Attributes of a high-performing information security team
Catriona Stone
Senior Talent Acquisition Partner @ Mimecast | Talent Acquisition
THE RISE AND RISE OF CYBERSECURITY
As civilisation becomes increasingly reliant on technology, the spotlight on information security is ever-growing, as is the number of debilitating cyber-attacks. As an example of the damage they can cause, the Ponemon Institute Cost of a Data Breach report puts the average cost of a data breach in 2020 at $3.86 million. According to Cybersecurity Ventures, cybercrime is set to cost the world $10.5 trillion by 2025, which, to put this in context, equals the world’s third largest economy. By the close of 2021, a ransomware attack is projected to take place every 11 seconds.
According to an EY report, cybersecurity and risk management remain top of the Board agenda, alongside climate change and COVID-19, as organisations strive to manage an increasingly dynamic threat landscape. The fallout of a major cyber-attack can have huge consequences for the organisation in question. This might include lost revenue, a drastic fall in share price, potentially catastrophic fines (due to new GDPR regulations), not to mention the PR nightmare a breach causes, particularly if sensitive customer information has been lost. The 2015 TalkTalk breach resulted in the company losing over 100,000 customers, demonstrating how such attacks might erode consumer trust. Cyber criminals are also becoming increasingly sophisticated and organised, with hacking now becoming commercialized, making it easier for threat actors to breach organisations.
WHAT HAS BEEN THE IMPACT OF COVID 19?
Exacerbated by Covid-19, companies have been forced to digitalise and move their activity to online channels. With this shift, organisations can inadvertently leave themselves exposed, and remote workers have become an attractive target for cyber criminals. Carbon Black reported that cyber-attacks in the USA shot up by an estimated 66% in the early stages of the pandemic. In terms of the angle of attack, research by PhishMe shows that 91% of cyber-attacks are launched through spear-phishing emails, demonstrating the importance of cyber security awareness throughout an organization, most pertinently in a post-covid world.
CYBER SECURITY AND CYBER TALENT AS A NEW AGENDA FOR BOARDS
As cybersecurity moves up the ranks of the Board agenda, the focus has shifted to how organisations can ensure they can improve understanding and mitigation capability against cyber-attacks. Having a solid internal cybersecurity infrastructure is no longer just about the technology and tools; it is about the talent that drives the cybersecurity transformation. Executives and upper levels of management must now consider if they have the right cyber leaders to drive the information security strategy and assemble the right team to effectively secure the enterprise. It follows then that the security posture and maturity of the business should correlate to the effectiveness and performance of the information security team in place, including the leadership members. In this article, we explore some of the key attributes of a high-performing information security function. We investigate social psychological enablers, psychological safety, and diversity and inclusion in its broadest sense. We conclude with a specific focus on how to build high-performing cybersecurity teams using insight from leaders operating within the cyber security and data privacy industry.
ATTRIBUTES OF A HIGH-PERFORMING TEAM
Is there a direct correlation between high-performing teams and bottom-line performance? According to research by the Harvard Business Review, 75% of teams are dysfunctional and 60% fail to deliver. High-performing teams demonstrate higher productivity and can be 14% more profitable than their lower-performing counterparts.[8] Therefore, winning teams can generate higher profits and, consequently, businesses are increasingly structuring tasks around teams. It therefore comes as no surprise that the Oxford Review found 8,100 peer-reviewed articles on this topic, building on research stemming from the 1920’s.
Insights from organisational psychology, sports psychology and military leadership have all contributed to our understanding of the essential attributes and make-up of a high-performing team. EY discusses the ingredients of high-performing teams in its recently published ‘What gives teams the edge’ report.[11] Their holistic analysis discusses the important role that Team Edge, Team Resilience and Team Momentum play in creating successful teams. Though we acknowledge the importance of these factors, our analysis focuses specifically on structural considerations, the make-up of the team, psychological safety, and diversity (including diversity of thought and neurodiversity). We begin with insights gleaned from social psychology.
