Tips on building a high-performance Security Team
Posted on May 2019 by John Fehan
Every day companies are asking their Security Teams to know more, detect more, and prevent more. Enterprises are recognizing the real threats that are posed by malware and cyber attacks. Security Teams know companies who have been hit by cyber attack. Teams also know the costs incurred and the intensity of breach. If you are on a Security Team, you know that every day the stakes are high to keep a network secure.
Clear thinking and positive mental health are essential attributes for a high-performing Security Team. Team members need the ability to “switch off,” and a good Security Team Leader builds this into their team.*
How can you prevent your team from going over the edge worrying about the security of your network — and your business?
Many businesses, even small and medium sized, are building out a Security Team. Business leaders may wonder, “How do I build a Security Team?” Leaders may conclude, “in order to have a good Security Team, first I need a good Security Team leader.”
Today’s enterprise needs a security leader with technical and business acumen.
To the right, see the top traits to hire for a successful security leader. (click to enlarge) Such a leader must understand business risk, inspire people, foster collaboration, and manage professionals to their strengths.
How to get started to build a Security Team
First identify what the business needs. Think of Security as a necessary business function, such as Human Resources (HR).
Top three Traits of a Successful Security Leader
- Business professional who understands business objectives, takes ownership of their workflows, and serves the business community so that all may operate within the risk tolerance.
- A team leader who can attract, develop and retain professionals who are secure in what they know while eager to continue learning.
- A security professional who is honest in what they know and what they don’t.
The goal of HR is to ensure fair, legal, and effective management of labor. This goal requires HR to run several business processes: recruiting, HR management, labor law compliance, etc. To run such processes, HR maintains certain data and uses special tools to manage that data.
Likewise, a Security Team performs a necessary business function. The goal of the Security Team is to manage business risk within manageable levels.
Business risk has always existed in supply chain, distribution, and other traditional business areas. However, as IT systems have expanded in all business processes, the effect of a disruption to IT systems has likewise grown. IT Security must now be added to the list of major areas of business risk.
To meet the business objective of managing risk within IT, cyber security must run certain workflows, such as the following:
- Threat awareness
- Information risk assessment
- Information risk reporting
- Security policy definition and creation of related technical standards
- Security control assessments
- Cybersecurity training
Top traits needed in a Security Team
An enterprise needs a Security Team of diverse and complementary professionals to run security workflows and maintain related data.
To the right, see the top traits to hire for a successful Security Team. (click to enlarge)
Such a team must share a common passion, but possess a diverse set of skills and experiences. Such a team needs a leader who can understand business risk, inspire people, foster collaboration, and manage professionals to their strengths.
Today’s enterprise executive needs a security leader who understands business objectives, takes ownership of their workflows, and serves the business community so that all may operate within the risk tolerance.
Top traits needed in a Security Team
- Professionals who can run a workflow, document outcomes, and communicate clearly.
- Professionals who can assess risks as a threat to business loss, not something to fear.
- Professionals who serve the business by educating, explaining, and reminding instead of belittling or ranting.
- Technologists who can integrate systems, configure rule sets and behaviors, respect change control, and are honest about what they don’t know.
Look for candidates who demonstrate through their professional stories their limits, people who have sought assistance, and who have a specific methodology for collaboration and group learning. Beware of candidates who tell stories in which they are always right, always the hero. Such candidates are not likely to build a Security Team based on trust and collaboration, but instead are likely to build a team based on bluffing, exaggeration, and deception.
How to elicit work examples
Use the “smart questions” to the right to elicit stories that may indicate how a security professional will perform in your organization (click to enlarge). Ask candidates for details; do not accept summary responses.
As stories unfold from candidates, you will feel an appeal or an aversion. Trust these feelings. Passion, experience, and certifications matter in that descending order of importance.
Security is a Team Sport
Security can only be run as a team.
Triage: Allow the whole team to triage issues and major work. This practice allows senior staff to help design the effort and share short cuts before the junior staff does the work.
Education: The senior staff should be responsible (in part) for the professional development of the junior staff.
What doesn’t work: Feedback alone does not do the job and can de-motivate junior staff. No one likes being told that their output is useless after their effort. Triage problems as a team and design the effort before allowing junior staff to waste time in the wrong direction.
Take the long view: When building a high-performing Security Team, take the long view. Use the above “smart questions” to identify the candidates with the skills and passion to manage business risk of IT
Smart questions (and answers) for a hiring Security Manager to ask:
- How does a Security Team best keep abreast of security threats? (Shows Continuous learning.)
- How does that knowledge of security threats permeate throughout the Security Team? (Shows Collaboration.)
- How can you best maintain senior management’s support of the enterprise security strategy? (Shows Alignment with business risk tolerance; alignment with value of business processes and applications.)
- How do make best use of your vendors’ security assessments? (Shows ability to Normalize prioritization and risk analysis.)
- What do you find most interesting in the field of cyber security? (Shows Passion and likely area or excellence.)
- Tell me of a time where you met stubborn resistance to what your were trying to implement (Shows Determination and maturity.)
- The business cannot fund all of the security controls available. How have they made such decisions in your current company? How could they have done this better? (Shows Analysis and decision making.)
- Tell me of a time where you worked closely with another person to complete a project/answer a question. Why did you need them? (Shows collaboration.)
Don’t have the team you need today? Add our team to your team: contact us. Our consultants provide the expertise and tools to help companies identify risk, detect threats and avoid costly cyber threats to business. Our team can ramp up and ramp down as needed to help your Security Team face cyber threats today and into the future.
* More on mental health of Security Teams
For information about the importance of mental health for Security Teams, see Tom Langford’s blogpost of his presentation at the European Information Security Summit 2019: Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams. Tom recounts his path over the edge of mental health — and his return to better days.