Cyber Challenge 5: Team Creation - Build The Team You Need - Be The Change That You Seek
In today’s fast-paced digital world, security isn’t just a priority; it’s a necessity. But to protect your organisation effectively, you’ll need more than just the latest tools and technologies. You’ll need a strong, adaptable, and resilient team (#PeopleCentredCyber) with a broad remit which extends well into Privacy, Risk (#PeopleCentredRiskManagement) and secure adoption of the latest technologies such as AI. Building such a team from scratch can be daunting, but with the right approach, it’s entirely achievable. Let's explore how to assemble a security team that can not only meet the challenges of today but also adapt to the uncertainties of tomorrow. And, as with many things in leadership, it all starts with being the change you want to see in your organisation.
Start with a Clear Vision
At the outset it’s essential to start with a clear vision. What do you want your Security team to achieve? Your team’s goals should align with your organisation’s broader mission. Security does not work as a siloed function; it should be integrated into every part of the business and in return the business mission should infuse everything the team does. Whether your priority is protecting sensitive data, ensuring compliance, or defending against cyber threats, these goals should be well defined and communicated across the team along with the business mission.
A well-crafted business aligned vision not only guides your team’s efforts but also ensures that the importance of Security is recognised at the highest levels of the organisation. This alignment with business strategy is crucial for securing executive support and ensuring that the Security function is given the resources and attention it needs. It informs the reason why behind Security activities and helps senior leaders feel confident that security is there to enable NOT prevent business.
Understanding the Key Functions
Security is a broad field, encompassing a wide range of functions. Imagine a periodic table of Security functions; you might have as many as 13 distinct areas to consider, each representing a critical aspect of security such as:
- Security Governance and Oversight
- Secure Architecture and Engineering
- Secure Manufacturing
- Secure Platforms
- Secure Code
- Secure Customers
- Secure Identity
- Secure Data
- Security Function Oversight
- Secure Devices
- Security Communities of Practice
- Security Supporting Business Delivery
- Trustworthy AI Management
Understanding these functions is key to knowing the skills and expertise your team will need. You may focus on one or all of these areas. This foundational knowledge will guide your recruitment, training, and development strategies. A core truth is that some of these areas have skills that easily translate to the others and some are more insular.
Attracting the Right Talent
Regardless of whether or not it is an employers’ market or a candidates’ market top skilled security personnel will be highly valued and hard to attract. And, remember: Candidates join companies for part of their career journeys and will remain onboard for only as long as the organisation’s objectives continue to align with theirs (Those that know me will recognise one of my stock phrases here). So regardless of what type of job market we are in, the journey starts with communicating your organisation’s mission as part of attracting the right talent. But how do you stand out in a competitive job market?
First, you need to differentiate yourself as an employer. So, what makes your organisation unique? Perhaps it’s your commitment to professional growth, a strong organisational culture, or a focus on cutting-edge technologies. Whatever it is, make sure potential candidates know about it.
Cultural fit is just as important as technical skills. When hiring, look for candidates who not only have the necessary expertise but also align with your organisation’s values. A team member who fits well with your culture is more likely to be engaged and motivated, which is essential for long-term success.
Diversity is another crucial factor, bringing a wider range of perspectives benefits Security. Many of my teams over the years have contained neuro-non-typical individuals which have led to a better spread of viewpoints leading to a more comprehensive understanding of threats and more innovative solutions. Additionally, offering mentoring can help your team have the confidence to try new things with the top cover of a mentor.
Mentors can also help with personal branding efforts that can lead to nurtured individuals then recommending friends and people they think are great cultural fits. A culture of mentoring can make your organisation more attractive to top talent. Encourage your team members to develop their skills and share their expertise internally, and externally through social media / industry events to improve their recognition (retention) but mainly to improve the attractiveness of the organisation.
Engaging in sector outreach and supporting social causes, such as digital inclusion and helping those in cyber poverty, can also enhance your organisation’s reputation and attract passionate, driven individuals who want to make a difference.