Social psychological factors
Every team is uniquely composed to serve a specific purpose, though empirical research from social psychology and team science identifies common factors which underpin team success in general. For instance, specific, as opposed to non-specific, team goals improve team performance. Further, group-centric goals as opposed to individual-centric goals have a greater impact on team success. Moreover, teams that define their own goals as opposed to a command-and-control approach display greater productivity. In a meta-analysis, teams that are relatively cohesive are more successful than those which are not.
Sooner or later, teams will come to disagreements. Research shows that conflict can be healthy, as long as it is functional as opposed to dysfunctional.[15] Task composition,[16] team composition,[17] team size (the widely accepted optimal number is 5), task complexity,[16] goal clarity,[19] leadership and organisational context are all part of a myriad of structural and social psychological factors that will impact how effective the team is. In summary, social psychological and structural enablers of team performance include the following:
· Specific team goals
· Group-centric goals
· Goals defined by the team
· Cohesive teams
· Healthy conflict
· Task composition
· Task complexity
· Team composition
· Team size
· Goal clarity
Psychological Safety
The concept of psychological safety describes the consequences of taking interpersonal risks in certain contexts, like the workplace. Although first explored in the 1960’s, the concept only rose to prominence after the pioneering work of Amy Edmondson, Professor of Leadership and Management at Harvard University. Amy Edmondson is the lead researcher in this area and the first person to officially coin the term ‘Psychological Safety’. Amy describes psychological safety as “a sense of confidence that the team will not embarrass, reject or punish someone for speaking up with ideas, questions, concerns or mistakes…. It describes a team climate characterized by interpersonal trust and mutual respect in which people are comfortable being themselves”.
In 2012, Google’s People Operations wanted to understand why some teams seemed to thrive and others didn’t. They researched 180 high- and not-so-high achieving teams from all over the company, attempting to find patterns of any significance. They found no correlation between personality types, emotional intelligence, demographics, backgrounds, skills nor any other factor that seemed to have an influence on the performance of the team. Utilising an internal team of psychologists, they then hit upon a well-established research area in social psychology; that of ‘group norms’. Norms within teams are the (often unwritten) rules that govern how a team operates. In some teams, there may be a culture of encouraging vigorous debate whereas in others, there may be a value on consensus.
The researchers at Google agreed that formal or informal norms were important and drew on a study which found that teams tended to be more effective when everyone had a chance to contribute (Google suggested additional complementary factors: dependability, structure and clarity, meaning of work and impact of work). The research here corroborates the concept of psychological safety; managers who create psychologically safe work environments create a culture of openness, transparency, risk-taking and honesty, setting the psychological conditions for teams to succeed.
Speaking of psychological safety in relation to cyber teams, Stephen Khan, former Global Head of Tech and Cyber Security Risk at HSBC and Chair of ClubCISO, states: “Our people aim to do their best work within their capabilities. As leaders, we must partner with them to support, guide, and train, so they may deliver the best outcomes for organisations. Psychological safety is a fundamental cornerstone for building high performing teams.” In summary, we can be confident that creating an open environment in which each individual can convey their opinions without fear of reprisal is a key factor in building a successful team.
Diversity & Inclusion
According to the World Economic Forum (2019), the business case for embracing diversity is irrefutable. There now exists substantial evidence that teams and organisations who have a strong diversity culture perform better financially, are more creative, have employees with increased job satisfaction and organisational commitment, increased trust and engagement in their job, have lower employee turnover, have stronger governance and have better problem-solving abilities, compared to those that are relatively homogenous.
McKinsey’s continued research has found that companies with a high proportion of diversity are more likely to outperform their competitors. In a meta-analysis of 108 studies and over 10,000 teams, there was found a direct correlation between diversity and creativity. Though encouraging, these results are subdued somewhat by the finding that these highly diverse teams also struggled to actually implement these ideas, due to their inherent social conflict. This suggests that we should have highly diverse teams for idea-creation, and more homogenous teams for idea-implementation.
Other studies demonstrate that companies using aggressive messaging around diversity issues may alienate majority segments of the population, which could impact talent attraction for those companies. Empirical research has consistently supported the notion that having a team made up of people from very different backgrounds leads to high levels of performance for the overall team. Our conceptions of diversity are not limited to prescribed characteristics. As we know, teams and problem-solving benefit from an array of people’s thinking styles and broader experiences, therefore we advocate that diversity of thought and neurodiversity also be considered beneficial.
