We have a major shortage of qualified cybersecurity professionals. This is not a new realization, and it is one on which the community generally agrees. What isn’t talked about as much – but should be – is a cyber team’s dynamics and their impact on performance.
Cyber defense is a team sport, akin to basketball. As it is with basketball, you need to have the right mix of players, teamwork and a solid set of offensive and defensive plays to rely on and adopt when the opponent takes control of the court. You don’t want five Michael Jordans, five centers, or five point guards. You need the right composition of team skills, work roles and integrated team performance. Your elite cyber defense team needs to actively communicate, pass the bits of evidence around, develop the big picture strategy and be able to adjust to different adversaries.
I have trained and assessed some of the best corporate and military cyber defense teams in the nation. Inevitably, they come to me as a group of very well trained individuals, who generally are quite well versed in one tool but don’t understand, or even realize, that there is another teammate next to them. I like to think of them as soda straws. When I initially meet these teams, I work to find out who are multi-taskers, who are detail oriented, who are tenacious and who think ‘outside-the-box.’ I sort each individual into their technical cyber personality and begin working to help them reach their full potential.
When I first started assessing cyber teams, I participated in large scale cyber exercises with over 25 teams, marveling at the uniqueness of each one. They were different sizes, used different tools, were organized in different forms and, as you can imagine, performed very differently. Obsessed with trying to understand what the best team structure was and whether certain tools drove their exemplary performance, I asked them how they performed so effectively and fluidly – ‘what makes you a top team?’ I soon realized that, as with all complicated problems, there was no obvious answer, but there certainly were trends and lessons learned that I was able to take away from the experience.
A high performing, elite cyber defense team needs to have representation across the technical personalities I described above. They need ‘multi-taskers’ who can visualize the network and manage the various sensors and tools to aggregate the logs from the firewalls, Active Directory, Network Security Monitoring systems and host-event data. The brains of ‘multi-taskers’ are wired specifically for this.
A high performing team also needs the detail oriented ‘perfectionist’ who can pore through and understand the router configurations, firewall rules and policy settings across all devices. The ‘perfectionist’ validates that the enterprise is configured as advertised. Due to the ubiquitous hacking attempts and breaches we see today, a high performing team must also employ tenacious, ‘out-of-the-box’ cyber hunters. These personality types can sense that somehow the adversary is on the network; they just need to find them. They know that skilled adversaries can bypass defenses and hide patiently in all kinds of unusual places.
And last but certainly not least, a high performing team must have personnel who can put it all together. This person can sense the importance of one artifact and lead the team to finding more evidence of the intrusion kill chain. With these four personalities, the team has leadership skills, technical depth in one or more cyber arenas, and a deep understanding of the use of cyber threat intelligence data – making it a winner, like the 1996 Chicago Bulls!
In this world of daily cyber-attacks costing billions and wreaking havoc in our corporate boardrooms, we need to step back and take stock of what we have. It’s not just more people or more tools, although both can help; it is about connecting the dots, building the strategies, and adapting to the adversary by creating the best team to operate and understand the key business cyber terrain across the enterprise.
To build effective teams, we must bring talented individuals together, pull apart the soda straws and assess their technical personalities, and leverage their strengths to accomplish a common goal and complete missions oriented towards defense.