Cybersecurity Team Structure: Best Practices — decodingCyber: Cyber Made Simple

Building a Cybersecurity Team Structure: Best Practices

Every organization has a cybersecurity team. Some teams are big, some are small. Some invest a lot in protecting their companies, while others … take risks. It all depends.

Now, wait a second. You might say, “I run a small family business. We don’t even have an IT team. How could I possibly have a cybersecurity team?“

Great question!

What is a cybersecurity team?

Nowadays, almost everything associated with the internet has some layer of cybersecurity. That includes all the networks, systems, applications, and devices you’ll ever use.

Think about email. Do you have a spam filter? Do weird emails automatically go into a junk folder or come with a warning?

If so, your email provider scans your messages for potential cyber threats. In other words, your email provider is part of your security team.

For some businesses, this is the extent of their cybersecurity team. It’s cheap, easy, and relatively effective. For a small company, it can be a great way to start.

But as your business grows, you’ll need better protection. The more data enters your systems, the more attractive you are to bad actors. To stay safe, you need people putting defensive measures in place. People you know and trust. People you can talk to.

That’s why you build a cybersecurity team. But who should be on your team? How big should it be? How should it be structured? And what should it do?

Let’s dive in!

Who should be part of your cybersecurity team?

While there are many different ways to build your cybersecurity team, three types of people should be part of your team: leaders, experts, and partners.

Leaders
Who should lead your cybersecurity team? Should it be your longtime Chief Technology Officer (CTO)? Your new Chief Information Officer (CIO)? Should you bring on a Chief Information Security Officer (CISO)? Enlist a Director of Cybersecurity from IT?
Whoever you anoint as your cybersecurity leader (or leaders), you want them to be a decisive decision-maker, a skilled collaborator, and a strong communicator. Cybersecurity is a team sport. Leaders show the way, providing guidance and instilling confidence. But they can’t do everything themselves.
Experts
Cybersecurity expertise is a very distinct skill set. People often assume a skilled IT employee is a cyber expert, but that is false. Don’t get me wrong, some might be, but it can’t be assumed.
Why? Because in business, cyber expertise comes from responsibility. If IT is only in charge of building and maintaining your network, that is exactly what they will do. That is a different mission than defending your network.
Think of medical professionals. They vary in skill and ability. A neurosurgeon is highly skilled at surgery, but if you have pain in your stomach, would you see them? Probably not (err, let’s hope not).
Cybersecurity and IT might overlap, but they’re not the same. They require different skills and mindsets.
Expertise also varies within cybersecurity. A cybersecurity engineer is different from a cyber risk analyst. The engineer knows the nuts and bolts of cyber defenses, while the analyst looks at how cyber threats affect business risks.
In general, figure out the expertise you actually have, not the expertise you think you have. Once you have that understood, then you can fill in the gaps.
Partners

As you structure your team, consider developing internal and external partnerships. For instance, your cyber leader may identify various employees, like directors and functional leaders, as internal partners for training end-users.

Your leaders also might want to partner with consultants. These folks can bring crucial skills like third-party auditing, reporting, and strategic planning. If they’re not part of your core team, that’s OK. Not everyone needs a daily briefing to be effective.

How big should your cybersecurity team be?

Once you determine who should be on your team, you’re ready for headcount. But there’s no formula for this. You can’t just multiply accounts by terabytes and divide by employees. Factors like your industry, threat climate, and risk levels determine the size of your cybersecurity team.

Still, here are sound general principles to follow (keep in mind that the number of employees per business is based on the European Commission’s standards).

Microenterprise
A microenterprise consists of 1 to 9 people, so technically, it includes solopreneurs. Businesses this small usually have leadership teams that perform functional duties. So your cybersecurity team could be half your company, maybe even everyone.
That’s good — it gets everyone thinking about cybersecurity from the beginning.
But if you need to pick and choose, designate at least three people on your team.
Microenterprise Size: 1-9 people
Security Team:
- CEO
- CTO, CIO, or equivalent (reporting to the CEO)
- Skilled and trusted consultant (reporting to the CEO)
Small Enterprises
A small enterprise comprises 10 to 49 people, about five times as big as a microenterprise. It’s typically more established, with investors, prospects, customers, and revenue. It may have functional teams reporting to leadership, customers, partners, and a Board of Directors (BoD).
If you grow from a microenterprise to a small enterprise, you should tweak your cybersecurity team to include a dedicated cyber leader and multiple expert consultants. It’s also critical that from here on out, all cybersecurity experts should report to the CEO, not the CTO or CIO. Want to know why? Check out our dedicated article on it!
Small Enterprise Size: 10-49 people
Security Team:
- CEO
- CTO, CIO, or equivalent (reporting to the CEO)
- Virtual CISO or Director of Cybersecurity (reporting to the CEO)
- Expert consultants (reporting to the CEO)
Medium Enterprises
A medium-sized enterprise consists of 50 to 249 people. It’s only five times larger than a small enterprise but has vastly more employees, customers, and risk.
If you own a company of this size, you should no longer be part of your cybersecurity team. You’re too deeply involved in the business to lead cyber defense operations.
As your operations have expanded, your attack surface has grown immensely. Managing it is an increasingly important job requiring a dedicated team.
For the team to be effective, you must step back, delegate, and trust your teammates. You can still have insight into the team’s processes. But the team needs autonomy to navigate the daily cyber grind effectively. There should be a crucial shift in the team's authority at this stage: the CISO or equivalent should be in charge of the security team, again reporting to you (the CEO).
Medium Enterprise Size: 50-249 people
Security Team:
- CISO or equivalent (in charge of the team and reporting to the CEO)
- CTO, CIO, or equivalent (reporting to the CEO)
- Cybersecurity personnel (reporting to CISO)
- Expert consultants (optional but recommended; reporting to CISO)
Large Enterprises

A large enterprise consists of 250 or more people. You should have a robust, integrated cybersecurity team if you're running a big business.