Diversity of Thought
University of Michigan Professor, Scott Page, published a book entitled ‘The Diversity Bonus: How Great Teams Pay Off in the Knowledge Economy’. In a publication 10 years previously, Page discussed the importance of diversity from a cognitive point of view, choosing the term ‘cognitive repertoires’ to describe the benefits harnessed when people with different thought patterns come together to solve problems and create solutions. Page talks of cognitive diversity as being different from identity diversity (linked to a person’s gender, racial, religious identities). There may be an interplay, however, with identity diversity shaping cognitive diversity. In other words, our experiences based on our racial, ethnic and socio-economic backgrounds, may influence our life experiences and inform our choices, leading us to certain ways of thinking.
Nonetheless, Page draws on evidence across disciplines including maths, economics, psychology and computer science to demonstrate that companies which leverage cognitive diversity specifically are better at solving problems, and breed creativity and innovation. As leadership expert Sara Canaday advocates, ‘Companies produce the best results and are better able to innovate when their team members don’t all think, process information or see the world in the same way’. The consensus then, is that diversity of thought is essential for organisational and team success.
For cybersecurity teams, this is a real area of opportunity. A 2020 joint report by the NCSC in partnership with KPMG found that female representation in the UK cyber industry is at 31%, whilst ethnic representation is proportional to that of the wider UK population. Arguably, encouraging staff from varying backgrounds to enter the cyber security industry would bring about the benefits of cognitive diversity with corresponding positive effects on team performance.
Neurodiversity
There is a growing cohort of companies who, rather than viewing neurodiverse candidates as a hindrance, value neurodiversity and treat it as a competitive advantage. The traditional focus has been on those people with autism, however the term neurodiversity extends to ADHD, dyslexia, dyspraxia, and other conditions, which are estimated to exist in more than 10% of the UK population.[45] Large enterprises such as SAP, EY, Google, Deloitte, Dell Technologies and Hewlett-Packard Enterprise (HPE) recognize that many neurodiverse people are naturally suited to careers that make use of mathematics, pattern recognition and memory.
In Australia, HPE has provided more than 30 neurodiverse software testers to Australia’s Department of Human Services, claiming that these teams are up to 30% more productive than others. The Australian Department of Defence is now creating a similar programme for cybersecurity using the same assessment methods as those used by the Israeli Defence Forces (IDF), stating that the ability of neurodiverse people to spot anomalies and patterns in event logs is “off-the-charts”. Indeed, the IDF’s Intelligence Division, Unit 9900, is composed primarily of neurodiverse employees, who are “gifted with an incredible ability to analyse, interpret, and understand satellite images and maps”. Along with their increased demand from employers within the information security industry, neurodiverse talent is making great strides in joining the tech industry at large.
SUMMARY
In the course of this article, we have looked at a question asked often by organisations: how can we build high-performing teams? With supportive academic and consulting research, we have reviewed some of the specific structural and social psychological factors. These suggest that successful, high-performing teams benefit from diversity, cognitive diversity, and in the case of certain cyber job roles, neurodiversity. Further, psychological safety creates an environment of openness, encouraging individuals to openly contribute their ideas in a non-hostile environment. This in turn provides a conducive atmosphere for innovation and problem-solving, and therefore, an engaged and successful team. Finally, the way that teams work and come together also impacts on their efficiency. For instance, having specific team goals and separately, a healthy amount of conflict is deemed to be necessary for team success.
To view these points through the cybersecurity lens, Sentients interviewed two established security leaders to further explore some of the factors laid out in the previous sections. Our thanks to Graham Thomson, Chief Information Security Officer at Irwin Mitchell, and Colette Hanley, VP, IT Risk at Checkout.com, who gave an account of how they built and manage their respective teams.
INTERVIEWS WITH SECURITY LEADERS
Graham Thomson is Chief Information Security Officer and Head of Data Analytics at Irwin Mitchell, a law firm. Graham has also previously undertaken CISO appointments in global online retail and financial services. Graham is a founding partner of the North West Cyber Resilience Centre and a member of the EC-Council Advisory Board.
