How To Fix an Underperforming Cybersecurity Team
Cybersecurity teams are critical for helping organizations protect their network and get ahead of cyberattacks. They’re a smart way to organize cyber defenses and a strategic, efficient way of pooling resources — lots of employees dedicated to winning the cyber war will always have a greater effect than one or two. But cybersecurity teams can underperform as well, and if that’s the case, the team might be harming your business more than helping it.
A cyber team can fail without suffering a major cyberattack
Conventional wisdom might say that your cyber team fails when your organization suffers a breach. And sure, if that happens, the team failed in its objective to adequately guard against an attack. Even the best-built teams can fail, but the team probably didn’t have a sudden collapse at that moment. There were likely many factors in the months before the attack that indicated your team was breaking down. The team could have been starved for resources, suffered from infighting, or been misaligned within the organization — the kinds of problems that usually plague teams of any kind. The team was set up for failure if those issues were left unaddressed.
Underperforming teams are some of the most challenging problems to address because they are hidden from sight and hard to surface.
It may be more challenging than you think, but we are here to help!
You must go beyond the team itself to fix an underperforming cybersecurity team effectively. It needs to be an organization-wide solution done on three levels:
Team level - the cybersecurity team itself
Organizational level - the cybersecurity team's placement in the organization‘s structure
Executive level - the cybersecurity team leader’s position on the executive team
Let’s dive into the specifics!
1. Foster communication [at the team level]: Create a culture of communication centered on clarity and transparency
This suggestion might sound simple, but it isn’t. To make matters worse, poor communication is rather prevalent in cyber! Cybersecurity involves many complex topics, several integration points, and high-stakes situations, all of which increase the possibility of miscommunication and can result in uncertain strategies, poor decision-making, and general frustration. Let’s look at a simple but telling example.
Imagine two cyber teammates talking about attack surface management (ASM). This critical component of cybersecurity involves protecting the entry points (or “endpoints” in cyberspeak) that lead to your network. But to one team member, ASM could mean only Internet-facing endpoints, like web servers and email exchange servers (stuff on the edge of your network) that are company-owned assets. To another, ASM might mean every entry point that could conceivably be associated with the company, from supplier networks to the personal devices of contractors. Which definition is correct?
To complicate matters, consider that these two people might not even know their different definitions. It’s possible that the first time ASM came up in conversation, neither stopped to say, “Oh, by the way, are we talking about ASM in the same way?” It might have seemed unnatural or elementary to ask that question about a relatively “common-knowledge” term, especially if it might make one feel vulnerable by showing that they don’t know everything.
In that case, both people would continue using ASM without knowing what it means to the other, eventually hurting them and, in turn, the company. Imagine the CEO asking why business is halted after a ransomware attack or customers asking why their data was exposed. The answer, “Well, our cybersecurity team never got on the same page of what is covered by ‘attack surface management’… so yeah,” isn’t helping anyone.
You need to strive to make communication a priority. What does that look like? Well, you and your team must communicate frequently and transparently in small and large group environments. Build multiple channels for communication to flow openly. If done well, the team will feel empowered to discuss their differences and level set with clear and consistent communication. If this doesn’t happen, miscommunication will start to take over.
3 ways to avoid miscommunication
Here are a few simple yet vital things a cybersecurity team can do to avoid miscommunication:
Level-set regarding critical conversations - Don’t assume everyone is on the same page. For example, define what terms and acronyms mean at the start of a call or presentation, even if you think everyone already knows what they mean. As another example, explain the critical past decisions that led to the current conversation. In summary, do your best to ensure everyone is on the same music sheet.
Don’t leave communication loops open - Don’t start a communication thread and not revisit it with a decision or a call to action. This might be an open Slack thread or email chain whereby you say, “Let me circle back to the group once I research this matter further.” You need to follow up with an update. Fight the urge to think, “I am sure they’ll figure it out eventually.” LOL.
Use written communication to finalize essential calls to action - At the end of an important decision, craft a written call to action that lays out the decision, who is to take what action, the timeframe decided upon, and any follow-up actions that will be needed. Writing it out can help reduce misunderstandings by allowing you to proofread your message and ensure it is clear and concise. Plus, upon receipt, everyone else can ensure they align with what you share and clarify misunderstandings.
Bottom line: Cybersecurity teams must prioritize communication, or they risk creating a bubble of uncertainty that can only lead to bad things. To do this, they must communicate frequently and transparently to facilitate an open dialogue — feeling empowered to discuss their differences and level set with clear and consistent communication.
2. Eliminate confusion [at the organizational level]: Define clear operational lanes for personnel
A cybersecurity team (there are many types of teams, like a security operations center, threat intelligence, penetration testing, etc.) needs to fit smoothly and strategically into the structure of a company. This way, it can figure out how to collaborate with other teams and avoid overlapping goals. Failing to do this can lead to redundancies and inefficiencies, creating conflict with other teams and, ultimately, within the cybersecurity team.
At first glance, this can sound obvious and intuitive. Of course, you develop a cybersecurity team to focus solely on protecting your company from bad cyber actors; however, a cyber team is rarely built into a business from the start with a clear mandate and well-defined roles. What usually happens is that different technical teams, usually Information Technology (IT) personnel, address cybersecurity concerns as they arise. This works out okay until a phishing email infiltrates your system and you get hit with ransomware. Then, everyone takes a deeper look at security, realizes the need for a more thorough organization-wide solution, and starts building a security team(s).
