10 ways to build a cybersecurity team that sticks
Creating an effective cybersecurity team can be a challenge. The skills gap is showing some improvement — the (ISC)² 2020 Cybersecurity Workforce Study shows that the cybersecurity skills gap is down from 4.07 million to 3.12 million professionals. But even if you can find people to fill cybersecurity positions, these skilled professionals need to be encouraged and nurtured to make them stick around for the long term. A recent (ISC)² study, “Build resilient cybersecurity teams,” has excellent advice on doing this.
Building resilience through team motivation
Cybersecurity teams are like a family unit. The members of this unit need to work together on highly stressful projects that impact the entire organization. Like a well-oiled machine, a resilient cybersecurity team can be highly effective. The (ISC)² study spoke to cybersecurity professionals to get their insight into building and maintaining a strong cybersecurity team. One of the factors behind a resilient team is motivation. 52% of cybersecurity professionals said that the ability to solve problems was their reason for entering the field. Next in line for important motivational factors was a professional’s existing skillset and having a keen interest in cybersecurity. Other important factors included:
- Working in a continuously evolving field (42%)
- The ability to help society (37%)
- Achieving good compensation (36%)
Skill-up to keep staff on the path to success
Technical and non-technical skills are important in building resilient cybersecurity teams. There are many technical skills to know:
- Cloud security
- Malware analysis
- Data analysis
Amongst the top non-technical skills were:
- Analytical thinking
- Working in a team
Self-learning and certifications are the topmost essential items for those pursuing a cybersecurity career. The top three are:
- IT certifications
- Cybersecurity certifications
Shadow, support and mentor
Having a mentor or advisor was seen as an essential aspect of helping develop employees building a career in cybersecurity. Having the support of a more experienced cybersecurity professional was pulled out several times in the study as providing the basis for robust team culture. Several themes came out from conversations with cybersecurity professionals on retaining staff and encouraging a more diverse team. These include:
“Being thrown in at the deep end.” Being given too much responsibility was seen to have some detrimental effects on those in the earlier stages of their careers. Being given this responsibility too quickly can cause a feeling of being overwhelmed, frustrated and losing interest.
“First jobs.” Because cybersecurity presents a wide array of issues to resolve, any lack of clarity or consistency in a role can cause problems and a lack of confidence in junior staff members.
“Patience and support.” Cybersecurity roles can often be overwhelming and cause less experienced staff members anxiety. This can lead to the loss of a potentially excellent member of staff. Ensuring that a cybersecurity team is designed to help with issues and present a clear escalation pathway can improve overall confidence.
The cybersecurity professionals interviewed in the survey pointed out that certifications were important in the early stages of their careers. The respondents cited certifications as a “milestone in their career” and proof of their ability to do a job. One respondent summed up how certifications helped build their confidence:
“I studied hard learning my role, researched on my own time, earned certifications, attended training courses and conferences. All of that helped me to grow in my career.”
The top 10 measures needed to build an effective cybersecurity team
According to the (ISC)² 2020 Cybersecurity Workforce Study, there are 10 key measures to use when building an effective cybersecurity team:
- Look inward: the “better the devil you know” is a good starting point to build a cybersecurity team. Reach out to people already in the organization who may be interested in cybersecurity; create an environment whereby employees can build up the necessary skills to join your team.
- A balanced approach to IT talent: the study found that 55% of cybersecurity professionals began their career in IT. However, the study also highlights that diversity within a cybersecurity team is essential. Therefore, draw from IT talent, but do not only limit your team to those from a technical background.
- Hire for attitude and aptitude: go beyond a candidate’s CV. Look for passion and drivers that complement your existing team members.
- Create realistic job descriptions: (ISC)² suggests getting help from HR to create appropriate and realistic job descriptions when hiring your cybersecurity team. The study also points out the importance of matching security roles to the right level of certification.
- Invest in education: educating your cybersecurity team is an ongoing commitment. The study suggests that “Every organization needs a formal, standards-based cybersecurity education program for the employees responsible for securing their digital assets.”
- Take the long view: the study points out the importance of patience when building a resilient and long-lasting cybersecurity team. Investment into the team by building professional development pathways is the most crucial step.
- Foster mentorships: the study points out that cybersecurity professionals believe that having a mentor during the first three years of their career was invaluable. The study suggests using a mentorship program between senior members of the team and new entrants.
- Recognition builds confidence: feedback is essential, especially positive feedback, as this develops confidence. Build on this confidence by allowing junior members to step up to co-run projects.
- Keep the team together: building a coherent team involves allowing that team to help in its evolution. When recruiting, get the involvement of other team members to help identify missing skill sets.
- Embrace diversity: a diverse team, crossing sex, gender, race, disability and class boundaries, will help to offer insights and knowledge that would otherwise be missing from a less diverse cybersecurity team. Work with HR to identify diversity gaps and to attract a diverse audience of potential applicants for posts.
Building any cohesive and resilient team is not easy. But by following the (ISC)² guidelines, collated from professionals in the field, you can create a team that will be a credit to your organization.