With the rapid digitalization of business, the importance of cyber security has increased dramatically for companies of all sizes and in all sectors. Its complexity and specific requirements demand organizations to build security teams for internal use or get it as a service by Managed Security Services Providers (MSSP).
Content:
A good cyber security team is not just a group of people but a complex mix of technology, processes and a range of people with different expertise. The human factor is paramount in the return on investment of cyber security, because cyber security is about people, not technology. Even the best technology will not work efficiently if it is not set up properly by an expert who knows what they are doing.
You might think that a starting point for building a cyber security team would be to hire a technical system administrator to oversee security systems or a cyber security generalist who understands cyber security compliance and governance. However, the better approach is to define a cyber security strategy based on your corporate needs and objectives before you hire the team that can execute this strategy.
The planning can be done internally or with the support of external consultants but always keep in mind: The strategy should always come before the first hire takes place.
Do a self-assessment to determine your business goals related to technology, digital assets, known technology, and so forth.
Start with your immediate needs, but keep in mind what your organization might plan in the future to make sure that your cyber security strategy doesn't just fit the present but also the future.
Define a robust cyber security strategy with the required roles, responsibilities, expertise and service levels you expect from your cyber security team. This includes defining:
Ensuring all of the above enables you to set up a better organizational structure and technical infrastructure that can scale as your business grows. It also creates a more cost-efficient and functional team that can evolve over time.
With demand for cyber security experts at an all-time high, your first steps are crucial:
There are multiple ways to find people with the right skillsets, but external recruitment isn’t always the best option for all positions. It is better to first evaluate your existing staff. With additional training, you’ll probably be able to raise your own employees up which strengthens their loyalty and creates cyber security experts who already know your company inside and out.
Additionally, there are always options to hire external managed services to help you scale your operations or add extra resources for special projects. Be sure to evaluate what team strategy and combination works best for your company.
Read in our use case, how we supported a manufacturing company with managed services to ensure that their processes were up to data regarding all legal requirements.
Do you need generalists or specialists or both? It’s usually recommended to start pragmatically with a generalist and then build up special expertise. Building from the bottom up will help you find the right mix of generalists and specialists for the company. They will not only complement each other’s work, but also bring different perspectives and thus a broader scope of solutions to the team.
Another crucial factor for recruiting qualified professionals is the job description. A well-defined job description can help you identify the right set of competencies needed for the specific roles. Especially when these roles require cross-disciplinary knowledge, such as business or industry-specific.
Make sure to define "must haves" and "nice to haves" and workshop the description together with your cyber security team. Both the team lead and the colleagues should be able to take a look at the job description and give input. That way, you make sure that operative tasks, soft skills, and know-how doesn't go unnoticed.
Make sure to be transparent with your job description. It's of no use to write only about the "fun" sides of the job to get more applicants. You want applicants who find enjoyment in the entire work scope.
If you want a team that’s going to innovate, you don’t want people who all share the same background and mindset. Cyber security roles are very diverse and you ideally want to cover as much expertise and experience as possible. Best case scenario, you have team members who can take on multiple roles.
Don’t put too much weight on credentials because practice and experience often prove more relevant than what is on paper. Make sure to prioritize and test the applicant’s technical know-how, analytical skills and understanding of architecture first as you need problem-solvers who keep their composure in crisis.
Don't underestimate soft skills and team fit. Hard skills can be taught but it's much more difficult to teach someone how to communicate, show patience and respect and act as a backbone of your team and organization.
Motivation is very personal and subjective. What motivates one person can be irrelevant for another. How leaders inspire their teams isn’t a one-size-fits-all approach, so motivating cyber security professionals can be challenging in many ways.
Your personal judgement and getting to know the needs of individual team members will give you an indication of their priorities and what gives them purpose. Maybe they want to show creativity, or they want to develop their skills and career, or they enjoy variety in different challenging projects.
Seek their feedback actively and on a regular basis to stay in touch and keep them motivated.
Building trust with your team members is another continuous task, that is fundamental if you want to have a strong and collaborative team. Your people will always seek your support and if you respond to their problems adequately and communicate openly and transparently, their trust will also make sure that you can rely on them in turn.
Also, don’t forget that you are their "voice" regarding any topics that are discussed at higher management levels. Make sure to represent their needs and ideas.
Security is not a discipline for lone rangers with single missions. It is rather like the work of firefighters. Between fires, firefighters train for emergencies, spread the word on prevention and acquire additional knowledge. When the emergency comes, they must operate on little more than their instincts and make sure they work together seamlessly. There's no time to look things up or make sure it's being done right. When the situation is under control, they return to the firehouse and start the cycle again.
Security experts are a lot like firefighters, except for the nice uniforms and pole sliding. They go through intensive training that prepares them for an emergency.
This also means that having a critical mass of security experts ensures that the team can share knowledge, make up for gaps in skills, and allow for specialization. In a network security organization of one single person, this is impossible. One person cannot do it all on their own, especially not if they are on vacation, on sick leave or otherwise not capable to fulfil the tasks of an entire firefighting squad.
The strongest security teams are also comprised of people with different skill-sets that complement each other. Diversity in personalities, backgrounds and experience can open up new avenues in problem solving and create better, faster, and more innovative solutions even under pressure.
DIGITALL has a strong team of Cyber Security experts to provide managed services, implement solutions and optimize your security measures for a 360° security strategy. Take a look at our portfolio: