Perhaps your company is at the point in its growth curve where you need a person dedicated to security issues, or perhaps you’re looking to reboot your security team because of some of the problems outlined below.
What follows are over-generalizations about the best way to build a functional information security team, but that are in line with what I have seen succeed (and fail) in small and large engineering organizations. Note that this is really focused on information security for ‘production’ systems (those that end-users interact with in an online business), not necessarily internal IT security or physical security, though some principles still apply.
The Ideal Team Seed
Your first dedicated security person should be one of your best developers. They don’t need to be an existing employee, but their engineering skills should be top-notch. Production security breaches are typically related poor design decisions or bugs or structural flaws in code. The person you put in charge of security should know this in their bones, and be able to deep dive into most codebases and distributed system architectures quickly.
This person should be charismatic and be motivated by helping other developers rather than punishing them. Right or wrong, ‘security people’ have built a generally negative reputation through time as being mean or grumpy. A good person for this role really wants to mentor other developers who may not be aware of the nuances of good security design. They should be an excellent teacher, and a role model for how positive and effective communication in an organization is carried out. They do not seek to shame other developers into good security. Instead, they work hard to lift the skill and mood of their colleagues. They light up a room.
An effective security person understands that ‘better’ is better than ‘perfect’. They understand that ‘perfect’ is an unattainable goal, and will never go to the mat arguing to delay a product release for perfection. They balance security with usability, understanding that a secure but unusable system will be bypassed because people just need to get their work done.
This person educates management and developers in the company of the risks the company faces, but tempers security decisions with the tradeoffs to the success or velocity of the business. An effective security leader has a deep respect and understanding for the business side of the business and knows when to ease up in lobbying for better security.
Growing the Team
As the team lead, the seed person described above should have a great filter for choosing additional team members. Perhaps you need more mentors around the organization. Or depending on the nature of your business or need, you need some dedicated security engineers to do some low-level work on infrastructure libraries, and who are not necessarily going to mentor others. Another possibility is that you need to grow the team to interface with other parts of the business like the legal or customer care teams. Still another role would be a project manager handling compliance efforts like PCI or SOX. Each person you hire is critical, particularly in a small company. But even in a large org, the reputation of your security team is paramount. Compromising on personality traits will invariably tarnish your security team’s reputation, and thus, effectiveness in your organization.
Use this as your acid test: Do you and others in your organization look forward to interacting with your security team? If the answer is ‘no’, then maybe it’s time for a reboot. If the answer is ‘yes’, then you’re on a great path to building a great team and product.