How to Build a Security Management Team

For many years, as I grew in the executive ranks of several companies, I heard that it was lonely at the top. Once you achieved the highest position in your department, people said, you were the leader responsible for all the make-or-break decisions and their consequences. At the same time, those people said, there was a need to tip your balance of responsibilities to a more strategic role, so that you could spend less time and energy being tactical.

This creates a taxing dilemma: How do you make all the decisions while still becoming more strategic? Spend more time on the job? Maybe. Some might say that’s why we CSOs get paid the big bucks.

Having found myself in that situation, however, I’ve been working on another approach: improving my team’s dynamics so that I can comfortably delegate more decisions, thus freeing myself up to focus on strategy. After all, being responsible for each and every decision is different from actually making each and every decision.

There’s an added bonus too. Especially for CSOs who manage a team of executives who oversee security in various and divergent functions of a major organization—for example, a leader who oversees both the IT security and physical security functions, or who directs physical security across diverse business channels—this approach can be rewarding not only for you but also for the rest of your team, because it allows them to participate in the decision-making process across a broad scope of the business.

Of course, it’s not easy building trust with the group and divorcing yourself from the day-to-day operations of the business. But after a solid year of working toward empowering my team, I’m finding that it’s starting to pay off. Here’s what I’ve learned so far.

Building the Team

The first task at hand is assembling a team, typically your direct reports or all management at a certain level. For example, my team consists of my direct reports (four) and all other director-level members of my department (four). For our purposes here, I’ll refer to this team as the Security Executive Team, or SET. As leaders, perhaps our most important focus is making sure that our top managers have a strong balance of hard and soft skills and are capable of decision making, communication and program execution without our direct intervention.

It is important that you establish the SET with a couple of critical points in mind. First, the SET must be responsible for setting the direction of the department and making all key decisions that affect any aspect of the department’s business—regardless of how divergent the organization that you support.

Second, you must establish some rules on how the SET and its members operate. This will be your first challenge as a team. Let me share with you some of the rules that we developed as a team in order to create clear expectations for our SET.

Rule 1: The SET is the directors’ primary team, period. It comes first and foremost, even above each of the directors’ own teams.

Rule 2: Every member has an equal voice at the table to ensure equality of participation.

Rule 3: All major topics and issues of the department must be discussed with the SET to seek collective input and avoid shallow decisions.

Rule 4: Decisions don’t require consensus, and members must learn to disagree and still commit to decisions once they are made.

Rule 5: The team will speak as a unified voice to the entire department and company.

Rule 6: Members of the SET will hold each other accountable for successfully implementing all decisions.

In addition, it must be understood that the department may need to comply with certain company initiatives regardless of what the SET might decide on its own. In these cases, you, the leader, will address the directives through the SET, not to gain consensus but to agree about the expectations and delivery of the directive. Also, in terms of conflict resolution, my team agreed that I would be the ultimate authority to arbitrate stalemates. (That’s why they pay me the big bucks, right?)

There have been a few times that I have had to make the final decision on a contentious issue, and members of the team have committed to it knowing that I made a decision only after hearing everyone’s opinion equally. For example, at one point we were arguing about the need to quantify performance in each of the business channels that we support, and the team was divided and passionate in their positions. Only after listening to an intense debate did I intervene to tip the scale and make the decision to use metrics in all areas, because of the company’s desire to integrate performance measurements in all areas of the business. I engaged the team members individually in front of their peers to ensure that they would commit to the decision. I think this made the team realize that their individual voices would be heard. The next time we debated, members were even more open to debate, realizing that a fair and equitable decision would be made.

Meeting Regularly

Once the expectations are clear, the SET should meet regularly, based on the demands of the business. Our SET meets every month for two full business days. And, yes, once the SET begins to debate all the business at hand and also to review the implementation of past decisions, you will need to set aside an appropriate amount of time. Two days a month may sound like a lot, especially if your team is geographically dispersed, but the payoff is that the rest of the month, you can count on the members of the SET to take care of the day-to-day business.

As the leader, you must publish an agenda for each meeting. (I recommend that you not assign times for each agenda item, because this can stifle team input.) Topics for the agenda should reflect the input solicited from all members. This is important—and difficult, because it requires all members of the SET to put items on the agenda that they normally would have decided on their own or with their own team. In a way, members must make themselves vulnerable, because decisions that may affect only them or their own business area may be made contrary to their own perspective. But it goes to the core of the SET—that it is the one team that sets the direction for the security department and makes all the key decisions.

There are bound to be some bumps in the beginning. In our case, until we became comfortable with each other as a team, members sometimes would make decisions on key issues in between our monthly SET meetings. As the leader, I would have to hold them accountable for having bypassed or broken our team rules. This was no fun, but it reinforced the need for everyone to bring all issues in front of the SET.

In a sense, team members do sacrifice a degree of decision-making ability. The trade-off or incentive is their ability to participate in and influence the broader security business. Initially, the decision making around what is appropriate to bring before the SET is challenging, but as each team member engages the broader team on issues, it becomes apparent what does and does not apply. Team members will even tell other team members in our SET meetings, “Thanks for bringing that up, but you can make that decision and let us know the results.” At this point, it is all about trusting each other to bring things to the table for the greater good, sacrificing some of your personal power in your own particular area and participating more significantly on the department level.

At the conclusion of each meeting, the team members review the minutes, then communicate the content to their departments and the business channels that they support. This follow-up communication flows nicely, since there is a unified voice from the SET. It reinforces the fact that the SET makes the decisions and that they are vetted thoroughly for the benefit of the entire department and organization.

When it’s all said and done—if everything goes well, that is—you will have created an environment where your key management team assembles regularly to debate and make decisions. As the leader, this means that you have effectively let go of the day-to-day minutiae of the security department and limited your focus. In my case, I have managed to narrow the time I spend on daily operations to the two days that my SET meets each month. Of course, I am free to insert myself more than that, either as my schedule allows or because of my interest in a topic. But I don’t have to get involved to count on things being done appropriately.

What does this mean? Now that this process is in place, I can move beyond the tactical. After all, this is what the organization really needs from the CSO: a focus on the long-term alignment and creative applications of the security mission with the direction of the business. Through this process, the CSO can effectively open up his or her calendar.

Also, I have found that a separate and welcome benefit of this team approach is that now I can periodically begin a SET meeting with a strategic topic. Having opened the door for my SET members to engage in unrestricted, constructive debate on key tactical issues, I can also sit back and enjoy the benefits of a strategic discussion, making use of collective team wisdom. n

CSO Undercover is written anonymously by a real CSO. Send feedback to

Undercover is written anonymously by a real CSO. Send feedback to

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)