Brennan P. Baybeck lists building a successful team as one of his top responsibilities as a CISO.

“If you surround yourself with great people, make sure they’re successful and have what they need—the training, the budget, the right headcount—then great security comes along,” he says. “But if you don’t put that focus on your team, it’s not going to happen.”

That focus requires great development resources as well as career planning and direction so team members can best build their skills, says Baybeck, vice president and CISO of Customer Services at Oracle Corp. Successful teams also need great managers, adequate resources, and the right mix of responsibilities.

Without all that, security suffers.

“An unhappy security team will result in infighting, unhappiness, and aggression,” according to the Forrester report Fix Toxic Security Culture Before It Kills Your Innovation. “Not only will this cultivate an unpleasant environment, but it also has the potential to ruin your security team’s reputation, undermine your team’s integrity, and put your organization at risk.”

What, exactly, can CISOs do to counteract such a scenario?
Here, Baybeck and others offer seven strategies to build a great security team:

Accelerate career advancement

The annual performance review is a corporate standard, but CISOs who want to retain talent and maximize their staffers’ expertise should schedule reviews more frequently, says Nick Rowe, who as COO for NCC Group North America is responsible for the firm’s security consulting business.

“Traditional review cycles don’t make sense in a fast-paced world like infosec, particularly for junior members of your teams,” he says.

Security workers are constantly adding new skills as they keep pace with professional and enterprise demands, with junior professionals often advancing at a particularly rapid clip as they mature into their positions.

As a result, security workers hone their expertise—and thus their marketability—at a much faster pace than employees in other enterprise departments that don’t have the same constant evolution of skills, technologies, and requirements that the security profession does.

That’s why, Rowe explains, CISOs should recognize their team members’ speedy development with promotions, re-assignments, and raises.

Create a supporting cast

Strong security teams need more than cybersecurity positions; they also need supporting roles such as business operations experts, recruiters, and project managers, Baybeck says.

And he believes it’s strategic to carve out those roles and hire professionals skilled in those areas rather than ask security professionals to divert their attention from their core work to handle those tasks.

He himself has seen the value in this approach, having “pulled out responsibilities from people who shouldn’t have had them” and hiring staff to take on project management and operations management instead.
He says that move gave his team time back to focus on their main security work.

“Security risk management is a never-ending stream of things happening, so getting [your security team] the help they need, whether through existing corporate resources or by investing in new resources, helps them be the most productive they can,” Baybeck says, adding that investing in automation and process improvement helps boost team efficiency and productivity, too.

Create teams that better reflect the overall population

“A diverse cybersecurity team maximizes an organization’s ability to bring innovation into its efforts and acts as a force multiplier for a company’s capacity to combat digital threats,” according to the 2020 The Business Value of a Diverse InfoSec Team report from the Institute of Critical Infrastructure Technology (ICIT), noting that leading CISOs see “diversity as both a competitive advantage and a solution to the growing talent shortage.”

Baybeck agrees.

“If you’re looking for the same type of people that we’ve had for the past 25 years, you won’t be successful in the current environment or in the future. You need different points of view, different experiences,” says Baybeck, a board member with the IT governance association ISACA.

Baybeck says he’s working to create more diversity on his team by taking specific steps, such as requiring recruiters to cast a wide net for candidates, writing job descriptions designed to attract a wider pool of potential applicants, and partnering with a range of organizations to broaden his reach.

Jinan Budge, principal analyst with Forrester and co-author of its team toxicity report, says other CISOs who are diversifying their teams are taking a similar approach.

“They have targets for a diverse pipeline of candidates, and they have hiring panels that are also diverse,” she says.
That work creates more innovative and creative teams “because you’re better able to look at the multitude of issues in cybersecurity and dive into things we haven’t dived into before and change how we think about some of our security problems.”

Hire for, and cultivate, nontechnical skills

The strongest security teams are comprised of team members with a diverse set of skills, says Deborah Golden, a principal at Deloitte & Touche LLP and the US Cyber & Strategic Risk leader for Deloitte Risk & Financial Advisory.

“Having the same people with the same thinking trying to solve problems isn’t going to get you what you want. You need to have many different types of disciplines to [best address] the complexity of cyberattacks and the complexity of business,” she says.

