Teamwork: a few thoughts on leading from the middle
Life Shrinks or Expands in Proportion to One's Courage

I'd like to start this post by thanking my teams.

The folks doing CloudSec, AppSec, SecOps. You know who you are.

The folks alongside me on team CISO, our engineering leadership, product leadership, and clinical leadership.

The folks doing privacy engineering, vendor management, and compliance.

The folks working the service desk helping our teammates and the systems engineers wrangling our legacy tech stacks.

You all make work worthwhile and the relationships with you help keep gas in my tank.

A few thoughts stand out in my experience of teamwork:

  1. Team Habits are Multipliers
  2. Vulnerability Unlocks Sustainability
  3. Networking Enables Collaboration

Team Habits are Multipliers

On the security teams at apree we've adopted some key team habits that we're still nurturing which have really helped us stay organized and connected to one another. They've also helped us stay focused on the trifecta of paying down tech debt/reducing toil, accomplishing priority roadmap projects, and being available to be present teammates for those who need to work with us and collaborate.

Some of our habits that are useful:

  • Documentation - standards on what to document, where to store, how to format.
  • Runbook all the things and tie runbooks into daily checklist templates which are used to help on-call folks remember and do all the things that are part of keeping the security lights on.
  • Sprint / Kanban and all the associated rituals. Also learning here that if your sprints are right-sized it makes the rituals a lot more meaningful (i.e. backlog grooming when a sprint is over capacity isn't nearly as helpful as when you actually have a little slack to take up some more work).
  • Team health monitors. We go through a process each quarter as a full team to check in on how we're doing as a team following this Atlassian process which has been very worthwhile in identifying where we need to adapt to improve the health of the team.
  • Team offsites. Really help us better understand each other and who we are as people. We typically tie these into training opportunities and try to include team member significant others for meals / activities.
  • Triaging processes and dedicated Slack channels for different types of needs. Having one or two security Slack channels works fine for people asking for general security help or to raise org awareness. For us, having specific Slack channels for different team collaborations and designated channels to watch incoming tickets to triage, merge requests to review, etc. has really helped our SLOs with various teams.
  • One on one agendas. I really like to follow Trip Longworth's One on One agenda which seeds conversation with those I'm meeting with on things like: what's most important to discuss, touching base on followups, identifying recent wins, naming worries, giving org updates, and having some weird manager questions tied in.

Vulnerability Unlocks Sustainability

I'm not quite sure how to say it so I'll just throw it out there. Be vulnerable and encourage your team members in being vulnerable by being receptive to their vulnerability. As security people we often don't feel like we understand or know things enough, feel incredibly whelmed at all the attack surface that needs addressing, and have a barrage of priorities. Being honest when we're in burnout mode with each other, not sure on a remediation plan, or where we're feeling org stress building up are all useful conversations. It's only by raising the issues and getting them out in direct sunlight that we're able to iterate and improve. It's sometimes frustrating because getting out of burnout mode and changing org culture take time and consistency. Something the health monitor process helps with is seeing what things keep coming up for us in the times we're being vulnerable so that we can be more intentional in addressing. We've seen real progress in our quarter over quarter health checks in some key areas (and also still have some that we're trying to bend the curve on). Worth saying all change on a team is a team sport and everyone has agency in making the changes desired happen.

Networking Enables Collaboration

One of my go-to publications for refilling the well of inspiration is this HBR article on how leaders create and use networks. It breaks apart three different types of networking which are very useful for all security teams to understand and use:

  1. Operational Networking - used for getting work done efficiently. Built through mostly internal relationships. Get to know who does what, what are their processes/preferences, care about them as a person. Know what they care about and what their goals are.
  2. Personal Networking - used to develop talent, grow careers. Also helpful in sourcing operational and strategic networking opportunities.
  3. Strategic Networking - used to understand big picture trends, understand how others are addressing the same challenges, getting insight into game changers. Conferences come into play here, security communities, etc.

Security is a team sport and what I've found is that these different types of networking really help collaboration occur both within and outside of where I work. The folks I collaborate with often become key resources for my personal growth and the growth of those I care about on my team or in the broader community.



Chris Browne

Vice President - American Association of Professional Baseball

1 yr

Love the name 'Quiz's Corner'!

Anthony Szabo, PMP

Passionate and people-centric risk and compliance program manager.

1 yr

Great article, Quiz! I always appreciated your thoughtful approach to collaboration and leadership when we worked together.