Onboarding with Purpose
Onboarding is more than just a formality; it’s your opportunity to set the tone for a cohesive and versatile team. A well-structured rotational training programme, where new recruits spend time in each of the key Security functions, can be incredibly beneficial. This approach helps build inter-team rapport, identifies individual strengths and aptitudes, and ensures that each team member finds the best fit within the organisation. This approach is not unique, in fact this is a core approach used in His Majesty’s forces ( Phillip (PJ) Matthews first introduced me to this approach at Dyson)
Rotational training also has practical benefits. It ensures that your team has the flexibility to cover for one another during holidays or emergencies, and it fosters a collaborative environment where team members can ‘swarm’ problems, bringing their a combination of sheer number as well as diverse expertise to bear on complex issues (Swarming can make organisations able to recover quickly).
Developing and Retaining Your Team
Once you have assembled your team, [I am hearing the Avengers Assemble theme tune in my head as I write] the next step is to ensure their continuous development and retention. Security, like modern technology, is an ever-evolving field, and your team must be committed to justified and planned for ongoing learning. Justified and planned for ongoing learning should have its roots in your business mission and your technology roadmap as well as the long-term cyber threat intelligence for your sector.
Regular training sessions, cross-training, and support for certifications and further education are all vital. These initiatives not only enhance your team’s skills but also show your commitment to their professional growth. Richard Branson said “Train people well enough so they can leave, treat them well enough so they don't want to.†(https://x.com/richardbranson/status/449220072176107520?lang=en)
Fostering a strong team culture is equally important. Create an environment where collaboration is encouraged, and team members feel comfortable sharing knowledge, seeking help and most importantly, willing to admit to mistakes without repercussions. Psychological safety, recognition and rewards for contributions, whether through formal awards or simple acknowledgments, go a long way in maintaining morale and motivation.
Maintaining a healthy work-life balance, another aspect of psychological safety, ?is crucial, especially in a high-stress field like cybersecurity. Providing resources for mental health and wellness, and promoting flexible working arrangements, can help keep your team engaged and productive but nothing can better knowing your leader has your back. Such a leader is Dan TINSLEY who has led some of the hardest working cyber defence teams I have met in the world.
Leadership and Governance
Clear roles and responsibilities are the bedrock of effective governance. Each team member should understand their role within the broader mission of the Security team. You should define specific responsibilities, and establish accountability at the delivery layer. This clarity helps prevent overlaps and gaps in coverage.
Leadership in Security requires more than just technical expertise. Leaders should be able to articulate a clear vision and inspire their team to achieve it. Effective communication is key, both within the team and with the broader organisation. Leaders should also empower their team members, giving them the autonomy to make decisions and take ownership of their work to deliver their “accountable outcomesâ€. This empowerment fosters innovation and builds a more resilient team.
Other key components of leadership are honesty and candour. I have worked for ‘bosses’ whose honesty and motivation were all too easy to call into question and whose feedback lacked the candour needed to be authentic. I know my teams prefer to know that what I am saying is true and that the feedback I’m given is candid (even if it isn’t palatable). Where leaders are authentic, teams feel safer in my view.
Fostering Innovation and Proactivity
In the constantly shifting landscape of cybersecurity, a reactive approach is no longer sufficient. Teams and individuals should be proactive, anticipating and mitigating risks before they become significant issues, taking their lead from continuous monitoring, threat intelligence, and regular risk assessments.
Encouraging innovation within your team is also crucial. Create an environment where creativity is welcomed, and team members feel safe to experiment with new tools [another aspect of psychological safety], techniques, and strategies. Providing access to lab environments for testing and piloting new approaches on a small scale can lead to breakthroughs that improve your overall security posture.
Building Strong External Relationships
Security doesn’t happen in isolation. Building strong external relationships, both within your industry and with government agencies, vendors, and the broader community, is critical for success. Industry partnerships allow for the sharing of information and best practices, while government collaboration ensures compliance and access to critical threat intelligence. This activity directly feeds your teams and should ideally be led by them thereby increasing their external profile / internal kudos.
