
How to handle a problematic cybersecurity expert on your team

Sometimes hiring a cybersecurity expert to help your security team isn't all it's cracked up to be. Expert Mike O. Villegas explains what CISOs should do when this happens.

Some organizations are reluctant to work with so-called cybersecurity experts because they occasionally have a high and mighty attitude about security, and enterprise users as well as management are turned off by what they view as condescension and patronization from these experts. Security consultants who consider themselves experts may look down on the internal enterprise security teams, and that creates friction in the working relationship.

This tip looks at ways CISOs can smooth over the relationship between cybersecurity experts -- both internal and third party -- and the rest of the enterprise. What can CISOs do to help transfer knowledge and actionable advice from these experts to enterprise users and executives in a way that's more agreeable for the audience? What's the right approach to dealing with people who don't know what they don't know? Should CISOs recommend some kind of interpersonal communications training or soft skills development for cybersecurity experts?

Cybersecurity experts are subject matter experts (SMEs) who provide specialized insight on a topic where others lack it. Invaluable as their advice might be, occasionally the temperament and attitude of these experts are condescending, patronizing and offensive. Clients or employers put up with the attitude and discount it as a character flaw, but allowing it to continue disrupts working relationships and possibly the effectiveness of the project for which the cybersecurity expert was hired.

Unfortunately, these individuals are thrust upon a group because the cybersecurity expert did not show any character or temperament issues during the consultant interview process, is a member of a group already contracted to perform a larger project, or is a highly experienced employee or cybersecurity expert assigned to the project.

Regardless of how this person has now become part of your project, the CISO needs to take steps to mitigate any ill will and foster teamwork since it is the CISO's responsibility to mend and instill better working relationships between company personnel and potential prima donnas.

Set the ground rules

Before things get out of hand, set the ground rules in reporting, making recommendations, identifying inefficiencies, inaccuracies or insufficiencies and providing guidance.

Recommendations for the cybersecurity program are just that -- recommendations. The cybersecurity expert can bring them up as appropriate, but the decision to deploy should be based on consensus or, at minimum, made by the management personnel in charge.

When it comes to identifying inefficiencies, inaccuracies or insufficiencies, not all project team members will agree on everything -- this includes the cybersecurity expert. If the decision is made contrary to the SME's viewpoint, she should never belittle, undermine or disrespect the ultimate decision made.

Providing guidance is the essence of the value the cybersecurity expert brings to the table. Her job is to guide the project team members to pragmatic solutions or directions to help the project team accomplish its goals.

There are several dynamics occurring here. The cybersecurity expert may very well be right in her observations on cybersecurity or even compliance. But unless the cybersecurity expert is performing the HIPAA or PCI DSS certification, she should document this viewpoint, make it part of the project documentation and ensure that steps taken against her recommendation are documented as strictly based on a business decision. This protects the cybersecurity expert and allows the project to move forward. Conversely, project management should not tolerate intransigence. That can be more disruptive than it is worth.

Establish reporting structure

Everyone reports to someone. Even the CEO is accountable to company stakeholders. Cybersecurity experts need to understand who they report to and, just as important, who does not report to them. The expert should not be directing the group or others to project tasks or deliverables. That should be done by the project manager. This allows the project manager to control the project and allay concerns of staff or project members that might arise from the expert's comments or mistreatment.

Set clear expectations

Ensure the cybersecurity expert and the team know the goals, deliverables and timelines for the project. Deviations, no matter how noteworthy, should be formally entered into the current project with management approval or put aside for another initiative at a later time. Do not allow the cybersecurity expert to deviate from the project or cause delays or ill feelings due to self-glorification.

Are cybersecurity experts worth the hassle?

What effect does this expert have on the morale of the cybersecurity staff? Are any of them leaving the company because of him? How much time are you and the cybersecurity staff spending with the cybersecurity expert because of this behavior? Is this expert the only one who can handle the project assignment?

Are these cybersecurity experts worth keeping? Undoubtedly, but no one is irreplaceable. The CISO should do everything he can to build a working relationship between the cybersecurity expert and staff. To be fair, the expert may be reacting to what he perceives to be incompetence, but there is no excuse for condescension or patronization. The expert needs to respect and abide by the same professional standards as everyone else. Organizations should explore options for communication training or soft skills development for their cybersecurity experts. Do not wait too long to confront this issue and expect it will remediate itself.


This was last published in September 2016