Why? Because now you’re a bigger target. Cybercriminals are eying you. Sooner or later, they'll find a vulnerability. How will you respond? Will you neutralize the threat before it does significant damage?

**ProTip**

The accountability of cybersecurity resides with the board and CEO (not solely with the CISO). Having the CISO provide the CEO and board with insights and guidance during BoD meetings is prudent to ensure all parties can make informed decisions.

Cyber forces you to plan for the worst. If something goes wrong, could your business survive? Do you have the customer loyalty, legal team, and PR muscle to withstand a massive, embarrassing mishap?

To cover all these possibilities, you need cybersecurity embedded in the framework of your organization, starting at the highest level.

This is why one fundamental change here is that you want to remove the CTO/CIO from the security team. This signals to the executive suite and Board of Directors (BoD) that the CISO is in charge of cybersecurity for the organization. It also allows the CTO/CIO to focus on matters that warrant their full attention, like future product innovation (CTO) and IT infrastructure growth (CIO).

Large Enterprise Size: 250+ people

Security Team:

CISO (reporting to CEO)
A large team of cybersecurity personnel (reporting to CISO)
Expert consultants (optional but recommended, reporting to the CISO)

How much power should your cybersecurity team have?

An excellent cybersecurity team will keep your company safe — if it has the right tools and the power to use them.

How can you make that happen? Let’s talk. It’s pretty interesting.

Imagine you create a cybersecurity dream team. You outfit it with all the latest technology. You give it a seat at the table. You tell it to do “whatever it takes.”

But every time its leader reports back to you, you question their motives. You scrutinize their process even when you get the data to justify the action.

Now that leader takes their cues from you. They start questioning their team, rejecting proposals, and bemoaning the lack of creativity and expertise.

Sound like a healthy, productive environment?

A pro-tip to help you build an effective cybersecurity team — **ProTip**

Don’t ask anyone on your cybersecurity team to write a 25,000-word brief to justify a preventative measure. That takes away resources and lowers morale. Give them a budget and let them do what they are there to do: protect your business operations while other teams drive up revenue.

If there’s one thing that every cybersecurity team needs, it’s trust. There’s nothing worse than being on a team where a skeptical leader constantly undermines people.

In cyber, this happens around costs. Protecting your business from bad actors isn’t cheap. But doing it strategically can increase the return on investment and unlock business value.

Innovative companies see cyber as an opportunity. So senior leaders need to have a dialogue with team members. Transparency builds trust — and helps everyone see cyber as a win-win.

How much should your cybersecurity team educate employees?

The short answer: a lot (but not too much).

In cyber, it’s common to hear, “People are your greatest vulnerability.” Whether that’s true or not, why not turn any potential vulnerability into an asset?

Training and education are critical components of any cybersecurity team. Sure, your software solutions would automatically prevent every threat in a perfect world.

But human error will always be part of the equation. A whole sub-category of phishing exists solely to trick CEOs into disclosing sensitive company information. Unfortunately, it sometimes works.

Let’s look at phishing awareness. Help your employees learn to properly filter phishing emails. Ensure they know the basics of how to spot a phishing email, consider using a phishing simulation, and give them an easy way to report suspicious emails and unusual things on their work devices. Above all, reward the desired behavior you want them to exhibit.

Awareness training doesn’t happen overnight or without an organization taking purposeful steps. If you are a large enterprise, you can always develop an in-house solution, but there are plenty of reliable off-the-shelf options.

When looking for an off-the-shelf option, focus on two key factors:

High entertainment value. If your training program is dull, your employees will only pretend to watch it, so they get credit. If it’s funny and exciting, they’ll engage with it and take away the lessons in a meaningful, actionable way.
Simplicity. Don’t make cybersecurity education overly complicated. Your employees will tune it out.

Effective cybersecurity teams share intelligence

One last thing to remember about your cybersecurity team is that it should never operate in a silo internally or externally. Information about threat levels is precious. Unlike intellectual property or strategic insights, possessing it is not zero-sum. Sharing it gives you a competitive advantage.

When your company collects information about threats, you must holistically share your data with competitors, industry partners, and the government (particularly federal law enforcement). Develop relationships with these folks before threat levels rise so that you can be proactive.

This isn’t just about preventing criminals from entering your systems and evading detection. It’s about creating an environment of mutual protection and safety. Fear and criminality aren’t just bad for business, but for society at large.

Think of this as the “neighborhood watch effect.”

Pretend your next-door neighbor comes home to find their back window broken. If they say, “Well, the burglar only took a few items, some pricey, but all replaceable, no reason to report it to the police. Plus, I don’t want a cop car in front of my house. What will the Joneses say?!” — then the criminal may conclude that the crime was easy and make plans to strike again. What’s to stop the burglar from targeting your home next?

On the other hand, if your neighbor files a police report and tells you and other neighbors, they start to create the conditions to protect not only their house but everyone’s house. They are changing the environment to play to the neighborhood’s advantage. Even if these come at a momentary cost of worry or convenience, that outweighs the risk of letting the crime go effectively unnoticed.

Companies are rightly scared of civil or legal litigation. They may not want to face reputational damage. But the alternative is worse. Keeping detection data secret is likely to be more costly in the long run, especially considering reporting requirements being championed by General Data Protection Regulation and similar regulations.

Conclusion

Once a breach happens, a company needs a cybersecurity team to stop it immediately and minimize the chance of it occurring again. This only works if the company has the team in place before the breach, not after.

Ideally, your security team is flexible, agile, and proactive enough to neutralize threats in the first place. Nothing less than the existence of your business is at stake.