The traits of high performing security teams
The Power of Small, Fast, Grit and Cross-Functional Relationships
I haven't run an operational security team for well over a decade, but as a founder of three early-stage companies, I have seen a pattern in how teams in big and in small companies get security done. I have seen teams in small companies install tools into production in minutes, and then go on to immediately find and fix issues. I have also observed teams in mega-companies take a few weeks to get company-wide deployments up and running.
What is the secret? I thought I would share.
It is the size of the team, their culture of how fast they move, how much grit and determination they have to get shit done, and the cross-functional relationships they have across the company.
Being Small - There are so many examples of why being small matters. The Bezos two-pizza rule is perhaps the most famous: if you need more than two pizzas to feed a meeting, then there are too many people in the meeting. What I have seen is that when it comes to tool deployment, or to discussing the value a tool brings, if more than two pizzas' worth of people turn up, then the tool deployment is doomed to failure. There will always be one naysayer that people need to navigate (usually with silly objections), and you have to consider lots of opinions. Half the room will sit in silence until it's time to throw peanuts from the gallery, a few will question their colleagues' evaluation criteria, one will tell you this is a solved problem, and at least one will pop up with the hopeful kill signal, "this is not the right way to solve this problem".
Small teams don’t suffer from this. By their nature, they are people that like to get shit done and know how to do it. They are doing it for a reason, and with conviction, so the other things don’t matter.
Being Fast - Taking your time means indecision. Don't get me wrong, measuring twice and cutting once is a good mantra to have, but one of the tenets of DevOps and startups that you often hear is to move fast and break things. We live in a world of complexity where we can't possibly predict all the things that 'could' happen, and so observability is instrumented up front, allowing you to know when things are broken.
Being fast means you take measured risk.
Grit - Some teams just have it and others don't. The majority don't. Some cultures just have it, and others don't. After 20 years on the West Coast, and now living in the UK, I find the UK sadly rarely has it, whereas in Silicon Valley it's the norm. People who find creative ways to make things happen, don't take no for an answer, challenge silly rules, and have grit and determination built into their psyche are, in my opinion, the type of people that you want in the modern tech world.
Having grit means you get shit done, despite silly rules and established but daft folklore.
Cross-Functional Relationships - If someone from the platform engineering or DevOps team doesn't turn up to important meetings, you are doomed. Doomed to deploy, and doomed to get adoption. Effective teams have relationships that they have developed based on mutual respect. They understand each other's world, and never ever burn bridges. I am witnessing tools being deployed across an entire mega-corp right now, by platform engineering teams on behalf of security, in weeks. It's impressive. The team is smart and has great cross-functional relationships. Despite being in a mega-corp, they are also small, fast, and have grit. Good cross-functional relationships are not optional for security.
The best teams are small, fast, have grit and good cross-functional relationships.
As always, this article is cross-posted on LinkedIn for comments and feedback.