It is hard to find a security professional. It is even harder to manage them if you do not accept that they are slightly unconventional people at the first place. This is not to say anything negative about these individuals nor anybody’s managing skills, but to say that socially they are the highly analytical people (the “yellowest” in the social styles model) and therefore their way of thinking and interaction is slightly different. Plus, their job requires them to think and act differently.
I believe (and see) that the security professionals are simply brilliant and talented people. During the interview, they may call you “dude”; this will no doubt make you uncomfortable, but in this individual’s mind it is just a way of calling someone. One of the first things you have to realize that their brains are wired with numbers, algorithms, codes plus paranoia, which they use to keep themselves one step ahead of possible intruders. In your organization, the only people who will think similarly is your security (physical I mean). Therefore you have to acknowledge their mindset and their differences first.
Once you spot them and succeed to have them in your team, your challenge as their manager starts. Analytical thinkers are not expressive, but rather quiet individuals who are more comfortable in their own space. Security individuals are the ones who require even more space. So, the first rule to manage them is to give them a lot of space. Have a meeting with them, involve them in the decisions, set the objectives and leave them. Never, ever try to micromanage them and keep the nervous executives away from them. There are reasons why I am telling this: their minds work with to-dos, processes and data, in other words, they are task-oriented not people-oriented. Plus, they are already multitasking in their minds and trying to figure out how things (again, not people) interact with each other. Peeking over their shoulder or trying to pull them into too much interaction will cripple their minds and thus their progress.
Respect is the topmost personal value criterion for highly analytical people such as security professionals. They possess skills to define processes, analyze them, plan and they want to see respect for their actions, not praise. Keep your praises for expressive types. When you praise a security person with words “you did an excellent job, nobody can do it like you”, you will not receive the response you are looking for: he knows and he is sure that he has done an excellent job. Your words are causing “redundancy.” Show respect.
Another value for them is to share their information. You can learn a lot of things from them about security. To do their jobs properly, they are interacting with a lot of security professionals and they will bring this knowledge to your company. They can work, can prioritize and multitask under stress. To have their valuable contribution, you need to listen first. Security professionals prefer to be quiet, but when they speak, they want to be listened and they want to be respected. Cutting their sentences in half will make them refrain from speaking, because they will interpret this as disrespect, rather than a joyful contribution to a conversation (me and my wife: she always completes my sentences). Listen to them until they put the point in the sentence. Use what you learned from them to improve your processes and then value their contributions. You will be amazed with the results.
These people rarely come to you to ask for a tool/product to perform their jobs, and if they do, give it to them (with reasonable limits). If you cannot, explain them with facts and figures. The key point to keep in mind here is “rarely.” Rarely, because they are analyzing every feature of the tool before coming to you. Since analyzing is part of their natural behavior, they are already doing the work for you: spot the problem, define the need, see what you have, find the gaps between what you have and what you need, identify the tool, evaluate. Asking them why they need the tool just for challenging them will backfire. Ask them friendly, just to keep a friendly and open communication. On the other hand, you are asking them to think outside the conventional mind. Trying to squeeze them into conventional procedures and crippling their ability to try new things will come back and haunt you. Would you expect your security team to work with IT-approved products to combat with zero-day attacks?
Your security team members are interested in continuous improvement and personal development and growth. On the other hand, as all individuals, they have their own dreams, perceptions and important things in their lives. You need to engage with them at a personal level. Once they get to understand you and trust you, they will reveal themselves. To earn their respect, you have to spend a lot of personal, emotional time. And you have to do this sincerely; they will immediately spot insincerity, even before your first mimic. Sincerely recognize them, tell them how they contribute to the overall picture and of course reward them. Assist them with their personal qualities, they are interested in development. Arrange more and different trainings for them. If you have 10 trainings, make 8 technical and 2 social trainings. Although they will inevitably complain about social trainings, “being social” will challenge them and force them out of their comfort zone.
As you see, I did not speak about the environment, the snacks, salary etc. These items are lower in security professionals’ lists. Respect, sincere recognition, being valued, helping them grow are the most important things to keep your team and to keep them happy.