
Seven Attributes of a Great Security Team

Lessons from a great tour guide can help you in your efforts to improve your organization’s security posture


I recently took a week off of work and toured around with my family. We are very fortunate that my father-in-law is an amazing tour guide who generously volunteered five days of his time to show us many wonderful sites. It was a great experience.

There are, of course, a number of attributes that make him such a wonderful guide. During the five-day tour, it occurred to me that we can learn several security lessons by analyzing these attributes. What do I mean by this? Here are seven attributes that make both a tour guide and a security team great:

1. Sincerity: When a tour guide believes what they are sharing, the tourists pick up on that sincerity, and they are better able to internalize what the tour guide is telling them. Similarly, when a security team believes in the principles it is preaching, and those principles are practical, logical, and sound, the enterprise will pick up on that sincerity. This bolsters the security team’s credibility and allows it to work more effectively with the enterprise.

2. Passion: When a tour guide is passionate about the topics they are presenting, that comes across to those on the tour. On the security side, when a security team is passionate about improving the enterprise’s security posture, that drive to improve upon the status quo resonates with the enterprise. The enterprise will be more willing to work together on various issues and challenges with a passionate security team than with one that appears to be “phoning it in.”

3. Energy: Giving a great tour is exhausting. Nonetheless, the guide needs to push through and keep the energy level up. The tourists would certainly take notice if that were not the case.  Along the same lines, a security team needs to drive its efforts to secure the enterprise with a consistently high level of energy. Failure to do so calls into question the importance of security initiatives, which, in turn, reduces the enterprise’s willingness to work alongside security to move those initiatives forward.

4. Humor: Humor can be a great tool when used properly. Tour guides may use it to make a moment more memorable or to drive home an important point. Security teams can use humor to defuse difficult, tense, or uncomfortable situations, to convey humanity and emotion when dealing with difficult topics, to gain support and buy-in, and/or to help emphasize an important point. A well-placed and well-timed joke goes a long way towards helping a security team improve its organization’s security posture.


5. Knowledge:  When a tour guide knows their stuff, it shows. Though not all tourists pick up on this, many do.  Those who have spent more than a few years on the business side know very well how to spot a security team that is not knowledgeable. If the security team knows its stuff and uses data and logic to drive decisions rather than emotion and intuition, the business will pick up on that, and that builds trust. That trust translates into a willingness to collectively and collaboratively solve problems that is so vital to the success of the security program and, in turn, to the success of the business.

6. Be current: When research is conducted and new information comes to light, the understanding around a historical site may very well change. A good tour guide is up to speed on the latest developments and knows how to work those into the tour.  Similarly, risks and threats to the enterprise evolve constantly. The sharp security team is able to track the evolving threat landscape and factor that new knowledge into its strategic, operational, and tactical efforts.  Astute stakeholders on the business side will pick up on and appreciate this, which will make them more willing to participate as active stakeholders in security efforts.  The result is a more secure and better protected enterprise focused on supporting, rather than inconveniencing, the business.

7. Know your audience: A speech or presentation that a guide gives to one group may fall flat to a different group.  Similarly, when a security team is presenting itself, its strategy, its goals and priorities, its metrics, and/or its plans, it needs to understand with whom it is speaking. Management, executives, and the board are most likely interested in understanding risk – those risks that may cause the enterprise to suffer a financial loss or significant brand damage.  Stakeholders on the business side, on the other hand, are most likely focused on their particular bailiwick or line of business operating in as profitable or effective a manner as possible. In a similar manner, other stakeholders have their own priorities that they bring to any discussion or effort. The security team that understands their audience can tailor their efforts and the presentation of those efforts to make them palatable to the audience they are being presented to.

Whether or not you’ve recently participated in an organized tour, the lessons from a great tour guide can help you in your efforts to improve your organization’s security posture. Above are merely seven of the qualities that I believe translate from guiding a group to securing an enterprise. I believe it quite likely that you will be able to add a few of your own as well.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Security and Fraud Architect at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
