Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I regularly am asked how to hire an effective security leader. People go through a list of attributes they want, such as strong leadership skills, certain types of experience, management abilities, etc. Having been a first security hire at two high-growth startups now, I tell them that they are getting ahead of themselves. The first question that I usually ask is the following:
- How big is your current organization?
- How fast are you going to grow?
- What are your goals for the security program?
Of course, the last bullet point is the hardest to define but also the most important. The first two bullet points set the context for the third. Someone can find the right profile of security leader only after establishing the goals. It’s okay to not know what the goals of the security program should be. As a result, you should hire someone who knows how to create the goals for a company of your size and current state. Ultimately, the advice is simple: Hire someone who makes sense for your company. What works somewhere else doesn’t mean it’ll work well for you. For example, a CISO at a Fortune 500 might not be the best security leader for a high-growth startup.
Anyway, the point of this post is not to discuss my thoughts on security leader hiring at companies but rather to talk about one of the goals I believe should be part of every security program regardless of size: efficiency. It’s also a trait that companies should probe about when they are hiring a security leader.
Why care about efficiency?
The question should be why not? There’s a tendency for security teams to use FUD to get more budget and “empire build.” However, history has shown that these efforts don’t yield positive results. Many times, it leads to security bloat, mistrust, and eventually the downsizing of security teams. Too often, I see security leaders say “Managed a 200-person security organization” or “Built and managed an organization from 100 to 500 people.” Although this shows that they have experience building and managing large organizations, the question is whether that size was necessary.
In the past year, there has been a larger focus on efficiency in many organizations due to macroeconomic conditions. Unfortunately, security has also been hit, probably less so than other functions, but it wasn’t unaffected. In many companies, security is seen as a cost center that tries to get resources, but I’ve argued in the past that security organizations should move past an operational model and figure out how to deliver value. (I do think this is very possible, as security can drive business, e.g. Apple selling their privacy and security measures.)
Finally, bloated organizations are challenging. People end up not doing meaningful work, which compounds the bloat and leaves people stuck with skillsets that aren’t transferable. A common problem in security is that someone can be working too closely with a single tool, which makes his/her skillset difficult to transfer.
Overall, efficiency is good for both the team and the company.
How do you measure efficiency?
I want to preface this by saying that some security leaders might need large organizations, especially in regulated industries such as healthcare and financial services. However, it’s important to understand the mentality of a security leader.
Are they looking to always get more resources to solve problems? Are these problems self-created? How are they looking to improve their operations? How do they think about efficiency? These are all important questions to ask.
The tough part about efficiency is that unlike product engineering or other engineering disciplines, security is hard to measure. It’s not impossible but difficult. It becomes especially hard when the executive team thinks about security in a binary way, i.e. a team is only successful if there are no security incidents. Part of the job of a security leader is to create the right expectations for the executive team. He/She should be talking about security capabilities, coverage, and resulting risk in various segments. The leader should then discuss how resources can increase capabilities and coverage and thus reduce risk, aligning with other leadership on whether this is a good investment. On the other side, executives should ask if security needs certain capabilities and coverage and ask for an honest assessment of risk. This type of interaction should be core, and a company should find a leader who can properly engage in this type of discussion.
Of course, this is hard to understand in isolation or talking with one security leader. One way to measure this is to ask a leader to pick a specific program that he/she developed and ask about the capabilities, coverage, risk, and resources. Then, you can compare this against another security leader’s answer. It’s important to ask if this could have been done with fewer resources or why it required so many resources. It’s up to the hiring team to decide if this is a good answer.
Why is security sometimes inefficient?
The short answer is that the company lets security be inefficient and doesn’t provide proper accountability. Many times, this is the result of hiring the wrong leader, and it’s very easy for inefficiency to compound.
Here’s a common scenario. A company buys a complicated tool, and as a result, they need to staff several analysts and take engineering time to configure it. More staff requires more people management and coordination, which requires more hiring, etc. However, if they had bought a more modern and automated tool, which might have cost a bit more up front, they wouldn’t have required as many resources for a similar outcome. Overall, the cost would have been lower, and they would have avoided the staffing issues.
Honestly, this issue is common in security as sometimes security is too solution-driven. They focus on the solution that they want to buy rather than whether it’s solving the right problem. (This is also problematic for the security industry because this has led to product bloat where cybersecurity companies sell products that companies don’t need.)
Part of the issue is that the leader and organization aren’t knowledgeable enough to understand and solve the problem, assuming the product and solution will do it for them. As security risks become more technical, this is becoming a larger issue as security is forced to address issues that they don’t fully understand and as a result, they buy a tool, hoping it’ll address the problem. Many times, the tool doesn’t solve the problem but creates overhead that now requires resources to manage.
What are some good practices here?
We should stop talking about how large our organizations are, but instead, we should focus on how we are solving problems. Sure, some problems require more resources, but not all of them require large amounts. Security leaders should also regularly look at their organizations and decide whether they are operating efficiently. Creating efficiency builds trust with the company and shows that you’re a valuable business partner.
Overall, building an efficient security organization should be as important as building an effective one. We should strive to hire leaders who can solve problems, not just hire staff so that they can delegate problems and manage a bigger organization. This will benefit the team, the company, and the cybersecurity industry as a whole.