ADVISING & CONSULTING


I provide flexible solutions to your security and strategic challenges, tailored to fit your business needs. My services range from 90-day fixed-price sprints, designed to achieve significant progress in a specific area, to long-term support and advice facilitated through equity contracts. While I frequently work independently, I also customize teams of experts capable of addressing any security issue.

Companies face many hard questions when they hire a security leader. I help CEOs decide when to prioritize hiring a dedicated security leader, where to have them report within the company, what type of skillset the new leader should possess, and how success for the role should be defined. I sometimes work with a company recruiting team on the process of sourcing and hiring as well.

Bad security is a true liability for a company and good security is a brand halo. But the road from one to the other requires real technical, operational, and cultural investments. I aid companies in looking at their overall security risk profile and making smart decisions about how to quickly reduce actual risk and turn their security profile from a potential liability into a means of building trust with customers.

It’s not easy to be the leader in a company charged with putting the brakes on bad practices and implementing the right guardrails without derailing the business. I help up-and-coming security leaders find their voice, build their executive presence, and develop strategic approaches to making positive change in their organization.

To stand in the shoes of customers and ensure their safety, we need to understand them and the different ways they view the world. There’s no better way to get that perspective than to build a diverse security team. Modern security teams need to reject the perception that they are a group of ninjas, and instead build a team of educators and nurses – we educate people to prevent them from falling into harm in the first place, and we support them and get them to safety when they do get hurt.

Why do I call out Diversity as a foundational element of building a security team?

I have had the privileged opportunity to build a security team inside a growing technology company three times. Each was a chance to learn new lessons on how to better bring together a group of people with a shared mission of preventing harm to customers.

One thing I figured out quickly is that security work has some unique challenges: 

  • We have active adversaries. Unlike every other functional part of a corporation, we compete – against people with unlimited resources, unlimited time, no ethical boundaries, and significant economic incentives to disrupt and undermine our work.
  • We have finite resources. Companies exist to generate revenue and financial models reward teams that generate revenue. They struggle to figure out how much to invest in managing risks that are intangible and evolving constantly. Every security team scrapes and scrambles for every resource and to get their requests prioritized.
  • We don’t have simple answers to our problems. There are as many opinions about how to prioritize security work as there are people who work in the profession.
  • We have to be right every time. If we plug all but one hole in the proverbial sieve, we still lose. The attackers only have to find a single hole in our defenses one time to win.

Given all of the above obstacles to success, it is important to bring together a team of people who are not only technical enough to build good solutions inside a complex environment, but also smart about evaluating risks, willing and able to see things from many different angles, determined to fight for what is right, empathetic enough to see things through the eyes of customers, resilient in the face of adversity and failure, and strong enough to hold together when times are tough.

I’ve reached one concrete conclusion: the best way to develop a team that carries these traits is to build a diverse team. We can’t stand in the shoes of our customers if we don’t look like them and share their experiences. We won’t be able to debate an issue fully if we don’t look at it from many different angles. We won’t truly be empathetic if we haven’t struggled ourselves. We won’t build resilience until we are tested. And we won’t build a team until we learn to hold out a hand to help up someone who is different.

Companies I advise or have advised:

Cybersecurity Investments:

Volunteer Advisories I have worked with:

Commissioner, President Obama’s Cyber Commission

UC Berkeley Center for Long-Term Cyber Security

National Cyber Security Alliance

U.S. Department of Homeland Security Advisory Council

National Action Alliance on Suicide Prevention

Bay Area CSO Council