Seven strategies for building a great security team

The dangers of a dysfunctional security team are easy to imagine, ranging from difficulty attracting and retaining talent to putting your organization at risk. These seven steps can make a world of difference.


Brennan P. Baybeck lists building a successful team as one of his top responsibilities as a CISO.

“If you surround yourself with great people, make sure they’re successful and have what they need—the training, the budget, the right headcount—then great security comes along,” he says. “But if you don’t put that focus on your team, it’s not going to happen.”

That focus requires great development resources as well as career planning and direction so team members can best build their skills, says Baybeck, vice president and CISO of Customer Services at Oracle Corp. Successful teams also need great managers, adequate resources, and the right mix of responsibilities.

Without all that, security suffers.

“An unhappy security team will result in infighting, unhappiness, and aggression,” according to the Forrester report Fix Toxic Security Culture Before It Kills Your Innovation. “Not only will this cultivate an unpleasant environment, but it also has the potential to ruin your security team’s reputation, undermine your team’s integrity, and put your organization at risk.”

What, exactly, can CISOs do to counteract such a scenario? Here, Baybeck and others offer seven strategies to build a great security team:

Accelerate career advancement

The annual performance review is a corporate standard, but CISOs who want to retain talent and maximize their staffers’ expertise should schedule reviews more frequently, says Nick Rowe, who as COO for NCC Group North America is responsible for the firm’s security consulting business.

“Traditional review cycles don’t make sense in a fast-paced world like infosec, particularly for junior members of your teams,” he says.

Security workers are constantly adding new skills as they keep pace with professional and enterprise demands, with junior professionals often advancing at a particularly rapid clip as they mature into their positions.

As a result, security workers hone their expertise—and thus their marketability—at a much faster pace than employees in other enterprise departments that don’t have the same constant evolution of skills, technologies, and requirements that the security profession does.

That’s why, Rowe explains, CISOs should recognize their team members’ speedy development with promotions, re-assignments, and raises.

Create a supporting cast

Strong security teams need more than cybersecurity positions; they also need supporting roles such as business operations experts, recruiters, and project managers, Baybeck says.

And he believes it’s strategic to carve out those roles and hire professionals skilled in those areas rather than ask security professionals to divert their attention from their core work to handle those tasks.

He himself has seen the value in this approach, having “pulled out responsibilities from people who shouldn’t have had them” and hired staff to take on project management and operations management instead. He says that move gave his team time back to focus on their main security work.

“Security risk management is a never-ending stream of things happening, so getting [your security team] the help they need, whether through existing corporate resources or by investing in new resources, helps them be the most productive they can,” Baybeck says, adding that investing in automation and process improvement helps boost team efficiency and productivity, too.

Create teams that better reflect the overall population

“A diverse cybersecurity team maximizes an organization’s ability to bring innovation into its efforts and acts as a force multiplier for a company’s capacity to combat digital threats,” according to the 2020 report The Business Value of a Diverse InfoSec Team from the Institute of Critical Infrastructure Technology (ICIT). The report notes that leading CISOs see “diversity as both a competitive advantage and a solution to the growing talent shortage.”

Baybeck agrees.

“If you’re looking for the same type of people that we’ve had for the past 25 years, you won’t be successful in the current environment or in the future. You need different points of view, different experiences,” says Baybeck, a board member with the IT governance association ISACA.

Baybeck says he’s working to create more diversity on his team by taking specific steps, such as requiring recruiters to cast a wide net for candidates, writing job descriptions designed to attract a wider pool of potential applicants, and partnering with a range of organizations to broaden his reach.

Jinan Budge, principal analyst with Forrester and co-author of its team toxicity report, says other CISOs who are diversifying their teams are taking a similar approach.

“They have targets for a diverse pipeline of candidates, and they have hiring panels that are also diverse,” she says. That work creates more innovative and creative teams “because you’re better able to look at the multitude of issues in cybersecurity and dive into things we haven’t dived into before and change how we think about some of our security problems.”

Hire for, and cultivate, nontechnical skills

The strongest security teams are made up of team members with a diverse set of skills, says Deborah Golden, a principal at Deloitte & Touche LLP and the US Cyber & Strategic Risk leader for Deloitte Risk & Financial Advisory.

