
Use performance evaluations to strengthen your infosec staff

When resources are low you can't afford to carry dead weight. Use these evaluation best practices to keep your team lean and mean.

Whether you are an information security manager running a bare-bones crew or have the luxury of adequate staffing, you cannot afford to have a valuable slot occupied by someone who simply can't carry his weight. Properly rewarding high-performers and getting rid of dead weight require a systematic and consistent method of performance evaluation at the individual level. Here are three types of evaluations that, when properly and consistently applied, I've found to be quite helpful.

The Supervisor Evaluation

Though the process can range from inconvenient to downright painful, holding an individual evaluation with each direct report can be very productive. Discussing performance goals, training requirements, priorities, concerns, employee suggestions, strengths and weaknesses provides valuable feedback for both you and your staff. Schedule adequate time with each staff member, and focus on the discussion. Forward your calls to voice mail, and let your staff member know that you are sincerely interested in helping him succeed.

Supervisor evaluations should be administered at least annually. To be optimally effective, you should revisit them quarterly to provide feedback to your staff on the progress or lack thereof that has been made to date. Evaluations that gather dust are little more than an exercise in red tape.

The Self Evaluation

These are sometimes difficult to interpret, as employees may not view their performance on the same scale as you. However, while it is tempting to think that your staff members will inflate their own scores, it is quite common for them to be harder on themselves than you are. The best use of these evaluations is to compare the relative scores from one category to another. For instance, if your evaluation of Jordan indicates that he has excellent technical skills and marginal communication skills, but Jordan ranks both qualities as good, you'll need to reconcile the difference. Find out why he believes his communication skills are good, and explain what about them you believe is marginal. As he begins to understand your criteria for scoring, you will build a common base and more confidently identify goals on which you can both agree.

The Peer Evaluation

This tool can be very helpful, but tricky to balance. You must assure your staff that evaluations of their peers will remain anonymous and confidential. Then you must do everything in your power to see that they are! Failing to do so could irreparably damage your working relationship. However, when properly administered, peer evaluations provide tremendous insight into the otherwise hidden work habits of your staff. No matter how great your relationship with your staff, they will always be privy to information about each other of which you are ignorant.

Use a ranking system that forces objectivity into the evaluation. If you let each employee simply tell you "Rhonda is a great worker and a positive influence," you gain little. Instead, use instructions such as:

Rank the seven other members of the group according to:

  1. Technical knowledge
  2. Willingness to share information
  3. Fosters goodwill within the group

These answers may reveal patterns that can help you arrange assignments, tasks or even seating arrangements that are more conducive to success within your group.

What to do with the results?

So now you've performed some or all of these evaluations and have some benchmarks established. What do you do with the results? For the employee who is simply not contributing, you may need to simplify the goals for success. You must clearly communicate what is expected, what the results will be if he succeeds and what the results will be if he does not. Then you must follow through. Terminating an employee may be among the most difficult tasks you face as a manager, but allowing a non-productive employee to remain can have an ever-widening, negative influence on the whole group.

If you have someone who is talented, but difficult to work with, make consensus building a goal. If he doesn't secure cooperation, he doesn't succeed.

There is an upside to all of this as well. If you have a stellar performer, you can more easily justify a bonus, raise or promotion. These types of evaluations add a degree of objectivity that, when combined with your personal evaluations, establishes reliable, consistent records of each staff member.

Document it all

At the risk of dwelling on the obvious, I must state that as a manager you deal with employee information that must be protected against unauthorized disclosure. The legal, HR and privacy issues of manager-employee relations are substantial and should be strongly safeguarded.

Whether you have five direct reports or 55, remembering what you've said to each of them and when you said it is a pretty tall order. Document everything! Every conversation you have with your employees – good or bad – should be documented. Maintain a log (electronic or hard copy) that contains dated notes of each conversation you have with your direct reports. Don't wait until it is convenient. Document it right after your conversation, as it's too easy to forget details. You must be consistent with all of your direct reports. Inconsistent application could give rise to suspicions of favoritism or unfair targeting.

Consistency on your part will ultimately save you time and frustration. If you spend the time to use evaluation and documentation tools such as these, any actions you need to take will be more easily measured and you will have a more productive crew.

About the author
Mike Lamkin, CISSP, is the IT security manager of a Fortune 200 company based in Houston, Texas. Mike has been an IT security practitioner for the last seven years and has been in the IT industry for more than 27 years. Mike has spoken at seminars and conferences, conducted training and authored several articles on networking, security and related issues.

This was last published in October 2004
