With a tight labour market for skilled infosec professionals, many CISOs and IT managers are struggling to recruit and retain talented employees.
The ATO’s solution to the situation, according to its senior director of vulnerability management and research Leonard Kleinman, has been to insource a number of key skills back into the organisation.
In a panel discussion at the AISA national conference in Melbourne last week, Kleinman said it was tougher for public sector agencies to retain skilled staff than it was for their counterparts in the private sector.
"In the current environment, no doubt it's a challenge [to recruit high-performers to the public sector]. It's a challenge for every one of us,” Kleinman said.
"But having said that, it's really a good opportunity for every one of us to try to be a bit more innovative or creative in how we attract and retain staff.”
Kleinman said the ATO’s response to the problem was to make the environment more interesting by developing internal capabilities in a number of areas that had previously been outsourced.
"The classic 'if you challenge them they will come'-type scenario. Make the work more interesting in that respect,” Kleinman said.
"I know some of the outsourcers out there might not like this, but what traditionally organisations have done is take the most interesting stuff – the forensics, the malware analysis type work – and outsourced it.
"So [we've] deliberately looked at bringing in and developing that capability. Our security testing services actually made the conscious decision to move from that outsourced model, bring it in and bring in the talent internally.”
Another important ingredient is having career pathways, including the ability to advance skills in certain roles, Kleinman said.
"We make sure there's a rotation within the work. You might be a responder, and then do some threat intel, and then you might go over to tools and development where you need knowledge as a sysadmin or a coder,” he said.
"And we found one of the great things about doing that is it increases your period of retention, because diversity and variety is what these people are looking for.”
Kleinman said the ATO started by developing those capabilities at the application level before expanding them to other areas.
“[We then went] right through to the network, and then in holistic red-team-like activities, they love that stuff.”
Australia Post’s head of information security governance Kristin Lyons agreed it was important to give employees the opportunity to work across different teams.
"Security resources tend to be the kind of people who want to keep learning, want to keep growing, want to keep finding more and more. And I think that's the sum of a high performing team,” Lyons said.
"We're always looking for opportunities for our resources to improve and learn in different types of opportunities.
"I think we're in a fortunate position in that regard to be able to provide people with quite a bit of scope to evolve, right through the innovation process, right through development, and the run of our products as well.”