Faced with breaches, data leaks, ransomware, denial of service, and many other modern cyber threats, companies today invest more in cybersecurity than ever. Rather than simply throwing money at the security team and hoping for good results, it is worth deliberately building and managing a security team so that it delivers more than a line in the annual operating budget. Security only has an impact if it is planned smartly. That is a challenge because security earns 'invisible' money: the funds you don't lose. Nobody knows how much a ransomware attack would have cost you, and with a good security posture you will never find out. That makes the return on investment hard to gauge, and it makes it hard to measure what the security team contributes to the enterprise's overall security posture.
So start by gaining visibility into your security posture, then use this step-by-step guide to build an effective security team and to quantify how it affects the enterprise's overall posture.
Before you even begin to hire, decide what roles you are hiring for. Here is a list of typical security team roles and what they do:
Security Engineer - Someone specialized in the security aspect of an otherwise conventional engineering profession, e.g. a software engineer or DevOps professional who specializes in security
Pentester - An ethical hacker who uses the tactics of cybercriminals to find vulnerabilities in your networks and applications before the bad guys do
SOC Analyst - A security professional who reviews logs and network activity, staying vigilant for anything possibly malicious
Forensic Analyst - A specialist, often skilled in reverse engineering, who can work out how attackers got in, recover data, and find things that were meant to stay hidden
Of course, there are many other specializations, especially at the enterprise level, but these are nearly universal roles you would expect to see in an enterprise security setting. If you are missing any of them, meet with a manager from the security team to find out why. The odds are they are already aware of the gap and will be glad you care about it.
Hiring security pros works much like any other engineering hire, with two significant caveats: word of mouth matters far more, and the monthly hiring threads on Hacker News are full of hidden gems waiting to join your team. So if you are having trouble finding the right people, ask your current security team whether they know anyone suitable who is open to a move. If that doesn't work, post in the monthly Hacker News hiring thread.
Interviewing security pros is straightforward: make it hands-on. Show them a realistic (but not sensitive) log or piece of code and ask them to explain what it means or to find the vulnerabilities in it, depending on the role. If you draw on real artifacts, scrub hostnames, credentials, and customer data first. Have members of your security team sit in on these interviews; they will help you judge the quality of a candidate's answers. The key is that the interview rests on practical, realistic exercises, not just theory.
The first step is a trial by fire: let the security team run a full penetration test of the company. Agree the scope, the rules of engagement, and written authorization up front, so that nobody is surprised and nothing production-critical is taken down by accident. Beyond finding issues to work on, and thereby improving your security posture, this is the best way to introduce the team to every part of the company. You don't want dark spots in your threat model, and a pentest is the perfect way to bring the dark spots you currently have to light. And given how much security professionals enjoy offensive work such as pentests and so-called 'red team' operations, the suggestion will probably be well received.
After the pentest, organize regular meetings between your security team (not just its manager!) and key team leaders across the company, so the security team can ask questions and probe possible weak points. This also helps the team work out what it will and will not need access to. Adhere to the principle of least privilege: nobody, the security team included, gets direct access to anything unless they need it, and any access granted for the pentest is revoked once the engagement ends.
What is effectiveness in a security team, and how can you as a leader measure it? Given the nature of security work, the best yardstick we have is conformance with industry best practices. Are they running regular internal pentests, a public bug bounty program, code reviews, a Security Operations Center, and the other fundamentals of good enterprise security? If not, talk to them. Sometimes a company has good reasons to depart from the generic formula to meet the business's unique needs, but you should find out whether that is the case. Assumptions are the enemy of good security.
Once you can measure your team's effectiveness and have begun doing so, you will inevitably run into budget questions. How much should security cost? Be generous with two things: salaries and tools for engineers. That's it. By not being stingy with salaries you attract top talent, which has a multiplicative effect on the productivity of everyone on the team. As security engineer Guy Alfs put it, five strong engineers can get more done in a day than fifty weak engineers will do in a week. And those great engineers need state-of-the-art tools to do their jobs efficiently and stay happy. Spend more on these up front and you will spend far less on everything else.
But what about the big, expensive third-party security tools that promise 10x coverage, 365 days a year? Be skeptical and cheap. Not all of these tools are a waste of money, but most of them are. Ask your engineers which products are actually saving money, stick with those, and cut the rest entirely. The same applies to your team. Nobody wants to be the bad guy, but if some employees are clearly underperforming, make the hard decision early and let them go. Instead of investing a little in mediocre talent, invest in the high performers you still have. Be grateful to them, and they will be loyal to you.
Management is not easy. Most people want the certainty and comfort that comes from following a great leader. On the other hand, being a leader means being the bad guy when budget cuts inevitably come knocking at the door. But those hard decisions are what separate leaders from everyone else, and as a manager, people look to you for strong, confident leadership. None of the steps above is easy, but if you have the courage and resolve to stand up and implement these principles in your enterprise security department, your team will be happier and the company will be far safer as a result.