Golden has proof this works. She has team members with liberal arts backgrounds, including English majors, archeologists, and political scientists. It was one such employee—one with political science experience—who surfaced data protection issues related to international laws that others on the team hadn’t addressed on one particular security initiative.

Clar Rosso, CEO of (ISC)2, a security training and professional association, similarly advises CISOs to hire workers for their analytical, critical, and creative thinking capabilities as well as their problem-solving skills—or cultivate those skills in their existing staff—in addition to hiring and training workers for security and technical expertise.

Cyber professionals themselves agree, listing analytical thinking, problem-solving, critical thinking, the ability to work both independently and in a team, and creativity as the most important soft skills to have, according to (ISC)2 2021 Cybersecurity Career Pursuers Study: A Roadmap to Building Resilient Cybersecurity Teams.

“Research shows that diverse teams work better because you don’t end up with group think.
Diverse teams bring different ideas to the table to solve problems and, with threats in cybersecurity so dynamic, that’s critical,” Rosso says.

Build strong, resilient team players

Training is critical for cybersecurity professionals to keep up with the rapidly evolving demands of their job. There’s no debate there. In fact, 91% of the 489 cybersecurity professionals surveyed for The Life and Times of Cybersecurity Professionals 2021, a report from the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), agreed that keeping up with their skills is critical for protecting their organizations. However, 59% said job requirements often get in the way.

Report authors issued a warning for CISOs on this point: “This training gap is quietly increasing cyber risks at your organization. To address this directly, CISOs must push the organization, ensuring that ample training time and resources are built into every member of the cybersecurity staff’s schedule on a continual basis.”

In addition to conventional training programs, Rosso advises CISOs to implement rotational programs where they have their workers cycle through different positions in six- to eight-week stretches. This gives workers opportunities to learn or hone different skills, which strengthens the team overall. At the same time, it can help prevent burnout by providing a diversity of tasks and varying the intensity of work.

Rosso acknowledges that CISOs with smaller teams may have a hard time implementing such a program; for those teams, she suggests CISOs create “fractional” roles within security that are filled by workers from other departments, such as legal or risk, who can lend and share their expertise on relevant security initiatives.

Show your team the mission

Big tech and startup companies have reputations for creating visions that inspire their workers and bring them together to drive toward common goals.
CISOs should cultivate a similar culture by focusing their teams on the organization’s mission and its overall objectives.

“You need to build a culture and purpose; there needs to be a reason for the security organization,” Rowe says. “It’s important to speak to that. As security professionals, we do [security] because we like it, but we’re also doing it because we want to make a difference.”

Workers themselves seem to share that perspective: According to the ISSA-ESG survey, 79% of security workers say they’re happy to be in their profession. At the same time, though, many indicated a desire to be more in the loop: 58% said that having security staff included in all IT projects from their beginnings would be most impactful for improving working relationships between the two groups, while 41% said encouraging cybersecurity participation in all business planning and strategy would improve working relationships with enterprise management.

Let your team members know what’s in it for them

Creating a vision for the security department that’s tied into the enterprise strategy does help get the team pulling in the same direction, but Rowe says it’s equally critical for CISOs to show their workers what’s in it for them as individuals.

“Security professionals know how valuable they are and how much they’re in demand, and there’s pressure to take advantage of that.
So alongside building goals and vision and culture, CISOs need to be able to outline to the individuals what their future looks like, what their future looks like at the company, and how they can take advantage of what the company has to offer—and how you can get them to the next level of their career wherever they go next,” Rowe says.

And CISOs must then enable their workers to develop the skills they need to grow in their career, through company-sponsored training, project assignments, and advancement opportunities, he adds.

Rowe adds: “It’s all about building career paths and being transparent and having a network of alumni so you can point to CISOs who have come out of your team. That means something.”

The (ISC)2 study reinforces this perspective when it asked cybersecurity professionals what motivated them to join the field. They cited the ability to solve problems (54%), high demand for skills (50%), it fits my skill set/interests (46%) and career advancement opportunities (45%) as the top reasons—with the ability to help people/society (44%) coming in at No. 5 followed by salary, with 42% of responses.