Top Three Cybersecurity Team Mistakes

I’ve worked with a lot of cybersecurity teams and run my own for a few years now, and I wanted to write a quick blog post about the biggest mistakes that I see happen on cybersecurity teams. This isn’t exhaustive, but these are the ones that immediately spring to mind.

1. Cops instead of partners

Do you find yourself saying “no” a lot? Do you notice complaints within your team about how clueless your users are? Do other teams take their sweet time responding to your emails? Do the developers duck into supply closets when they see you approaching in the halls (metaphorically, if you’re remote)?

If you answered yes to any of the above, your team may view themselves as cops instead of partners.

A lot of cybersecurity teams view their job as measuring vulnerabilities (whether technical or administrative) and then sending emails, memos or tickets demanding remediation. And while that’s not wrong, it misses a lot.

The real goal of a cybersecurity team is to improve security posture. If everyone hates you, and avoids you, and says what they think you want to hear to get you off their case, the security posture will suffer regardless of how diligent your scanning and reporting is.

I feel like everyone knows this one so I’m not going to talk about how to avoid “Pure coppin’”, but comment if you’d like that as a separate blogpost.

2. Giving in to gadget lust

Everyone is familiar with gadget lust — that desire to have the latest iPhone, tablet, mechanical keyboard (ouch), noise cancelling headphones (this really hurts) or piece of music gear (this is getting personal).

Cybersecurity partners can fall into the same traps with tools. And I think it’s completely understandable — threats are constantly evolving. Available countermeasures are also constantly evolving. New tools are introduced at breakneck pace and it can feel like you’re going to get left behind if you’re not at least doing a POC of the latest and greatest thing.

So while that impulse isn’t entirely wrong, it can grow to the point where you’re taking your team away from running the tools you already have. And the fanciest new tool that your team is still learning and configuring is still worth less than an old tool that they know how to use really well.

Our solution is to limit which tools we consider on an annual basis. Sounil Yu’s “Cyber Defense Matrix” is a great tool to use here — map all of your products to make sure you have coverage where you need it. Then every year you rate the products, and the 2-3 lowest performing ones are candidates for replacement. Then you spend time gathering requirements, looking at best practices and examining alternate solutions, and you’ll find you can keep your products up-to-date without robbing time from running what you already have.

3. Letting people burn themselves out

This is more aimed at managers, but here’s something I’ve found to be true: the people most passionate about cybersecurity are the most likely to overwork (without you pushing them at all) and burn themselves out — all while you stand by and praise them for their initiative.

Honestly, this is true of any discipline, not just cybersecurity, but due to the stressful nature of cybersecurity I think it’s even more prevalent.

That person who worries constantly about your organization getting hacked is probably working more hours than they should. They’re probably keeping their phone handy and checking their email every time an alert comes in from the SIEM. They’re probably logging in on weekends to “check on a few things.”

You need to stop them from doing that. Here are a few things that help:

  1. Get a managed EPP, SIEM, XDR, or whatever solution provides 24/7 monitoring, so you know someone is always watching — and your team doesn’t have to do it themselves (this is way cheaper than hiring enough people to staff a SOC yourself, or replacing a senior engineer every six months because they’re burned out).
  2. Create policies around on-call rotations, communication and even notifications (we have a “contact table” that says how to contact everyone in a high priority incident, and email or chat is not allowed — it must be a text or a phone call, depending on the person’s preferences. This way our team can disable email and chat notifications at night and still know they won’t miss anything urgent).
  3. Keep an eye on how often people are taking vacation, and make sure your team is taking theirs.
  4. Have regular 1 on 1s, and ask people how they’re doing, how their workload is, how often they’re working at night or on weekends, etc. You’d be surprised how much people are working when you don’t realize it.

But wait, there’s more

In fact, there are so many things that can be done wrong on a cybersecurity team.

And let me offer a little disclaimer here — you may disagree with the things I highlighted above, and that’s fine. These have been my experiences, but maybe yours have been different.

So let me know if you think I missed a major mistake that cybersecurity teams make. I know there are more (I limited myself to three so this blog post wouldn’t be 10,000 words).

Thanks for reading!