The ’53-Man’ Roster for Security (Part 1 of 3)

In Cyber Security, Leadership by Endre Walls

Those who know me know this is my favorite time of the year - American football season has begun. Without question I'm a football enthusiast, most people (including my wife) would describe me as a fanatic. I love the sport, and I have since I was 6. I love its complexity, its variety, and its ability to be different and entertaining from week to week without fail.

This first week was no exception...last season's Super Bowl champs lost to a Detroit Lions team that looks like it's ready to run the table, the Giants got blown out (like REALLY blown out), the Browns seem to have found their "dog pound" roots, my Eagles squeaked out a win, New England looks like they might actually have a solid defense this year and the Bills might not be who we thought they were after all. 2023 will be epic!

The sport has taught me lessons that I've applied to my leadership journey. In an article I posted on LinkedIn I shared what Superbowl LVII taught me about being overcommitted to a strategy and the importance of flexibility as a leader. In this article I'm going to discuss applying the concepts of the 53-man roster in football to security organizations.

Unlike every other sport on the planet, American Football requires a really large group of people to be on the same page and work with purpose to win a single game. And there are 17 games (now) in a season not including the playoffs. Everyone working together in a concerted effort to win for themselves, their organization, and the city they represent. When you think about it, the sport is a pretty great place to take notes on leadership from.

Running a security organization is no different from coaching a football team, in my experience. You essentially have 3 organizations within your organization, each with a different purpose, but each needing to own their individual strategies and an ability to link them to the larger organizational strategy for consistent success. A collapse of one of the 3 sub-organizations doesn't have to be catastrophic, but sometimes can be, which requires both an individual ownership mentality and a team-first mentality. This is unique both in sport and in the business world, making security organizations very complex structures to lead.

So, let's talk about what a good security organization's roster would look like. And before we start - no, I'm not suggesting security organizations need 53 people to be successful; quite the opposite actually, there are roles that you need to have in place that you would staff dependent on the size and scale of your organization's risk profile and appetite.

I'd break these roles down into 3 sub-organizations: special teams, offense, and defense. This week we'll focus on special teams.

Special Teams

I'm starting with special teams for a reason - in football they start the game. Special teams help determine both the offense and the defense will start. Done right special teams can set either the offense or the defense up for success in achieving the long-range goal.

For a security organization, Special Teams would involve technology risk management and security program management resources. One individual could theoretically handle both roles in a smaller organization, but these roles would be too cumbersome in a larger organization for a single person to handle. In an organization handling regulated data, PII, or NPI with over 2000 employees, these should be 2-4 person teams. 

Technology Risk Management resources are aligned to the business units in ensuring cyber risk is articulated, quantified, measured, and appropriately analyzed. In some organizations these resources might exist within a separate enterprise risk management department. If this is the case in your organization, your alignment with a CRO or other independent risk leader is critical. Helping that individual account for and realistically measure cyber and tech risk in your organization is key to ensuring the effectiveness of your security program, and you should make sure to articulate this criticality with that leader so there's synergy and connective tissue between your departments. In most organizations, this is a resource that should live within the security org.

Tech Risk Management, as an organizational discipline, should be focused to both internal and 3rd party assessments of risk, maturity, readiness, and mitigation. This discipline also covers tabletop exercises, risk register management, and access reviews for the organization. Larger organizations would benefit from their Tech Risk Management group handling awareness training and educational programs internally.

SIDEBAR: Now...if you're not doing the things I mentioned above, this would be a good time to start. You should continuously monitor and document your organization's risk profile both from the organizational standpoint as well as technical, and then leverage 3rd parties to check you on remediation and to gauge your maturity. Access reviews are absolutely critical to any mature security program and help to ensure the effectiveness of your program's role-based access control mechanisms. I discussed this in an article in Security Current that's definitely worth a read. 

Tech Risk Management resources should also be tuned to vendor (3rd party) and solution provider (3rd and/or 4th party) risk to ensure the organization's risk profile is fully disseminated within the risk register. Vendor risk management should be your bread and butter for your security program, in my opinion...everyone has to work with vendors. Making sure your vendors are effectively managing their controls, adhering to a standard, and working with your security organization transparently should be a priority for your tech risk resources.

Tech Risk Management is the kickoff team when compared to football - their job is to place the organization in the best position possible to reduce risk and make it more difficult for identified risks to succeed. They prevent the advance of the adversary and leverage policy to close gaps that would allow an adversary to score on a kickoff. 

Security Program Management is essential to a security organization. Program managers help to focus and align the security organization's policies and practices with the operating processes of the business relative to both assessed risks and operational realities. I've mentioned before the criticality of CISOs becoming more business aligned - program management is where the rubber meets the road for a business-aligned security organization.

In smaller organizations this is likely a single security program manager. In larger organizations this might be a team of people who handle both security projects and the programmatic aspects of an enterprise security program.

The program management function handles policy development, alignment of the program to a particular standard or regulatory framework, development of playbooks/process/procedures, and project management for security-aligned implementations and projects within the organization. Program managers in this space are project managers with deep awareness of the cybersecurity discipline. They should be business-aligned and able to break down technical concepts that the entire organization can consume.

The Security Program Management function is similar to the kicker - their job is to execute the plan, and in doing so, preventing the adversary from succeeding without having to work twice as hard to do so. Remembering, of course, that a security issue is a matter of "if" not "when", but a good program makes that "if" limited in scope and depth and minimizes the damage when done properly.

Is outsourcing realistic?

For smaller organizations, outsourcing is realistic, but likely more costly than having an internal resource. The reason? Risk management resources have to be very closely aligned with the business. That alignment requires deep relationships that can be tough to build through interviews alone; not to mention, agile businesses that change frequently will find themselves with risk resources constantly trying to catch up, and that can slow execution speed for the business. The same is true of program management, in my opinion.

The other teams we'll discuss, offense and defense, can be outsourced, if necessary, but special teams represent an internal investment all security leaders should make for their organizations.

See you next week!