
How to build a cybersecurity team to maximize business impact
How CISOs design and build their security teams is as important as the technology they select to safeguard their organizations' digital assets.
No two security teams are identical. Even organizations that look similar on paper vary in performance, thanks to differences in team skills, technologies and culture. An often-overlooked variable is team structure, but in fact, it plays a key role in how effectively a CISO's security team meets its objectives.
Let's examine how to assess an organization's needs and select the functional areas necessary to build a successful cybersecurity team that reflects business goals. We'll look at what those areas typically include and how to design and implement a structure with purpose and intent.
Why cybersecurity team structure matters
When it comes to protecting an organization's systems, data and applications, it takes a village. To properly implement and maintain a cybersecurity program -- and continually improve it -- a company's cybersecurity team structure must match its security and business needs.
Cybersecurity teams are responsible for identifying, protecting, detecting, responding to and recovering from security incidents, cyberthreats, vulnerabilities and risks. They must also create policies; maintain tools, technologies and processes; and educate employees through security awareness training and communications.
To handle these tasks optimally, CISOs must evaluate their team structure -- including its roles and responsibilities, as well as who works in what group and to whom they report. How this should look depends on the organization. What works for one company might not for another.
A successful team structure affects the following:
- Operational efficiency.
- Decision-making speed.
- Risk management capabilities.
- Incident response effectiveness.
- Compliance and governance.
It also extends to business impacts including culture, morale, customer and partner confidence, resource allocation and debt management.
How to establish a cybersecurity team's requirements
A CISO must, first and foremost, identify and prioritize the security program's top goals and objectives, and then consider how the team's structure can best support those ends.
To get started, use a Venn diagram to sort security initiatives, projects and responsibilities into the following categories:
- Important enough to require ongoing oversight.
- Complex enough to require ongoing and delegated responsibility.
- Continuous or temporary -- for example, an ongoing function versus a time-defined, one-off project.
In some cases, these will be self-evident. In others, not so much. Identify the team's less obvious responsibilities by analyzing organizational goals and considering associated security requirements.
If CISOs don't know what their organizational goals are, they should use goal-setting exercises. Formal approaches -- such as the COBIT 5 Goals Cascade, ITIL Service Strategy and Service Design, or the balanced scorecard system -- can help leaders find, itemize and map their organization's most important objectives.
Critical outcomes CISOs should account for include the following:
- Regulatory context, or what functions are regulatory-driven and thereby nonoptional.
- Existing organizational policies.
- Customer agreements.
- Stakeholder needs.
- Control frameworks that the organization uses internally, such as ISO/IEC 27001 (Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements) and ISO/IEC 27002 (Information security, cybersecurity and privacy protection -- Information security controls); NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations); etc.
List associated critical tasks, rank them accordingly and decide who should have oversight. These represent the core of the specific functional areas CISOs need to address in their team structure.
Other factors to consider include organizational maturity, program complexity, threat profile, team and personnel dynamics, individual employee circumstances and any unique organizational factors.
Components and roles of a successful cybersecurity team
After identifying the program's goals, determine the functional areas necessary to support those outcomes. The potential choices are nearly infinite. But some patterns occur commonly and can guide the development of the security team's reporting structure.
Note, these are not recommendations -- an organization's unique circumstances and needs should dictate its choices. Also, note that roles often appear in more than one team. As such, cross-functional collaboration among security professionals and teams -- as well as other business departments and units, such as IT, legal and risk management teams -- is crucial to managing risks and protecting enterprise environments.
Leadership
Leadership must know how to align security with business objectives, perform risk management, allocate resources and understand compliance requirements.
The key leadership role is the CISO, who oversees the security program and leads strategy. Leadership can also include security directors and managers who supervise operational teams, monitor progress, collect and analyze performance metrics, and validate stakeholder agreements on timelines and goals, among other tasks.
Operational teams
Key operational units include the SOC team, incident response team, threat intelligence and red team.
- SOC. The SOC team oversees threat monitoring, threat hunting, management of security operational tools such as SIEM and endpoint detection and response, as well as other day-to-day operations. Team roles include CISOs, SOC managers, security analysts and security engineers.
- Incident response. The incident response team manages investigations, incident containment and recovery from security events. It oversees, maintains and periodically tests the incident response plans and processes. Tasks might also include forensics, reporting and communications, and preparation of evidence -- for example, coordination with and preparation of materials for law enforcement. Team roles include incident responders, threat hunters, security analysts and forensics investigators.
- Threat intelligence. The threat intelligence team collects and analyzes information about cyberthreats to anticipate adversary tools, techniques and procedures. It coordinates with relevant stakeholders on detection rules, detection controls and incident response. Team roles include security analysts and threat hunters.
- Red team. The red team simulates adversarial activity to uncover and exploit weak areas. Team members include penetration testers, ethical hackers and security analysts.
Technical specializations
Technical teams in an organization can include the following:
- Network security. The network security team manages network infrastructure and architecture. Team members can include network security engineers, architects and analysts.
- Application and product security. This team works with application developers and DevSecOps teams to accomplish the following:
- Integrate security into the software development lifecycle.
- Conduct threat modeling of applications.
- Establish secure coding practices.
- Integrate security into continuous integration/continuous delivery pipelines.
- Participate in security testing of products and applications.
Team members include application security engineers and managers, product security engineers and managers, developers and DevSecOps professionals.
- Cloud security. The cloud security team manages cloud security infrastructure and cloud security deployments and protects cloud workloads. Team members include cloud security architects, engineers and analysts.
- Identity and access management. The IAM team controls access to resources such as systems, applications, infrastructure and data. It designs, manages and, in some cases, oversees authorization, authentication and privileged access. Team members include IAM admins, security engineers and security managers.
- Security architecture. The security architecture team designs security systems and infrastructure. It also sets and implements foundational controls and secure design patterns, conducts formal or informal security architectural planning and works with other technical teams to understand and address technical risk areas. Team members include security architects and security engineers.
Governance, risk, policy and compliance
The governance, risk and compliance team oversees governance structures and policies, manages risk registers, and ensures conformance and alignment with regulatory requirements and standards. Team members include compliance officers, risk experts, security auditors and other specialists. This team works closely with legal and IT teams.
The security awareness and training team educates employees about security responsibilities, policies, acceptable use and other constraints. It designs, implements and tracks the performance of security trainings, phishing simulations and culture building among teams.
Both teams liaise with HR and data privacy teams, including HR managers, compliance officers and legal, to ensure data privacy requirements are met.
How to make the team structure work
With goals identified and team roles outlined, it's time to put the organizational structure in place.
Get leadership on board; align cybersecurity with business objectives
Leadership buy-in is essential. Securing it requires a solid, defensible justification for the plan.
Assuming the CISO followed the above advice, the organization's overall business goals should heavily inform functional areas. This helps create a compelling, business-first narrative explaining the security team structure.
Translate security needs into a business context. Resist the urge to go into detail about regulatory frameworks, specific controls and other particular items. Be transparent about trade-offs -- for example, where security leadership combined functions or where they adjusted responsibility or ownership, due to resource constraints or other practical limitations.
Consider staffing and training
Think through reporting and staffing specifics. Ask the following:
- Is staff available who either fit into the structure immediately or can be repurposed to do so?
- Is new staff required?
- Are there situations that require matrix reporting or atypical reporting structures?
- Should specialists such as application security professionals be centralized or embedded with specific business unit teams?
- Can the organization upskill from within -- for example, by offering training for industry-specific certifications?
Also consider on-staff needs versus outsourcing to managed services. Depending on resource and staff limitations, companies might need to outsource some tasks or positions.
The cybersecurity team of the future
Keep two things in mind: No team is static, and people make mistakes.
Today's perfect team structure might not be optimal or even serviceable a year from now. CISOs must revisit their plans over time for the following:
- Look for adherence to shifting organizational goals. Goals change over time. Ensure the team adapts accordingly.
- Review the plan in light of technological changes. New technologies and advancements in existing technologies will affect the team structure. Consider automation, AI and quantum computing. These are changing not only how teams work, but also the threats they must address.
- Evaluate the organization's and team's performance. Measure the effectiveness of the team over time using key metrics and performance points. Update as necessary. Some changes will be obvious -- for example, to keep up with industry or compliance regulations.
There's no such thing as a future-proof team, but frequent reassessment and a willingness to adapt based on real-world performance are the next best thing.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.