culture.
He develops rigorous tests that are so difficult and complex that no one can answer all the questions. His purpose there is to determine how well people work under pressure. Topics cover network analysis, incident investigation, and general information security issues. He includes a long list of technical tools and software utilities, as well.
Challenges are motivating, he says, adding that there are two per month, each two to four hours long.
Robust cyber security relies on well-trained people who continuously work to stay up to date in a highly changing environment. He says the added benefit for Target from ongoing training is employee retention in a highly mobile career sector.
“Making an investment in people makes them not want to turn over.”