It was in 2003, before the famous security breaches of recent years, that Mike Maddison (left) was asked to establish a security function for satellite broadcaster BSkyB in the UK.
It had decided that as a FTSE 20 company, IT security was a required element and it needed someone to provide security and governance.
Reporting directly to the CFO, Maddison found he had a "complete green field" site to work with. As a start, he took the "classic approach" of understanding the degree of risk first, before deciding how to put together his security team.
Once he knew what he needed, Maddison recruited both internally and externally. "Initially, I began by looking at people doing the work anyway as part of their day job.
"I found out who was interested in doing it, and who had the talent and the capabilities." In particular, he was looking for a broad range of skills, not just technological, but regulatory and legal.
Externally, he looked to people he had worked with, and people he had heard of through word of mouth.
As well as subject area expertise and experience of change management, he had other criteria.
"I look for people with quality degrees and with a proven track of development - people who had taken ownership of their development."
Maddison says the degree subject didn't matter so much as its quality.
"I hired someone with a degree in law from Cambridge and someone with an engineering degree from Edinburgh." He believes degree quality shows whether someone is a "smart cookie" and whether they can learn.
He also looked for good communication skills and business-facing capabilities, not just excellence at implementing technology. "I needed people with business polish, people who could go into meetings, put across ideas and talk in terms the business understands."
To convince people to join (and stay), Maddison used BSkyB's infrastructure and his own management techniques, including a competitive package, a company vision that made people feel they would be somewhere where they would make a difference - and dedication to career development.
Training packages were tailored to each individual, with employees developing the plan themselves. Graduates and lower grades can train for "a raft of qualifications".
It took six months for Maddison to get 80 per cent of his team in place, since he refused to sacrifice quality for speed.
Indeed, he says maintaining quality can be a challenge, because security is very much in demand and there's a limited pool of people to draw on.
So he put succession plans in place in case anyone felt motivated to leave - and didn't try to stop them. "Security is like audit was ten years ago.
It was niche and dead end and now people recognise it's a good place to develop individuals. Sometimes, it's okay to move on and have a career."
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
