Building Balanced Security Teams - Updated
As an industry we spend a lot of time talking about workforce development and skills shortages. However, we tend not to talk about how to organize the people we have for maximum effect. In addition to the need for automation we also need to consider team balance and the interplay of different skill sets. Looking at many organizations, I have found that such balance is at least as important as the talent of individuals.
Since I first wrote this (in 2020) I have seen the need for this balance play out at multiple levels and in many industries. Indeed, it is ever more vital as security teams pick up more and wider risk responsibilities. I also find that in adopting this lens you inevitably see the same need in other fields. When you witness high performing teams you see a pattern of organizational balance that you might call the "rule of thirds" (not the photography one) for organizing security teams.
There are three characteristic role types and, for balance, you need the overall team to have a roughly equal proportion of each.
1. Specialist
People whose main role is a technical, risk or other domain speciality. They are considered experts in their field and their primary role is to use this expertise to identify and resolve issues in specific products as well as design and build overall architecture.
2. Risk Advisor
People who bridge the technical and non-technical worlds including skills in translating technical risk in ways business leaders can understand. They are also adept at managing the interplay of various risks, liaising with customers, regulators, auditors, other stakeholders, and keeping the Board and executive management informed. They also drive the program and project management of large or otherwise complex remediation efforts.
3. Operational Expert
People who excel at running functions like a machine. They are experts on process, metrics, operational automation, incident learning / root cause analysis, and integrating functions into other business and technology processes to create ambient control.
I’ve seen plenty of organizations that aren’t performing at their best. Such situations can often be surprising given the talent of many of the individuals in those organizations. Usually the cause is one of a series of violations of the rule of thirds. For example:
An organization is dominated by technical specialists. They are great at finding a lot of specific issues but often fail to communicate them in ways that attract the right business line prioritization. They fail to address the true root cause of the meta-problem that keeps causing these specific issues. They may fail to track and resolve issues over time because, as specialists, they are off finding new issues. The end result is you build up a hefty pile of issues in the security ledger but few things are ever fundamentally fixed. In some environments a specialist heavy team can be immensely effective if they produce solutions / frameworks to address common issues but that success is predicated on an environment that can adopt that - which often has to be boot-strapped and sustained by a combination of risk advisors and operational roles in the first place.
An organization is dominated by risk advisors. There's a lot of great documentation and risk process charts. Various levels of the business and other management feel good about how the program is being run and on the surface many basic risks are being mitigated. But, many deep technical or other foundational issues remain to be discovered and resolved. Little is done at a technical level to bolster platforms across the organization to mitigate risk. The end result is a regular set of surprises in audits, regulatory exams or incidents when detailed inspection or other pressure reveals those issues.
A team is dominated by a combination of specialists and risk advisors. In other words, it has insufficient operational capability. This team can appear quite effective. It is finding and resolving issues by balancing technical work with the ability to explain the technical issues to business leaders. The team can articulate the need for funding, sponsorship and program management to resolve problems. However, it is all quite artisanal and highly dependent on the current team members to sustain the work. It is often characterized by frequent changes in approach and priorities. The end result is a constantly growing team / budget that is out of proportion with effectiveness - requiring constant investment just to stay standing still. This team never quite breaks out of the tactical to get to the strategic.
An overall balanced team is one where specialists, risk advisors and operational experts work together to deliver a finely tuned machine for risk identification / resolution, driving technical solutions and overall architecture design. They slip-stream work into business services and product design / operation. They run an industrial-scale operational core to make sure the work is constantly becoming more efficient and effective over time.
At some level we should expect every individual to have a combination of these three skill-sets, but not in perfect balance. A specialist should be solidly a specialist but also appreciate the need to partner with risk advisors and operational people to make themselves more effective. Similarly, risk advisors and operational people should be sufficiently technical (and technically curious) to understand issues and the overall landscape of risks even if they’re not a full domain expert.
At a specific sub-team level it’s not always important to be fully balanced as long as the overall organization is.
Bottom line: the best security teams show a great balance between technical and risk specialism, the ability to communicate and drive action supported by a solid operational core. It is a rare person that is strong at all three of these aspects and so as a leader you have to create this balance in your organization and, more importantly, create the team culture for these different role types to play well together to deliver to your goals.