Rethinking How Cybersecurity Work Gets Organized
Most cybersecurity organizations are structured the way hospitals organize specialty clinics: discrete functional teams (SOC, IR, GRC, AppSec, vulnerability management, identity), each with its own leaders, metrics, and budgets. Work flows through routing and handoffs. The model builds deep expertise and clean reporting lines, and it is the structure most CISOs inherited.
Its failure mode shows up at the seams. The acquisition integration that needs SOC visibility, IR readiness, GRC sign-off, and AppSec review of inherited code moves through four functions on incompatible timelines. The product launch that needs threat modeling, control implementation, monitoring tuning, and incident response plans gets each piece from a different team. The vendor onboarding becomes a series of parallel reviews that finish weeks apart. By the time anyone sees the whole picture, the picture has changed.
The pattern isn't a failure of any individual function. Each function is doing its job. The pattern is a failure of organization -- of how cybersecurity work is bounded, assembled, and accountable.
Consider an alternative model. Hospitals don't run all their work through specialty clinics. When a trauma case arrives, a small team of specialists with complementary capabilities forms around the case under unified command, works the case to stabilization, and dissolves. The trauma team is an organizational unit that exists for the duration of the engagement, not a permanent structure with stable staffing. The empirical record on this model is strong: structured trauma teams produce better outcomes than service-by-service care across multiple performance dimensions (Georgiou and Lockey, 2010). The same idea appears with different lineage in fusion cells, the intelligence-community structure for analysts, operators, and technical specialists working a bounded mission under unified command. The principle is the same: organize around the mission, not the function.
Cybersecurity has missions. The acquisition integration is a mission. The product launch is a mission. The active incident is a mission. So is the regulatory examination, the divestiture consolidation, the major systems migration -- all missions. These are bounded engagements with defined success criteria that don't fit naturally into a structure designed for continuous functional operations.
The proposal isn't to dissolve the functional structure. Some cybersecurity work is genuinely continuous (24/7 monitoring, baseline identity governance, steady-state vulnerability management), and the specialty-clinic structure is the right home for it. The proposal is a hybrid: a thin functional spine that sustains continuous capabilities, plus a portfolio of mission teams that form, run, and dissolve around bounded objectives. The interesting design question for any CISO is which work belongs where.
Three things have to be built deliberately for mission-organized cybersecurity work to function.
Recruit aggressively from adjacent fields. Mission teams need people who bring diverse problem-solving experience, comfort with ambiguity, operational discipline under pressure, and the ability to work across domains they don't fully control. Those capabilities are abundant in candidates from military service, intelligence, law enforcement, finance and risk management, operational consulting, and engineering disciplines outside cybersecurity. The industry has too often treated these candidates as second-best to credentialed cybersecurity natives, when they bring exactly the cross-domain capability mission-organized work requires. For the next five to ten years, building a cybersecurity leadership pipeline will require systematic recruiting from adjacent fields rather than competing in a thin market for conventionally credentialed candidates. The native and the cross-domain hire aren't in tension; mission teams need both.
Build rotating leadership. The mission lead is whoever has the right combination of authority and context for that mission, not whoever holds the senior functional title. This depends on real psychological safety, the kind where a senior person can take direction from a junior person without it being a status event. Most cybersecurity organizations don't have this condition by default; it has to be built deliberately, and it depends on behavioral conditions across the team that are measurable but rarely measured.
Make accountability travel with the mission. Functional metrics (alert resolution times, vulnerabilities closed, audits passed, etc.) are inadequate for mission accountability. Mission teams need to own mission outcomes, which means the executive layer above them needs to understand what those outcomes are and resource them accordingly.
What this means strategically
The harder change is in how the rest of the organization understands what cybersecurity is for.
The functional model invites a particular kind of executive conversation. Strategic decisions are made by the business, and security is brought in to assess and implement after the fact. This is the dynamic where security gets treated as "the department that says no," a dynamic that has more to do with how security is positioned in strategic conversations than with how teams are staffed.
A mission-organized model invites a different conversation. The portfolio of missions becomes visible at the executive level. The acquisition integration mission has an owner, a team, an outcome, a timeline, and a resource envelope. The business sees what cybersecurity is doing not as a black box but as a set of named engagements tied to outcomes the business already cares about. This makes cybersecurity legible to executives in a way the functional model rarely achieves, and legibility is what unlocks strategic resourcing.
It also changes the incident conversation, because incidents become missions. The team that forms around a serious incident isn't an interruption of normal operations; it's the same kind of organizational unit the company uses for other bounded, high-stakes engagements. The cultural status of incident response shifts from "the alarm went off" to "we activated the team."
This is a concept post grounded in a century of behavioral science, not a finished prescription. Three open questions deserve their own pieces: how missions are bounded and chartered at different scales (incident, initiative, program); what behavioral preconditions (psychological safety, role clarity, cross-functional trust) make mission teams actually function; and how to design the hybrid structure that determines what stays functional and what becomes mission-organized. We'll address these in subsequent posts.
Ask us how you can integrate your missions into your organizations.
(image credit: By Dani Safa Adi Nugraha - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=186196453)