Cybersecurity is a team sport and also a contact sport. Some people don't get it. When building a true national-level capability that aims to make an impact, and must make one (both locally and in the region), you must not forget that the cornerstone of this effort is getting the classical triad right: people - processes - technologies. And the first one is definitely the most difficult to get right…
With this in mind, I would like to share with you a 15-point checklist that served me very well while advising the EU, nation states, large organizations and transnational bodies in building their capable professional cyber teams.
- You must assemble a fine combination of proven (yes, proven) hardcore technical, management and communication skills. In the true cyber world, there is little or no space for amateurs, wannabes, digital illiterates, or paper pushers.
- Massively hire and invest in juniors, and give them the credit and support they deserve. Nowadays, cybersecurity is the domain of the young and bright, not of the old and slow.
- Stop thinking cybersecurity means only your own office, laptop, desk or team. It is a borderless and international domain and always more than meets the eye…
- Ask your team members to honestly answer the question "What machines or tools do you turn on in the morning, when you start your daily routine?" If they answer "the coffee machine", then you may want to re-assess whether you have the right people in the team. Remember, true professionals should answer: "LINUX, MISP, Mattermost, VirusTotal, GitHub, Slack, KNIME, Cuckoo Sandbox, and so on..."
- Get rid of incompetents and fire them on the spot if you can. If you cannot (usually this is the case in state bureaucracies), then simply isolate and ignore them. It makes no sense for you to try curing chronic cases of total lack of knowledge or skills, or of enhanced laziness perfected over years of doing nothing.
- Lead from the front, speak out your professional vision and opinions on cyber, and do not mind the inherent resistance to anything new coming from pseudo-experts. You will note that incompetents have nothing meaningful to say.
- Constantly remind yourself and your team that you want to build a true cyber organization and not, e.g., a spa, charity, travel agency, copy center or fast-food outlet.
- Set for your team members the target of achieving one professional cybersecurity certification per year.
- When you hire, publish the job descriptions, and write them as specific and as detailed as possible. This has a tremendously positive impact on attracting real talent and will scare the hell out of free riders.
- Stick to accepted professional standards and frameworks and get your team to use and follow them (NIST CSF, ISO, ENISA, CSA, COBIT, OWASP, SCF, HITRUST, ISAE 3402, etc.).
- Be modest, openly communicate intent, have no hidden agendas, and do not tolerate bullies in your organization. Bullying is against the professional cyber culture.
- Keep the internal meetings brief and to the point. They must always have an agenda, be operational and lead to actions and decisions. There is no place for chit-chat, gossiping or intellectual masturbation meetings in a true cyber organization.
- In victory, lead from the back. In crisis, lead from the front. Be a true player-coach and stay hands-on with your cyber team and their work.
- Show people their work matters and earn their trust by giving it.
- Do not give up…
Now, I want to further illustrate the concept of capable professional cyber teams by showing two pictures taken in Bucharest on April 12th, during the National Cybersecurity Cluster international meeting "Partnership Development for Southeastern Europe Cyber Resilience", held by the National Cybersecurity Coordination Center (NCSCC) of Ukraine together with CRDF Global, with the support of the U.S. Department of State and the Directoratul Național de Securitate Cibernetică.
The first picture shows DNSC team members who started working together only a couple of months ago. However, you can already see one of the most committed and professional crews I have had the chance to work with in my 25-year career. I am proud of every single one of them.
The next picture shows an equally competent and battle-hardened team of Ukrainian cyber experts who met us in Bucharest the same day. The knowledge and skills they have gained and mastered are now a tool for collective defense in cyberspace, at the global level.
I believe that successfully developing and bringing together national-level cyber teams is a necessary step for joint capacity building, for resilience, and for deepening European integration (with Ukraine included). It is the next level I am aiming at for the Directorate, and it is what I will keep fighting for.
#Romania #Ukraine #Bucharest #cybersecurity #cyber #infosec #infosecurity #resilience #team #security #partnership #crisismanagement #DNSC #NCSCC
Cyber Security Consultant | Apps/Infra Penetration Tester
10 months
Outstanding read, sir.
Validation Engineer at GM
10 months
Great points on efficient team building and giving credit when deserved!
Well said.