Colette Hanley is VP, IT Risk at Checkout.com. Colette was previously Chief Privacy Officer and DPO at Nokia, and Global Head of Information Security Compliance & Privacy for Skype at Microsoft. Colette is an active evangelist in Privacy, Security & Risk and was headline speaker at Cynam 2.1 in March 2021.
What would you define as a high-performance cyber security team?
Colette Hanley: High-performance teams, as well as having strong ambition for themselves and for their work as individuals, are equally committed to the team mission. They share a common understanding that each team member is integral to team success. First-class teams respect diversity of experience and expertise and are ready to build on it through collaboration. Such teams are aware that it's this cross-pollination of strengths that ultimately allows them to better protect and enable the business.
One benefit of operating within such a collaborative environment is that team members feel comfortable experimenting and exploring new ideas. Another is that when, inevitably, something doesn't go to plan rather than pointing fingers at each other discussions can occur openly and naturally about what could be adapted or improved. Where each team member is individually invested in mutual success, any failures in this trusted context actually serve to increase team cohesion rather than threaten it. Shared ownership for team success and failure, in a virtuous cycle, further encourages greater individual creativity and resilience, which I’m convinced are both hallmarks of a high performing cyber security team.
Graham Thomson: For me, a high performing security team is a proactive, efficient, cost effective and happy team that provides a leading service to the business. It is a team that knows its purpose, works together as a close-knit group of people towards the goals with autonomy and takes the initiative to be masters of their craft.
In order to be effective, all the team members must be highly focused on their defined goals or objectives and work together to achieve measurable results. Team members must be adequately trained, skilled and empowered in their role. A high performing team has a clear sense of what they are doing and why.
When starting a new cyber leadership role, what are your first steps to building trust within the team?
Graham Thomson: Getting to know the team and them getting to know you, warts and all, is key. There is nothing wrong with showing your personal vulnerabilities, revealing your own mistakes, from which you have learned, as this makes you more human and more trustable as a servant leader. You must use language and behaviour that builds trust and inspires others – completely avoid a command-and-control approach, involve them in decisions wherever possible, focus on the needs of other team members before your own, acknowledge their perspectives and give them the support needed, and build a sense of community.
It’s not what you do, but who you do it with, and building a sense of belonging is really important too. To achieve this, you must nurture a team that either has a sense of shared identity and direction to make a “we’re in this together” feeling, or a close team of friends with a feeling of one family together. For me, this was exactly the kind of camaraderie that was nurtured in the Army and made high performing teams.
In a new leadership role, you must set clear and comprehensive objectives for the team overall and ensure each member of the team has their own aligned objectives and personal development plans. These must be directly in line with the business goals and Information Security strategy. Everyone must know why they are there, what they need to do, for what higher purpose.
Clear roles and responsibilities of the team members should be set or updated too. Team members should know that they are empowered to work in the way that works best for them and encouraged to work together and collaborate to achieve the overall objectives.
You also need to ensure the team are effectively resourced and skilled. Team members should be empowered to take relevant training as required in order to grow and progress as per their personal development plans. Talent planning and investing in people should be done too, with diversity and inclusion front of mind. GCHQ have expressed that one of their secrets to success is neurodiversity and knowing that great minds do not think alike.
All of this needs to be done in an environment of psychological safety – this doesn’t happen by accident; you need to build and maintain it. Be explicit about it, let everyone know that they won’t be punished or humiliated for speaking up with ideas, questions, concerns or mistakes. Without psychological safety, no one wants to speak up to address issues, to highlight problems or challenge the status quo, mistakes are covered up – it’s a toxic culture, doomed to fail.
Colette Hanley: Outside of work, we take it for granted that establishing genuine trust-based relationships requires thought and sustained effort at the interpersonal level. This is no less true in the workplace, particularly with a new team or with a new leader. Trust will only flourish in a climate that encourages communication, collaboration and favours an open exchange of ideas. The most effective step I can take with a new team is to lead by example. By welcoming suggestions that diverge from my own, respecting differences in opinion and remaining flexible and interested in new proposals, for example. Building a trusted operating environment means developing a team identity that allows individuals to express themselves authentically without that jeopardising the team’s cohesion. A foundation of trust allows recognition of the value colleagues can add thanks to, and not despite, their different perspective, background or expertise.
