How to build a cybersecurity team

Building a cybersecurity team to address growing security threats can be challenging. Learn how some companies are tackling the issue.

Cybersecurity professionals are bracing for continued attacks this year, effectively boosting their budgets by an average of 21%, according to the 2017 Cybersecurity Trends Report published by the National Center for the Midmarket.

These cybersecurity professionals are focused specifically on cloud infrastructure, training and educating end users, and securing mobile devices.

While concerns around cybersecurity are high, more than half of midmarket companies operate with limited to no strategy at all. 

Adding to the issue is the fact that cybersecurity is ever changing, according to Brian Hill of Computer Forensic Services. Technology offers convenience, but “every time we gain convenience, we give up something in security,” he said. 

Gone are the days when an attack was the final wake-up call for companies to allocate IT budget towards security staff and strategy. 

In 2017, cybersecurity requires a dedicated full-time team.

Security is everyone’s business

Kip Bates’ role as the director of cybersecurity and strategic initiatives at the University of California in Santa Barbara evolved significantly from the early 1990s when he was hired to establish a computer network and support a computerized maintenance system. 

Now, more than 14,000 devices in the university’s residence halls alone access the school’s network. From a security strategy development standpoint, the watershed cybersecurity moment came with an alert from federal authorities to investigate a specific machine using one of the university’s IP addresses. 

What followed was a year-long process of recovering from a cyber attack by the Iranian government known as Operation Cleaver.

There were several speculations by authorities around the intent of the attack, but Bates said nefarious reasons included intelligence gathering for a potential kidnapping of a student or students related to renowned Middle Eastern oil barons.

Following the attack, information security officers were strategically placed in critical organizations across the campus’s centralized IT division. 

“We’re of the opinion that security isn’t my job; it’s everyone’s job,” Bates said. 

Staff up cybersecurity teams from the inside

At Boston-based MathWorks, IT director Jim Habeeb had only a part-time security team composed of networking specialists and various IT staffers. He sat down with the CFO and president, who now sits on the company’s security advisory team, to persuade them to hire a full-time chief information security officer (CISO) who could then help develop a hiring plan.

After advertising for positions to build the security team, Habeeb opted to post the positions internally. 

“Highly skilled staff require a premium salary, and you want to be fair to your internal staff to expand their skills,” he explained. “When you hire from the outside, it can be hard to get someone who wants to hit the ground running in the best interest of the company rather than doing what they already know or are familiar with doing.” 

Build partnerships across business lines

When Jeff Sullivan assumed the role of director of enterprise IT for American Advisors Group in Orange County, California, just over a year ago, the security team consisted of two individuals: an information security officer and a network administrator.

Sullivan has since doubled the team in the company’s corporate office, but it was challenging to find and hire skilled staff because of stiff competition in the Greater Los Angeles area. 

Then came the challenge of determining what to focus on.

The team conducted a vulnerability scan of the company’s network environment and examined the perimeter for gaping holes. It then worked with risk management and legal counsel to prioritize what information to protect and what’s risky enough to ignore. 

“We’re trying to balance our team with managed services and leverage key vendors to ensure we’re protecting our environment,” Sullivan said. “With information security, you simply don’t have the luxury of time.” 

IT executives still working to build their cybersecurity teams have a host of programs that can help, including CompTIA Security+ and Parameter Security’s Hacker University.

NEW! Download the Fall 2018 digital issue of CIO