2. Give them the tools they want within reason
"There's no perfect [security] tool that everybody loves," says Rob Westervelt, information security analyst at IDC. "It's what they feel comfortable using." But too many tools can get expensive and be disruptive to the team's workflow.
At First Financial Bank in Cincinnati, "we try to keep no' out of our vocabularies when it comes to new products," says Dan Polly, vice president and enterprise information security officer. Polly, along with Brad Stroeh, vice president of network and security services, lead two groups that make up the bank's incident response team. "We really encourage people to try to abandon their conventional wisdom, and we allow experimentation to occur within reason."
To help keep under control the number of tools his team used, Borandi introduced a caveat — those who bring in new tools are responsible for their maintenance and upgrades. "With the maintenance cycle associated with it, they got very efficient" at selecting only the most essential tools, he says.
3. Listen to ideas and value their knowledge
Incident response team members want to have an impact on the company beyond their daily responsibilities, Gadsby says. "So I focus on really understanding that these people have a lot to contribute." This requires being a good listener.
"You can learn a ton about risk from your response team," she says. In addition to their deep technical knowledge, "they have the latest in cyber intelligence, and they're often very deeply embedded in the security community, which brings valuable relationships to the company. They can contribute to the [company's] larger security story outside of just the response team. They value being able to give that input."
Gadsby also treats incident response team members as business consultants when it comes to planning and making decisions on future technologies or product development. "Most importantly, take their input and use it to evolve processes," she says. "Your incident response people are expert multitaskers, and they understand how to prioritize under pressure. Use that knowledge to improve your incident response process and your overall security story."
4. Keep incentives fresh
"Understanding the incentives of people in high demand areas is really difficult," Polly says. "You have to be very tuned in with each employee and understand what's important in their life," both inside and outside of the office. "It's very personal. [Over time] you exhaust your techniques."
To that end, Polly and Stroeh make sure they're physically present at the office with their teams. "We try to stay very engaged with the people we work with," Stroeh says. About a dozen security pros, most in their 30s and 40s, make up both teams. "It's a huge time commitment, but you have to be able to spend that emotional capital with those teams and make them feel good about what they're doing," as well as find new ways to motivate them.
Sign up for CIO Asia eNewsletters.