Building a reliable security team is tough; there is no defined approach nor silver bullet.  The people we are defending against are intelligent, dedicated, and have a distinct asymmetrical advantage, with nearly unlimited time to find the one thing we miss.  This past decade has taught us that what we have been doing is not working very well.

I've been lucky to have latitude for creativity when building the security team at Rapid7.  So when Joan Goodchild asked me to join her for CSO Online's first edition of "security sessions" it felt like the perfect time to start socializing how we've approached building our team.

Rapid7, like many high-growth technology companies, has introduced a significant set of SaaS offerings over the past few years. With the introduction of these offerings, we needed to build a platform we believed our customers could trust. Given the current status-quo, we didn't feel like blindly following failed 'best-practices' was the right path, so we decided to forge our own.

Head over to CSO to get a glimpse into how we tackle building our team and program.  During this CSO Security Session, I spend several minutes discussing with Joan who we hire, how we hire, my views on certifications, higher education, technology (and its stagnation), and how we measure the progress of our security organization.

I hope our discussion stimulates some meaningful conversations for you, and I encourage you to think about the five following items:

  1. Have you done the fundamentals? Two-factor authentication, network segmentation, and patch management are all far more tactically important than nearly anything else your program could do.
  2. Do you need that security engineer with 7-10 years of experience? What about a more junior engineer that can write code, automate, and solve problems (not just identify them)? 
  3. Do you measure success with practical indicators? Don't try and fit into someone else's mold of 'metrics.' Take a look at what areas of your program you want to focus on, and use something like CMMI to measure the maturity (opposed to effectiveness) of those operations.  You can take a look at something like BSIMM to see how this can be done effectively in some security verticals. 
  4. Is a college degree, or a security certification something that should disqualify a candidate?  If you let your HR system automatically weed out people that don't have certifications or degrees, you are going to miss out on great resources.
  5. Do you understand what makes your company tick? If you can't become part of the success of your business, you will always be viewed as a problem.

The landscape we deal with is constantly changing and we need to adapt with it.  While I don't presume anything we've done is the silver bullet, the more we all push the envelope and approach our challenges creatively, the more likely we are to start shifting that asymmetrical balance into a more reasonable equilibrium.

I'd be interested to hear your thoughts on building out an effective security team. Share them in the comments or on Twitter -- I'm @TheCustos.