March 7, 2012
Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.
Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.
We also discussed some of the challenges he faces, including the retention of research and development staff. Without R&D, the AFRL’s mission fails. The USAF cannot compete with the salaries of private-sector researchers and must seek alternative ways to retain and motivate the talent. First, heavy emphasis is placed on recognizing and awarding staff for research excellence. This creates a sense of pride and accomplishment. Second, the very nature of the AFRL mission motivates researchers. These scientists have the ability to directly affect USAF operations and, in many cases, save lives. What a powerful motivator!
There are parallels for security and risk professionals. The retention and motivation of staff is critical for organizations. I am currently conducting research interviews for a report on the security architect role; a recurring theme is that bringing security architects into organizations is a challenge. There is a shortage of candidates with both the business acumen and technical skills necessary to be successful. To recruit and retain these individuals, you must think beyond salaries. Financial compensation is a key component, of course, but what else does your organization have to offer? Can you follow the AFRL model? How will you enable employees to thrive and accomplish their goals? Stay tuned — I will discuss this in much greater detail when my next report on security architects is released in April.