“Having the same people with the same thinking trying to solve problems isn’t going to get you what you want. You need to have many different types of disciplines to [best address] the complexity of cyberattacks and the complexity of business,” she says.

Golden has proof this works. She has team members with liberal arts backgrounds, including English majors, archeologists, and political scientists. It was one such employee—one with political science experience—who surfaced data protection issues related to international laws that others on the team hadn’t addressed on one particular security initiative.

Clar Rosso, CEO of (ISC)2, a security training and professional association, similarly advises CISOs to hire workers for their analytical, critical, and creative thinking capabilities as well as their problem-solving skills—or cultivate those skills in their existing staff—in addition to hiring and training workers for security and technical expertise.

Cyber professionals themselves agree, listing analytical thinking, problem-solving, critical thinking, the ability to work both independently and in a team, and creativity as the most important soft skills to have, according to the (ISC)2 2021 Cybersecurity Career Pursuers Study: A Roadmap to Building Resilient Cybersecurity Teams.

“Research shows that diverse teams work better because you don’t end up with group think. Diverse teams bring different ideas to the table to solve problems and, with threats in cybersecurity so dynamic, that’s critical,” Rosso says.

Build strong, resilient team players

Training is critical for cybersecurity professionals to keep up with the rapidly evolving demands of their job. There’s no debate there. In fact, 91% of the 489 cybersecurity professionals surveyed for The Life and Times of Cybersecurity Professionals 2021, a report from the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), agreed that keeping up with their skills is critical for protecting their organizations. However, 59% said job requirements often get in the way.

Report authors issued a warning for CISOs on this point: “This training gap is quietly increasing cyber risks at your organization. To address this directly, CISOs must push the organization, ensuring that ample training time and resources are built into every member of the cybersecurity staff’s schedule on a continual basis.”

In addition to conventional training programs, Rosso advises CISOs to implement rotational programs where they have their workers cycle through different positions in six- to eight-week stretches. This gives workers opportunities to learn or hone different skills, which strengthens the team overall. At the same time, it can help prevent burnout by providing a diversity of tasks and varying the intensity of work.

Rosso acknowledges that CISOs with smaller teams may have a hard time implementing such a program; for those teams, she suggests CISOs create “fractional” roles within security that are filled by workers from other departments, such as legal or risk, who can lend and share their expertise on relevant security initiatives.

Show your team the mission

Big tech and startup companies have reputations for creating visions that inspire their workers and bring them together to drive toward common goals. CISOs should cultivate a similar culture by focusing their teams on the organization’s mission and its overall objectives.

“You need to build a culture and purpose; there needs to be a reason for the security organization,” Rowe says. “It’s important to speak to that. As security professionals, we do [security] because we like it, but we’re also doing it because we want to make a difference.”

Workers themselves seem to share that perspective: According to the ISSA-ESG survey, 79% of security workers say they’re happy to be in their profession. At the same time, though, many indicated a desire to be more in the loop: 58% said that having security staff included in all IT projects from their beginnings would be most impactful for improving working relationships between the two groups, while 41% said encouraging cybersecurity participation in all business planning and strategy would improve working relationships with enterprise management.

Let your team members know what’s in it for them

Creating a vision for the security department that’s tied into the enterprise strategy does help get the team pulling in the same direction, but Rowe says it’s equally critical for CISOs to show their workers what’s in it for them as individuals.

“Security professionals know how valuable they are and how much they’re in demand, and there’s pressure to take advantage of that. So alongside building goals and vision and culture, CISOs need to be able to outline to the individuals what their future looks like, what their future looks like at the company, and how they can take advantage of what the company has to offer—and how you can get them to the next level of their career wherever they go next,” Rowe says.

And CISOs must then enable their workers to develop the skills they need to grow in their career, through company-sponsored training, project assignments, and advancement opportunities, he adds.

Rowe adds: “It’s all about building career paths and being transparent and having a network of alumni so you can point to CISOs who have come out of your team. That means something.”

The (ISC)2 study reinforces this perspective: when it asked cybersecurity professionals what motivated them to join the field, they cited the ability to solve problems (54%), high demand for skills (50%), a fit with their skill set and interests (46%), and career advancement opportunities (45%) as the top reasons, with the ability to help people/society (44%) coming in at No. 5, followed by salary, with 42% of responses.

Copyright © 2021 IDG Communications, Inc.