During your studies, did you have a major? What was it? Along the way, did you select and perhaps enjoy minor courses of study?
A recent article in Fast Company questioned why we leave the notion of majors and minors to formal education. Why not the workplace?
The examples in the article focused on bringing outside interests and passions into work. It’s a good idea, especially when building relationships. Bringing in passions, hobbies and outside interests is a great way to establish a common context – essential to effectively communicate value.
But the concept of majors and minors is bigger (and better). It’s a way for individual and team advancement.
The majors and minors within the security team
Once upon a time, security was… security. As the field continues to mature, more specialties and areas that require additional knowledge, training and experience emerge.
Is everyone on the team capable of all functions of the team? Should they be?
Teams and businesses get into trouble when they take on tasks they shouldn’t. When everyone tries to do everything, friction builds and value erodes.
Apply the concept of majors and minors to a security team to build on individual talents and skills. Each person has a ‘major,’ mapped to a key function of the security team. Break it down across prevention, detection and response – and the various elements that make sense for your team. This means each person has a specific focus and responsibility for execution and learning.
A common concern among security teams is a lack of resources. This often proves true during incidents and vacations. This is the opportunity of ‘minor’ areas of study. Welcoming individuals to explore and focus on ‘minor’ areas of study provides multiple benefits:
- establish resilience in the security team through cross-training
- build a stronger team by structuring a way for people to teach and learn from each other
- keep people engaged and foster fresh thinking with new ideas and different ways of doing things
Instead of counting on everyone to do anything and everything, this is a chance to introduce structure, discipline and focus – with flexibility and opportunity. It becomes a way to measure and demonstrate what the team can do.
The concept of majors and minors solely focused within security brings benefit to each individual and the overall team. Growing beyond security, the same concept sets the stage for a successful, high-performance team.
The majors and minors – for successful teams
“Why are they selling security work to competitors if we can do it?”
It baffled me, as a young consultant in a fledgling security practice, to learn that partners in the broader organization were selling security work… to our competitors. Since they didn’t know we existed, they opted to farm the work out so their clients were happy.
In response, the practice lead simply replied, “Great question! Figure it out and get a plan back to me in two weeks.”
At the time, my ‘major’ was security – with two clients relying on me. I quickly developed a minor in “learning how to market” on the fly. I’m not sure I’d look back at what I cobbled together as a model for how to market security, but it worked. In some sense, it marked the start of my pursuit of the science and practice of effectively communicating value. I just applied what I learned, studied and developed to the world of security.
That creates another opportunity for a ‘minor’ course of study: skills and insights complimentary to security.
Today’s security teams need to communicate, explain, market, sell… to persuade. More, they need to rely on the same skill-set to discover, learn, collaborate and advance. I’m always amazed by the depth of talent on the teams I work with – photographers, speakers, writers, poets, DJs, musicians and so forth.
Similar to the notion of the Fast Company article – what individual passions contribute to a better team?
Build a high-performance security team
Blending both concepts lays the foundation for a security team that is focused, flexible and successful. To work through the process, consider the following:
- Define security majors: Define the “majors” your team needs, distributed across prevention, detection and response. Consider the specific skills, as well as the general skills, required for some security positions.
- Define security minors: Then make a list of the minors – a blend of less relied-upon security skills, in-demand security skills and the list of skills and experiences required for your team to be truly successful.
- Define additional minors: What skills would allow your team to support the business in multiple dimensions? Think about facilitation, visualization and other skills that benefit your team and others.
Formal education is an investment. The same applies to the majors and minors of successful security teams. The structure, planning and implementation takes time. Getting it right means making an investment in the time and training necessary to bring it all together.
An ongoing effort, it’s the sort of team that people seek out. It attracts and grows talent. What skills and abilities are necessary for a security team to thrive within the organization?
About the Author: With nearly two decades shaping information security, Michael Santarcangelo (@catalyst) is known as the Security Catalyst. Leaders rely on his practice to connect people to value by taking friction out of communication. Freed-up energy focused on value enables higher levels of performance.
Author of Into the Breach, Michael trains, creates, and guides leaders, select vendors, and enterprises on effectively communicating value and demonstrating results.
Connect with Michael on Google+, Twitter & LinkedIn
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.