On Integrating Your Cybersecurity Team and Cybersecurity Function: A Three-Part Series



Pythia Cyber is uniquely focused on the behavioral and organizational conditions that determine whether cybersecurity investments produce cybersecurity outcomes. We focus on cybersecurity talent at the engineer, manager, and leader levels, and on the culture and talent strategy that surround them. Brendan refers to this as TAU: the systems, processes, and talent implementation strategies that create cybersecurity.

You can't hire your way to better cybersecurity if your systems, processes, and talent implementation strategies are inadequate and misaligned. You can't organize your way to cybersecurity through systems and processes that are under-executed by less-talented personnel, managers who can't connect with their teams and stakeholders, or leaders who can't lead.

You need talent and you need a talent strategy. And you need the people running cybersecurity to be "bilingual."

Cybersecurity leaders are translators by necessity. They face downward into the technical reality of threats, controls, vulnerabilities, and operations, and they face upward into the executive reality of risk, governance, capital allocation, and strategic decisions. The downward language is what most cybersecurity leaders were trained in. The upward language (risk management, executive translation, strategic framing, board-level recommendation) is the one most cybersecurity leaders are weakest in, and the one that most determines whether cybersecurity gets a seat at the strategy table.

Most cybersecurity discussion lives at the necessary and required technical layer of controls, threats, tools, and incidents. But the gap between organizations whose cybersecurity programs produce outcomes and organizations whose programs do not is rarely a technical gap; it is an organizational strategy gap. The pieces in this series examine three dimensions of that strategy gap and what to do about each.

1. The Other Half of the Cybersecurity Talent Problem

We provide an extension of Eric Cole's The Cyber Talent Lie.

Cole is right that the industry's talent shortage narrative is masking strategic failures in how organizations recruit, develop, and retain security professionals. We extend the argument: solving the supply-side talent problem for the security team is necessary but not sufficient. The behavioral risk surface across the broader workforce (the 95 percent of employees who don't work in security but whose daily decisions determine actual organizational risk) is a second talent problem that no security team alone can address. Resilient organizations work both layers. The translation work happens at the seam between the cyber-doers (the technical workforce) and the cyber-overseers (the executives and boards making decisions about resourcing, risk, and strategy).

Read this if: You are thinking about cybersecurity talent strategy, security team retention, or the relationship between security investments and security outcomes.

2. The Trauma Team and the Specialty Clinic

On rethinking how cybersecurity work gets organized.

Most cybersecurity organizations are structured like hospital specialty clinics: discrete functional teams (SOC, IR, GRC, AppSec) with their own leaders, metrics, and budgets. Work flows through routing and handoffs. The model has virtues, and it also has a failure mode: the seams. Acquisitions, product launches, vendor onboardings, and incidents fall through the gaps between functions. We propose a hybrid: a thin functional spine for continuous work, plus mission teams that form, run, and dissolve around bounded objectives. Mission teams require T-shaped or M-shaped talent profiles, which suggests the cybersecurity industry should be recruiting more aggressively from the fusion cells found in adjacent fields (military, intelligence, law enforcement, finance, operations) rather than relying on the narrowing pool of conventionally credentialed candidates.

Read this if: You are reorganizing a security team, struggling with cross-functional cybersecurity work, or thinking about how cybersecurity should be positioned in your operating model.

3. What Organizations Should Expect from Cybersecurity Leaders

Adapting JP Elliott's "decision leadership" framework to cybersecurity.

Most CISOs are technically excellent, which is real and necessary. Decision leadership sits on top of that baseline and requires four capabilities: asking questions that change the direction of a strategic conversation, framing decisions so the real choice is visible, surfacing trade-offs before decisions are committed, and bringing a recommendation rather than just an analysis. These are upward-language capabilities (the risk management dimension of cybersecurity leadership), and they are the dimension most cybersecurity development programs neglect. Organizations should expect these capabilities from their cybersecurity leaders, and cybersecurity leaders moving into senior roles should be deliberately developing them. The four capabilities determine whether cybersecurity is a strategic function or an operational one.

Read this if: You are hiring, developing, or evaluating senior cybersecurity leaders, or moving into a senior cybersecurity role yourself.

How the three pieces fit together

The three pieces share a common claim: cybersecurity outcomes are determined by organizational conditions that most cybersecurity discussion never names, so we are naming them:

  • The first piece names the workforce-wide behavioral conditions that determine whether security investments translate into security outcomes.
  • The second piece names the structural conditions (how work is organized) that determine whether cybersecurity functions can act on what they see.
  • The third piece names the leadership conditions that determine whether cybersecurity is in the strategic conversations where decisions are made.

Organizations that produce strong cybersecurity outcomes are the ones that treat cybersecurity as an organizational problem rather than only a technical one, and the ones whose cybersecurity leaders are fluent in both languages: the technical downward and the risk-management upward. The behavioral risk surface, the structural design, and the leadership capability all need attention. Risk grows where attention is not paid to all three.

Ask us how we work with organizations to reduce risks through aligning cybersecurity talent and strategy.

(image credit: NPS Photo, Public domain, via Wikimedia Commons)