Supporting initiatives that address cyber poverty and digital inclusion not only helps protect the broader community but also enhances your organisation’s reputation. By contributing to the broader Security ecosystem, team members can make a meaningful impact while also building goodwill and attracting like-minded talent to your organisation.
Planning for the Future
Sustaining a successful Security team requires careful planning for the future. Succession planning is a key aspect of this. Expect and plan for staff turn over, identifying and supporting future leaders within your team will ensure continuity and stability as the team evolves. Mentoring programmes and knowledge management practices will preserve institutional knowledge and develop the next generation of Security professionals.
Building and maintaining a knowledge repository is also crucial. Centralised documentation of processes, procedures, and best practices provides a single source of truth for your team. Regular updates ensure that the repository remains relevant as the threat landscape changes.
Cultivating Your Organisation’s Security-First Culture
For your Security team to be truly effective, the entire organisation must embrace a security-first culture. Regular security awareness training, phishing simulations, and the identification of security champions within each department can help embed Security into the fabric of your organisation. There are likely to be people who enjoy presenting to crowds and working with teams to get Security messages across and this is a great outlet for those who are interested.
Extending the reach of non-Security people that are delivering security aspects in their own work can be achieved through Communities of Practice facilitated by members of your own teams which increases their profile (great for retention) in the business as well as forwarding the Security as a business partner agenda (good for everyone).
The Importance of Communication and Transparency
I am reminded of the recent passing of a figurative “Giant Among Menâ€, Bruce Brain. I reported into him as the CEO of SunGard Public Sector and I am happy to say “had my back†on a few occasions. He was the most open, honest, candid, and authentic man I have ever met. So much so that when I got feedback (even negative feedback) I always felt valued and so I will continue to this day to pay authentic candour forward to this day. One thing he did really well was keep in touch by walking the floor and would often visit a site unannounced and call everyone together to given an impromptu update or celebrate someone’s success. He would also communicate bad news in person and explain why a choice was made.
Supporting your team’s career development is another crucial factor in retention. Understanding that people join you on their career journey and remain with the organisation only for as long as its aspirations align with theirs is crucial. By understanding individual aspirations and experiences being sought can help you place people into upcoming work that might ultimately mean they leave you sooner. Counter-intuitively this can result in greater alignment, more commitment, and improved retention (at least until they land that “dream job†offer!)
Balancing Workloads and Managing Stress
A culture that values work-life balance leads to higher job satisfaction and retention. Cyber incident responses can span days, weeks, or even months. During high-priority issues, staff may even need to work through the night. By rotating new hires through all departments, you increase the number of people available to take over tasks, reducing the pressure on any single individual.
Some Security activities are well-suited to hybrid working, making it easier to manage out-of-hours workloads, even for extended periods.
When managing workloads, prioritise activities that support the business mission first. Don’t hesitate to seek help from outside the security team if needed. Sometimes, due to business mission pressures, it won’t be possible to provide a balanced mix of work tasks. In such cases, making open and explainable decisions is key.
Looking Ahead
The Security landscape is constantly evolving. You should foster a culture of continuous improvement. Your teams should be prepared to embrace change, agility and adaptability. Staying ahead of emerging trends and technologies ensures that your team is always prepared for the future. This is where your business can help. By having a clear technology road map and delivery road map you can then help prepare your teams to deliver the next wave of change in your organisation.
Ultimately, building a successful Security leader is all about honest candour, clear communication, and accountability. As a leader, key to building out a successful Security team is all about being the change you want to see. By creating a team that is diverse, inclusive, and committed to continuous learning and improvement, you set the standard for excellence in cybersecurity. Lead by example, encourage innovation, and build a legacy that will continue to protect your organisation long into the future.
Conclusion
By adhering to the principles we’ve discussed: starting with a clear vision, attracting and developing the right talent, fostering a strong team culture, and planning for the future, you can build a team that is not only technically proficient but also resilient, adaptive, and capable of leading your organisation through future challenges.
Be The Change You Seek!