#HowTo: Measure the Performance of Your Cyber Team


Every day, businesses face a growing number of cyber-threats and attacks that require new approaches to assessing and improving security. However, cybersecurity professionals are so overwhelmed with responsibilities that it is hard to tell whether security posture is being maintained, let alone improved.

Effective team performance management is crucial if you are to drive improvements and keep hold of your top talent. It is not easy, but this article will walk you through how you can do it.

Step 1: Delve Deep into Each Role

The term cybersecurity is perhaps too broad because there are so many specialist areas and responsibilities within it; 52 work roles in fact, according to the NICE Cybersecurity Workforce Framework from the National Institute of Standards and Technology (NIST), an authority in cybersecurity education, training and workforce development.

The framework is built in layers: workforce categories, such as Operate and Maintain or Protect and Defend, contain specialty areas, and each specialty area contains work roles. While this may seem overwhelming, the framework provides a clear description of the responsibilities of each work role and further breaks each one down into KSAs (knowledge, skills and abilities).

As the requirements for cybersecurity can also vary wildly from business to business, it may be that you have individuals covering multiple NIST-defined roles. Therefore, as a first step in establishing a robust performance management program, we strongly recommend you read the NIST framework and determine where each member of your team sits within it.   

Step 2: Set Clear Objectives

Part of the challenge behind performance management in cybersecurity is a lack of clear objectives because it’s challenging to define what success looks like.

Armed with NIST’s clear definitions of what every role should be doing and should be expected to do, you can then look at how your team can excel in their roles and what is required at each level to enable them to progress. 

At RankedRight, we’re big believers in OKRs (objectives and key results). While there will be KPIs for the division as a whole to determine how it is performing, as well as SLAs to meet, OKRs allow you to set each team member with:

  1. Objectives, e.g., improve the speed at which vulnerabilities are addressed.
  2. Measurable key results to show they’re getting to those targets, e.g., a 20% reduction in the average time between identification and remediation of a vulnerability.
  3. A number of initiatives that the person will put in place to achieve the key result, e.g., source and onboard an effective vulnerability prioritization tool to replace time-consuming manual triage.
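The key result in point 2 only works if the team measures it the same way every quarter. The script below is an added example, not RankedRight's code or tooling: it computes mean time to remediate (MTTR, in days) from a list of findings, per severity and overall, and checks the 20% reduction target against a baseline period. The findings, field names and dates are constructed for illustration; open findings (no remediation date) are excluded from the average rather than silently counted as zero, which is the usual way such a figure gets inflated.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One vulnerability record. Field names are assumptions for this example."""
    finding_id: str
    severity: str
    identified: datetime
    remediated: Optional[datetime]  # None while the finding is still open


def _days(finding: Finding) -> float:
    return (finding.remediated - finding.identified).total_seconds() / 86400


def mean_time_to_remediate(findings: List[Finding], severity: Optional[str] = None) -> Optional[float]:
    """Average days from identification to remediation over CLOSED findings only.

    Open findings are excluded: counting them as zero would make the metric
    look better the more the backlog grows. Returns None when nothing closed.
    """
    closed = [
        f for f in findings
        if f.remediated is not None and (severity is None or f.severity == severity)
    ]
    if not closed:
        return None
    return mean(_days(f) for f in closed)


def key_result_met(baseline_days: Optional[float], current_days: Optional[float],
                   target_reduction: float = 0.20) -> bool:
    """True when the current MTTR is at or below baseline * (1 - target_reduction)."""
    if baseline_days is None or current_days is None:
        return False  # no basis for a claim of improvement
    return current_days <= baseline_days * (1 - target_reduction)


def okr_report(baseline: List[Finding], current: List[Finding],
               target_reduction: float = 0.20) -> Dict[str, dict]:
    """Per-severity and overall comparison of two periods against the key result."""
    severities = sorted({f.severity for f in baseline + current})
    report = {}
    for label, sev in [("all", None)] + [(s, s) for s in severities]:
        before = mean_time_to_remediate(baseline, sev)
        after = mean_time_to_remediate(current, sev)
        report[label] = {
            "baseline_days": before,
            "current_days": after,
            "open": sum(1 for f in current if f.remediated is None and (sev is None or f.severity == sev)),
            "met": key_result_met(before, after, target_reduction),
        }
    return report


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed sample data: one baseline quarter and one current quarter.
BASELINE = [
    Finding("V-001", "critical", _dt("2024-01-02"), _dt("2024-01-12")),  # 10 days
    Finding("V-002", "high",     _dt("2024-01-05"), _dt("2024-01-25")),  # 20 days
    Finding("V-003", "medium",   _dt("2024-01-10"), _dt("2024-02-09")),  # 30 days
    Finding("V-004", "high",     _dt("2024-02-01"), _dt("2024-02-21")),  # 20 days
]
CURRENT = [
    Finding("V-101", "critical", _dt("2024-04-01"), _dt("2024-04-06")),  # 5 days
    Finding("V-102", "high",     _dt("2024-04-03"), _dt("2024-04-18")),  # 15 days
    Finding("V-103", "medium",   _dt("2024-04-10"), _dt("2024-05-04")),  # 24 days
    Finding("V-104", "high",     _dt("2024-04-15"), _dt("2024-04-27")),  # 12 days
    Finding("V-105", "medium",   _dt("2024-05-01"), None),               # still open
]

if __name__ == "__main__":
    for label, row in okr_report(BASELINE, CURRENT).items():
        print(f"{label:9s} baseline={row['baseline_days']} current={row['current_days']} "
              f"open={row['open']} met={row['met']}")
```

Reporting the open count next to the average is deliberate: an MTTR that improves while the open backlog grows usually means the easy findings were closed and the hard ones were not, which is exactly the kind of thing a key result on its own can hide.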

Step 3: Be Mindful of Wellbeing

While the NIST framework is incredibly comprehensive, it does not factor in how the roles within your team are affected by constraints such as company pressures, team size or technology available.

With burnout being a significant problem in cybersecurity because of the pressure people are under, make sure to set targets that stretch your team but don’t overwhelm them. Otherwise, you could be heading for a bigger problem: a skills shortage.

When RankedRight was in its early stages, we spoke with a large managed security services provider that had seen one of its clients lose four of its six-person team to stress.

If you’re new to the business, don’t just expect the team to adopt the targets you utilized at your last firm. You need to understand that business and the team’s capabilities first. 

Step 4: Involve Your Team

As industry expert Lawrence Munro put it in his Guide to Leadership in Cybersecurity, good leaders understand the value of delegation and trust their teams. He wrote: “leaders pull from the front and managers push from the back.” We agree it is far more effective to empower your team to do their best than to micromanage them into a role they hate.

What better way to engage and empower your team than to involve them in setting their own OKRs? After all, no one has a better understanding of the ups and downs of a job than the person doing it.  

Why not allow them to comment on their targets, particularly if they feel there are barriers or challenges in meeting them? This would support fairness and may aid in optimizing the performance management system in the future.

Beyond objective setting, you can also involve your team in 360-degree reviews of others. Just be aware of personality clashes that might sway opinions on performance. 

Step 5: Remember No Performance Management Program is Set in Stone

Cybersecurity is constantly evolving, and your performance management plan needs to change with it. This means keeping a close eye on the targets that have been set, particularly if events, such as major breaches or team absences, have occurred.

The best approach is to keep lines of communication open to ensure that you give your team the best opportunities to shine for you.

Performance tracking isn’t straightforward in cybersecurity, but our recommendations should help create motivated and hard-working teams driven to keep your company protected against attack. 
