By Ross Moore
We know plenty of people who have talked about how beautiful their new house is, with all the amenities and rooms and flooring, but how many have heard, “I love the house because it has such a solid foundation”? Foundations are covered up by everything else, would be unsightly if in view, and, yet, are the very substance that allows for a safe building. In this article, we’ll review the foundations of developing a first-class cybersecurity team.
We’ll review the word “team” first because that’s what we’re building. It’s all about People. We’ve all seen the triad of People, Processes, and Technology. Team skills and abilities can be supplemented by Processes and Technology, but those can’t supplant People.
Get to know the team by just getting together and talking. There must be some kind of proper ratio between talking, working on projects, and developing the product, but getting to know each other – even just on a working relationship level – is a cornerstone of team development. Share information freely, even if it doesn’t necessarily relate directly to work – make it more than just about threat intel or talking shop.
Because building a team is all about focusing on people, a mentor is needed. If the team has a seasoned professional, that person could fit the bill. On the other end of the spectrum, if the whole company, including leadership, is new (a common occurrence), then an external trusted advisor is an appropriate role to seek out.
Also, working together to solve issues makes work more fulfilling. When each team member accomplishes, or is encouraged to accomplish, appropriate goals, and as each person is included in various projects, the team grows together.
What is “cybersecurity”? Today’s “cybersecurity” is what used to be called “information assurance.” There are some somewhat recent and growing aspects of cybersecurity, such as Cloud Security and working in a Security Operations Center. But there are numerous domains that have always been a part of Information Assurance, Information Security, and IT Operations, such as data classification, access control, capacity planning, patch management, and vulnerability management.
In his 2015 book, “Cybersecurity Leadership,” Dr. Mansur Hasib (who references the conflation of the terms cybersecurity and information assurance) defines cybersecurity as, “…the mission-focused and risk optimized management of information which maximizes confidentiality, integrity, and availability using a balanced mix of people, policy and technology while perennially improving over time.”
Dr. Hasib then gives more background: “The meaning of the words cybersecurity and information assurance are coalescing into one comprehensive modern meaning.” At this time, the terms have all but completed their association. Understanding what Information Security, Information Assurance, and Cybersecurity roles a company needs is necessary for training employees, and defining those roles is incumbent on corporate security leaders.
Even team roles that aren’t typically considered “cybersecurity,” such as risk management and compliance, have technical potential, because technology can be leveraged in those roles as well. A couple of examples are programming (e.g., a Python script to push findings to Jira) and mobile app reverse engineering (e.g., ensuring key secrets aren’t leaked).
First-Class Cybersecurity Players
Unicorns. Rock Stars. These and other glamorous terms are used to describe the type of employees many companies are either looking for or what’s lauded in their corporate posts. It’s fine to praise these people and to look for them, but that makes the search much harder and can show unnoticed employees that their contributions are not worthy of public mention.
It doesn’t take a rock star to review permissions or configure a firewall, nor is a unicorn necessary to fill out RFPs, fill in and assign tickets, and update a server. Many positions only need someone willing and able to perform the work. Remember the foundation. Many employees, while not rock stars, are the reason the department and the company remain stable.
Upskilling current IT and Security staff may provide a much quicker route to skills training than considering hiring new talent. Hiring new talent without assessing and potentially training current talent is also a recipe for current talent to feel pushed to leave.
Coherence and Cohesion
Coherence (intradepartmental) and Cohesion (interdepartmental) are factors in creating training pathways. An ad hoc approach to training can easily build feel-good skills that are rarely used or are even detrimental to company progress. If a company is entirely a Microsoft shop, there may be little to no business value in learning Linux (and vice versa), though this doesn’t discount a certification path. Training must make sense within the department (coherence) and fit with the rest of the business (cohesion).
Look for the right soft skills and train the technical ones. Soft skills include problem-solving, analytical and critical thinking, the ability to work independently and in a team, and creativity.
One training option for increasing cohesion is creating a corporate university. It’s a daunting task, but getting multiple departments on board increases the chances of success because the idea gets more buy-in and promotion.
Being able to promote what training will be provided will help with recruiting, interviewing, and hiring. Delivering on the promise of training will help with employee retention, making everyone happier, and creating a solid, functional team.
Resource pain points
Budget is a chief influence in selection. All training takes resources, which cover more than the financial budget and include time, effort, and increased tech specs. A department may not have much corporate financial support, so finding inexpensive or free avenues takes some deliberation.
Here are some training options that are easy on the finances and give technical training and experience:
- Hack The Box
- Portswigger’s Web Academy
- OWASP – Juice Shop
Today’s cybersecurity team must have the training, and the training needs to have business relevance, provide career advancement, and instill hope.
There’s no universal and comprehensive training program. The head of security (whatever the actual title) needs to determine the various skills needed for the whole team and for each individual. The requirements for a security consulting company differ from those of a pen-testing company, which differ from those of a professional working with developers, which differ again from those of a practitioner in the healthcare industry, and so on.
Build Development Pathways in Cybersecurity
Whether called pathways, roadmap, or career development, a relevant training path should be presented to each team member. Upon hire, have a basic training path ready to roll out, have a 30-60-90 day plan, and follow up on them. There’s almost nothing so demoralizing as being given some goals, attaining them, and then receiving no feedback from one’s manager.
Factors and Final words
Two factors stand out as one develops training plans: each solution should be based on 1) business needs and 2) handling risk. What risks are faced by the business? It’s oddly humbling to think that a nation-state would want to target us, but a more likely risk to materialize is that an employee has excess permissions and can steal ePHI. Or perhaps a former employee still has Production access and could delete resources. Focusing on business-relevant risks and goals will help develop a much better development pathway.
Critical and analytical thinking is a skill also required of leaders. Knowing the mission and vision of the business, and knowing the risks of the business, will produce a better alignment of the roles and skills necessary to protect and advance.