Building Balanced Security Teams: The Rule of Thirds
As an industry we spend a lot of time talking about workforce development and skills shortages. We tend not to talk about how to organize the people we have for maximum effect. In addition to the need for automation we also need to consider team balance - the interplay of different skill sets. Looking at many organizations, I have found that such balance is at least as important as the talent of individuals.
I'd argue there is a necessary "rule of thirds" (not the photography one) for organizing security teams. There are three characteristic role types and, for balance, you need the overall team to have a roughly equal proportion of each.
Specialist: people whose main role is a technical, risk or other domain speciality. They are considered experts in their field and their primary role is to use this expertise to identify and resolve issues in specific products as well as design and build overall architecture.
Risk Advisor: people who bridge the technical and non-technical worlds including skills in translating technical risk in ways business leaders can understand. They are also adept at managing the interplay of various risks, liaising with customers, regulators, auditors, other stakeholders, and keeping the Board and executive management informed. They also drive the program and project management of large or otherwise complex remediation efforts.
Operational: people who excel at running functions like a machine. They are experts on process, metrics, operational automation, incident learning / root cause analysis, and integrating functions into other business and technology processes to create ambient control.
I’ve seen plenty of organizations that aren’t performing at their best. Such situations can often be surprising given the talent of many of the individuals in those organizations. Usually the cause is of one of a series of violations of the rule of thirds. For example:
An organization is dominated by technical specialists. They are great at finding a lot of specific issues but often fail to communicate them in ways that attract the right business line prioritization. They fail to address the true root cause of the meta-problem that keeps causing these specific issues. They may fail to track and resolve issues over time because, as specialists, they are off finding new issues. The end result is you build up a hefty pile of issues in the security ledger but nothing ever is fundamentally fixed.
An organization is dominated by risk advisors. There’s lot of great documentation and risk process charts. Various levels of the business and other management feel good about how the program is being run and on the surface many basic risks are being mitigated. But, many deep technical or other foundational issues remain to be discovered and resolved. Little is done at a technical level to bolster platforms across the organization to mitigate risk. The end result is a regular set of surprises in audits, regulatory exams or incidents when detailed inspection or pressure reveal those issues.
A team is dominated by a combination of specialists and risk advisors - in other words, has insufficient operational capability. This team can appear quite effective. It is finding and resolving issues by balancing technical work with the ability to explain the technical issues to business leaders. The team can articulate the need for funding, sponsorship and program management to resolve problems. However, it is all quite artisanal and highly dependent on the current team members to sustain the work. It is often characterized by frequent changes in approach and priorities. The end result is a constantly growing team / budget that is out of proportion with effectiveness - requiring constant investment just to stay standing still. This team never quite breaks out of the tactical to get to the strategic.
A balanced team overall is one where specialists, risk advisors and operational experts work together to deliver a finely tuned machine for risk identification / resolution, driving technical solutions and overall architecture design. They slip-stream work into business services and product design / operation. They run an industrial-scale operational core to make sure the work is constantly becoming more efficient and effective over time.
At some level we should expect every individual to have a combination of these three skill-sets, but not in perfect balance. A specialist should be solidly a specialist but also appreciate the need to partner with risk advisors and operational people to make themselves more effective. Similarly, risk advisors and operational people should be sufficiently technical (and technically curious) to understand issues and the overall landscape of risks.
At a specific sub-team level it’s not always important to be fully balanced as long as the overall organization overall is.
Bottom line: the best security teams show a great balance between technical and risk specialism, the ability to communicate and drive action supported by a solid operational core. It is a rare person that is strong at all three of these aspects and so as a leader you have to create this balance in your organization and, more importantly, create the team culture for these different role types to play well together to deliver to your goals.