Who In The World? Intro To Mapping Talent To Your CSP Stages
It is very tempting to assume that putting together a cybersecurity team is like assembling individual photos to create an intact image. Once again, assumptions are dangerous.
Groups of people are not teams. It's very easy for managers to think that people in a group will behave like a team because you've all had lunch together or you're all Sagittariuses or something like that. Wrong.
A team requires roles, shared responsibilities, rules, and enforcers. Maybe it's obvious but teams also need a mission.
Your cybersecurity program is the mission. But as Brendan's discourses on the NIST CSF make clear (e.g., here and here), there are different parts of the mission. Different parts require different specializations.
Formally put, there are six phases of the NIST CSF. We advise managers not to hire people to fill all six functions. Our talent assessment work with very effective leaders shows that even at the elite levels of cybersecurity leadership, different talents are needed for different phases.
We'll have a series on this but think of it this way to start: how many excellent cybersecurity people do you know who are good at governance and detection? And, what is it about recovery that makes it different than protecting?
Suppose that you bulked up on personnel who are good at defending -- let's face it, that's important -- and had no budget to hire someone good at identifying? You might end up with the lead picture in this post on your team: you know what you're looking at but it's not quite right.
We'll explore these sorts of questions using our talent model in future posts.
Ask us how you can find the talent you need for every stage of the cybersecurity program.
(Image credit: D2Owiki, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)
