One of the main questions (ISC)2 sought to answer with a new study, Building a Resilient Cybersecurity Culture, was what makes a good cybersecurity team, especially in an industry that suffers from a shortage in its current workforce. How do organizations go about building and strengthening the team?
It’s clear from the study’s findings that management’s attitude toward the team – and toward cybersecurity as a whole – is related to the team’s success, confidence and ability to do its job without worrying about lack of budget or support from the top.
Going in, we already knew the respondents in the poll had confidence in their team – that’s why they were chosen for the research. So it was no surprise to us that 100% of respondents said “yes” to the question: “Does your organization do an adequate job ensuring you have enough cybersecurity expertise on staff?”
With that as a starting point, we could try to put together a clear picture of what makes a successful team.
Asked about attributes they view as important for cybersecurity team members, here’s how respondents prioritized them:
- Skill and knowledge of the company’s technology - 72%
- Knowledge of security best practices - 65%
- Understanding of company processes, data flows and controls - 63%
- Knowledge of cutting-edge technology solutions - 60%
As noted in an earlier blog, respondents also placed high value on hiring people with cybersecurity certifications, promoting and training from within, and cross-training on cybersecurity skills and responsibilities.
One of the common problems cybersecurity staffs face is not being heard by top management. Studies have shown executives often don’t understand risks or the need for protection and, as a result, fail to properly invest in the needed technology and expertise. But in the polled organizations, the reality is markedly different.
For one thing, cybersecurity is an IT budget priority – or considered very important – for these organizations (96%). In addition, overwhelming majorities said top management understands the importance of strong cybersecurity (97%) and that team policies align with their board of directors’ cybersecurity strategy (96%).
In companies that employ a CISO (86% of those surveyed), 57% of the time this executive reports directly to either the CEO or the board of directors, a sign that the CISO has the ear of top management.
The Big Picture
When you put all these findings together, here’s the picture that emerges: An effective cybersecurity team gets the support it needs from management, is given the right level of responsibility and training to do its job, and feels management listens to advice from the team and the CISO.