Get Started

Cybersecurity is a team sport, so who are the players?

  • 3 min read

Share this post

Orchestrating a Cybersecurity Program
Orchestrating a Cybersecurity Program

It’s back to school time (parents, try to conceal your understandable excitement).

For my 11-year-old son, the best part about going back to school is playing cello in our town’s middle school orchestra, a spot he earned over the summer despite (pardon me while I brag) being a sixth grader in competition with 7th and 8th graders.

In case you’re wondering, to whatever extent he is gifted musically, it comes from his mom. I play no instruments (unless you count piano lessons as a kid and some guitar in high school) and have not touched one since the turn of the millennium.

But I do enjoy his concerts. In particular, I like watching the conductor. While I don’t fully understand all that is happening, I marvel at the man’s ability to coordinate the various players and instruments — in real time, no less.

The truth is, orchestra is the ultimate team sport. Not only do the musicians have to work in unison (true of any successful team), but if they don’t — because somebody is off-key, off-beat, or late to join in — the mistake is immediately obvious to everyone who is listening.

Cybersecurity is a Team Sport, Too

Although not nearly as enjoyable to listen to, cybersecurity is also a team sport, one that likewise requires a great deal of real-time coordination.

That’s because unlike many other functions within a company, cybersecurity touches nearly every corner of the organization – legal, customer support, marketing, HR, senior management, etc.

Especially in situations where a security incident occurs, the pieces need to work together, quickly and in a coordinated fashion. Nothing can be done in isolation.

Many Instruments, One Symphony

To ensure that your cybersecurity program is properly staffed and (ahem) wellorchestrated, you will need the following roles…

Executive Sponsor. As I have written about before, this person is plugged in, believes in the program, and has both the influence and the commitment to make it happen. In most cases, the executive sponsor is the Founder or someone with the letter “C” in their title (CTO/CEO/COO).

Technical Lead. This is typically the CTO, VP Engineering, CIO, or a technical director (sometimes, it’s the executive sponsor). They are the lead, but since this person’s time is often extremely limited, they need to be able to delegate to others.

Technical Doer. This person may have a variety of titles — software developer, IT administrator, DevOps engineer, etc. — and is the one who takes charge of updating and configuring software, adding/removing users, and other hands-on technical tasks.

Administrative Lead. I wrote about this person before, too. In short, they know how to keep things on track and how the organization really runs. All the processes, all the important documents, all the key players, etc.

We look for an individual contributor whose domain expertise is the organization itself. Their title is unimportant, as long as it’s someone who has excellent attention to detail and is well connected internally.

Compliance TeamThese folks may or may not be explicitly part of your cybersecurity team, depending on your industry and the nature of the work you do. There may be a specific compliance person, some involvement from legal, or no one at all. Compliance could be around privacy, cybersecurity, or tied to other business activities, such as conforming with requirements related to financial or health care aspects of a company’s industry.

Broader Team. Others who play a role…

  • SalesWho handles security questionnaires from prospects?
  • Marketing. How do you position your solution in a way that says you are secure? (Claiming “Military Grade Encryption” on your website is a sure sign that you are not!)
  • Legal. Who reads the requirements in the customer contract? Who signs off on messaging when your organization has had a cybersecurity incident?

Whew. Like I said, there are many players required to keep things running smoothly!

Start Where You Are

I know, it can feel a bit overwhelming.

The good news is that you don’t need an in-house security expert at your company to get started. What you do need is an executive sponsor and a group of folks that care about security and are committed to improving it.

Agree to meet weekly and start with some of the basics, such as multifactor authentication, training to help employees spot and avoid phishing attacks, and establishing a process for removing network access from past employees, consultants, and contractors. If you are a little more advanced, pick a set of controls from the alphabet soup of control frameworks listed here.

It need not be perfect; the more you do, the better off you will be. (Hint: When you start hearing music in the background, you’ll know you are on the right track!)

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).

Tales From The Click

Sign up for our monthly newsletter for business leaders on minimizing cybersecurity risk.

Suceed at SOC 2

Free eBook:
5 Things to Know for your First SOC 2

  • How to scope your SOC 2
  • Estimate the cost and length of your SOC 2
  • Prepare for your SOC 2
  • Manage the SOC 2 audit period
  • Leverage your SOC 2 for growth

Related Posts

Just Show Up

Rob Black

The NIST Cybersecurity Framework is Secretly a Communication Framework!

Elazje Carillo

What to Know About Encryption Now, at the Dawn of the Quantum Era

RJ Russell
Is your Cyber Insurance really going to cover you?

Only 1/3 of cyber insurance policies actually pay out in incidents. Most companies have cyber insurance policies that insure too little, or too much, and have absurdly low caps and silly exclusions.

To learn more about cyber insurance and determine if you have the right coverage for you, join us for a free vCISO Office Hours session on Tuesday, April 18 at 1 p.m. eastern time. Bring your questions!

New Release: Free SOC 2 eBook!

Getting ready for your first SOC 2? This eBook is full of actionable advice to help you prepare for and succeed in your first SOC 2 audit.

Learn:

  • How to scope your SOC 2 project
  • How to estimate the cost and length of your SOC 2 project
  • How to prepare for your SOC 2
  • How to succeed in your SOC 2 audit period
  • How to leverage your SOC 2 report to enable your business and sales
Is your Cyber Insurance really going to cover you?

Only 1/3 of cyber insurance policies actually pay out in incidents. Most companies have cyber insurance policies that insure too little, or too much, and have absurdly low caps and silly exclusions.

To learn more about cyber insurance and determine if you have the right coverage for you, join us for a free vCISO Office Hours session on Tuesday, April 18 at 1 p.m. eastern time. Bring your questions!

New Release: Free SOC 2 eBook!

Getting ready for your first SOC 2? This eBook is full of actionable advice to help you prepare for and succeed in your first SOC 2 audit.

Learn:

  • How to scope your SOC 2 project
  • How to estimate the cost and length of your SOC 2 project
  • How to prepare for your SOC 2
  • How to succeed in your SOC 2 audit period
  • How to leverage your SOC 2 report to enable your business and sales