notes on 5 secrets to building a great security team

Via the Infosecnews mailing list, I’ve read a CSOOnline article on “5 secrets to building a great security team”. Sounds fun, despite being geared around more of a C-level managerial perspective in a larger organization where “security” encompasses brand protection, organizational risk, and other things beyond just digital security.

1. Rethink everything. – Pretty much a safe, vague item, but a good one. There are no right answers, and it really helps to sometimes sit back, figure out what is working and what isn’t working (not what’s broken, but just what isn’t awesome), and try something new.

2. Formalize underserved functions. – This item focuses entirely on disaster recovery / business continuity sorts of efforts. While not necessarily part of “security” in a traditional sense, it does deal with organizational risk, operational resiliency, and personal safety; things that “security” often has in its vision statements as well. I don’t mean to downplay these efforts, they’re just a different slice of the security pie than what typically gets my juices flowing.

3. Demand proven business skills. – Essentially, this talks about the value of an MBA and, more importantly, being able to understand and talk with the business, and its leaders, in their language. It’s hard to disagree with this as being a useful skill when you’re not 100% in the trenches every day.

4. Create a communications czar for security. – This sounds interesting, and I’m not sure I’ve heard of something like this before, but it certainly makes sense. I got the impression part of this role was to ease the changing (i.e. HR issues with sweeping changes) of how security works at Caterpillar, but the details really show someone who acts as internal PR for security, and probably as trainer and support. Security can definitely use some people people.

5. Nurture dissent. – You know, I could leave this entire article and forget about it in minutes if not for this bullet point. Security (privacy, risk…) is a constantly debatable topic entirely because of its nature; always being at odds with evolving threats, but also its balancing act of security vs usability/convenience. Keeping this as an important, specific item allows a leader to always be able to elicit the most knowledge from his team members, rather than all of them just nodding and agreeing to whatever and letting the leader walk off their own cliff edge. It also really helps support the first item.