What processes do you recommend in order to maintain a high-performing team?
Colette Hanley: Two approaches have worked well for me. The first is celebrating achievements and the second is investing in learning. Most of us generally accept that we can learn valuable lessons from our failures. What I hear repeated less often is that we should also expect to learn from success. This means explicitly taking time to reflect on how and why we were successful. Members of high performing teams are often so delivery-focussed that following an achievement they simply move to the next task and don't look back. Cyber security teams in particular typically put a lot of effort into examining what hasn’t worked and why, what needs fixing and how. Nonetheless, it’s just as important for the team to recognise what worked and why it did. Instituting a feedback loop that examines achievements not only helps us improve, it renews team commitment and motivation.
Individuals on high-performing teams are already passionate about what they do and motivated to increase their knowledge and skills. Nonetheless, if I can open up additional career development opportunities through training, certification, cross-functional work, leading big projects or representing the company at conferences etc. it’s a win-win situation for us both. In an industry like ours where the threat landscape shifts so quickly, with emerging regulation and increased scrutiny from all sides, it makes complete sense to equip the team for the challenge. Finding good people and retaining them is a perpetual challenge. By developing a reputation as a leader who invests in their people, it both promotes retention and attracts new talent to the team with fresh skills and ideas to bring to the mix.
Graham Thomson: To maintain a high performing team, ensure you have a documented strategy with goals and plans that are collaborated on and shared with the team. Set up regular team meetings and 1-2-1s. Have personal objectives and personal development plans that are tracked and linked to performance reviews. Create measurable KPIs for your outcomes and goals, that are shared and communicated with stakeholders – celebrate and showcase successes. Social events and team building events are important too, but you need to keep in mind that not everyone is a social animal.
How would you embed the right cyber workflows in your team?
Graham Thomson: Documented playbooks, operational documents and procedures are important to ensure resilience and consistency. Team exercises are key too, to ensure team members know what to do, and ensure they can access the right resources when needed in emergencies. Having a measurable and auditable control framework is also critical to ensure you know the status of key cyber workflows.
How do you develop the leadership skills within your team?
Graham Thomson: Spotting and nurturing leadership talent is super important. To do this it helps to have a defined leadership framework in your organisation, so you know what leadership really means to your business and what the good and poor behaviours are in order to focus on personal development. Develop good emotional intelligence with new leaders and empower them to get to know themselves much better, for example via Carl Jungian-style language and behaviour-based personality profile assessments. Sun Tzu said, “Know the enemy and know yourself; in a hundred battles you will never be in peril”.
Colette Hanley: I'm tremendously committed to professional development. However, not all members of your team will aspire to a leadership role and that shouldn’t be seen as problematic. It’s not the only way to progress a career. That said, most people can benefit from being able to draw on certain leadership competencies. This could include influencing without authority, motivating diverse stakeholders, resolving conflicting priorities across teams etc. Encouraging all individuals to develop and flex these leadership capabilities will allow them to increase personal impact in their role whatever their career goals.
KEY FINDINGS & RECOMMENDATIONS
Graham and Colette echo the themes explored in the first part of our analyses which discusses the social psychological and structural characteristics of successful teams. Taken together, Graham and Colette discuss the importance of clear and defined goals, communication and collaboration, the value in bringing different perspectives and expertise into the team, and the importance of creating a shared identity.
They also discuss the subsequent approaches to building successful teams, explicitly touching on the need to create psychological safety in order to allow individuals to be themselves and fully voice all of their opinions. They further highlight the importance of encouraging diversity, and moreover that ‘great minds do not think alike’; explicitly stating an example of a well-known organisation which is hiring neurodiverse talent to great effect.
N.B. For access to the full PDF version of the article containing references, please contact me or InfoSec People
Head of Practice- Security Consulting at InfoSec People Ltd | CAPSLOCK Mentor | CISMP Certified
3 years ago: Mark Higgs Peter Watson Gareth Williams Martin Pickford Interesting article from Cat here! What are your experiences when growing your teams?