When building a cybersecurity team or program, you must ensure it has clear operational lanes in your organization; otherwise, confusion will arise.
5 steps to eliminate confusion when it comes to cybersecurity teams
You must eliminate confusion, whether you’re a small business just starting a cybersecurity team or a larger organization with several cybersecurity teams. Here are some ways to do it:
Build a management structure with a logical reporting hierarchy - All relevant teams should fall under the same executive leader. The executive leader should govern all logical functional teams that complement each other. For example, if you have a CISO, all cybersecurity teams should report to them (directly or indirectly). You don't want any misaligned cybersecurity teams reporting into a CTO's org; this will create conflict and foster confusion.
Align goals and objectives for all relevant teams - Teams should clearly understand the organization's overall goals and objectives and how they can work together to achieve them. This will help to ensure all teams are working towards the same common goal and that their efforts are not in conflict. Relevant leaders from each team (starting at the top) should go through goal planning together to create clear goals that ensure minimal unintentional overlap.
Establish clear roles and responsibilities - Teams should clearly understand their roles and responsibilities and the roles and responsibilities of other related teams. This will help to avoid duplication of effort and conflict. For example, if you have a data breach, your incident response team should know precisely what to do and how to engage with your vulnerability management team. You don’t want each team operating independently, doing redundant (or, at worst, counterproductive) work.
Foster communication and collaboration - Teams should communicate and collaborate regularly. This will help ensure that all teams know each other's work and can identify and resolve any potential conflicts early on. To help do this, in addition to everything I shared in my first point above, teams should plan joint training exercises and team-building activities. Nothing fosters communication and collaboration more than a few beers and wings at happy hour after an org-wide Call-off-Duty tourney!
Create a joint security committee - This committee should comprise representatives from IT, cybersecurity, and other relevant teams (like finance, product, or sales). The relevant teams can be any team you feel is vested in the company's security. The committee should meet regularly to discuss security issues, share information, and decide on security initiatives.
Bottom line: Cybersecurity teams should closely align with all internal/external teams to ensure a collaborative relationship. All teams must understand each other’s roles and responsibilities to eliminate confusion and counterproductive work.
3. Build trust [at the executive level]: Ensure your cybersecurity leader reports to the CEO
Nothing zaps a team’s performance more than a lack of trust. Trust is essential for any team to succeed. You can build trust by being honest and transparent with your team members, keeping your promises, and being supportive and respectful.
There are many ways a lack of trust is exhibited, but let’s look at this from the perspective of a common issue: Cybersecurity budget constraints.
Cost-sensitive organizations constantly constrain cybersecurity budgets. There are several reasons why this happens. Often, it’s because business leaders are under pressure to grow revenue and increase profits ASAP. They don’t have the appetite for investing in cybersecurity if they already have adequate security, aren’t facing an immediate, known cyberattack, and need a quick win on the balance sheet.
If the cybersecurity budget is reduced, it can signal to the cybersecurity team that they aren’t being heard or valued, or the executive team doesn’t fully understand the threat. Either way, it can erode trust.
As I originally stated, there are many ways to build trust. Let’s look at one: the power of being supportive and respectful. One way to demonstrate support and respect is to have your cybersecurity leader, like a CISO, report to the CEO.
3 ways having your CISO report to the CEO builds trust
Having your CISO report to the CEO is an excellent way to demonstrate the organization's commitment to and regard for cybersecurity, which in turn builds trust. Here are some reasons why:
It demonstrates the CEO's commitment to cybersecurity - When the CISO reports to the CEO, it sends a clear message that cybersecurity is a top priority for the organization. This can help to build trust with employees, customers, and other stakeholders. Looking back at our example about budget constraints, if a budget cut is needed and cybersecurity is reduced, this structure counters the narrative that the CEO doesn’t respect the organization's security or the recommendations of the cybersecurity team.
It gives the CISO a direct line to the top - Nothing says trust more than having a seat at the table. When the CISO reports to the CEO, they have direct access to the highest level of leadership in the organization. This allows them to communicate cybersecurity risks and concerns directly to the CEO and to get the resources and support they need to protect the organization. It also sends a message to all employees that cybersecurity is essential.
It aligns cybersecurity with overall business goals - When the CISO reports to the CEO, the CISO will be involved in strategic decision-making related to business goals. Those business goals are essential for the future of the business, and cybersecurity is an aspect of that success. For example, what would happen if a massive data breach took down your production servers during a crucial product launch, delaying the launch by a quarter or more? Given our digital, interconnected world, you need to ensure you are well insulated from those possibilities. Drawing the linkage between cybersecurity and overall business goals underscores the importance of cyber, and having the CISO present for business goals demonstrates the organization’s support for cybersecurity.
Bottom line: Cybersecurity teams are critical for an organization’s success. Building trust helps ensure they are set up to outperform. Having your CISO report to the CEO is a great way to build trust!
Conclusion
To stay ahead of cyberattacks, many organizations need a cybersecurity team. But just having one isn’t good enough — the team must consistently perform well. If they are underperforming, the good news is that you can fix it by making cultural and structural changes throughout the organization at the team, organizational, and executive levels. Creating a communication culture based on clarity will help prevent misunderstandings, establishing operational lanes for personnel will help eliminate confusion, and ensuring your CISO reports to your CEO will build trust by demonstrating your commitment to cyber. If these critical changes are made, your cybersecurity team can keep the company safe while enabling the achievement of business goals — something everyone can get behind.
Magic Mirror on the wall, who is the fairest one of all… and should I share this article with them?!