How to Build Your Security Team

Posted on March 5, 2019 - by Darren Gallop - in Building Your InfoSec Program

Building a security team within a company can be a time-consuming and confusing process. There are many roles and branches within a Security Team.

When assembling your team, it’s important to keep in mind that having people from different parts of the business, like HR, development, management, and marketing, is useful. Having different opinions when developing your security controls will only make your program stronger.

It might all feel a bit overwhelming. But this team will be invaluable while updating your policies, implementing your InfoSec program, and answering vendor security questionnaires. So we’re going to break down the roles and committees that you’d find in a typical Security Team.

Security Officer

So this person will kind of be like the Tony Stark or Wonder Woman of your security team. They will be the one who leads the team into battle. They make sure that the rest of the team is doing their part and following best practices. Typically the best person for this role would be an individual who has an interest in and passion for the security of confidential data (CTO, CEO).

Privacy Officer

The Privacy Officer will take the lead on everything that comes with meeting privacy regulation requirements. For example, if you’re selling in Europe you need to be compliant with GDPR, so you will want somebody who dots their i’s and crosses their t’s.

In larger organizations, it’s common to form smaller committees outside of the Security Team. These smaller groups that branch out will be focused on very specific aspects of security controls.

Your Risk Committee

The Risk Committee will be focused on establishing what the company’s risks are, completing risk assessments, and managing the company’s overall risk profile.

A Third-Party Vendor Assessment Team

Before your company signs on to use a new service or software, the responsibility falls to the Third-Party Vendor Assessment Team to ensure that the associated risks are made clear and communicated to senior management.

Your Audit Committees

Think of the Audit Committee as the team that is responsible for making sure the Security Team isn’t slacking. The Audit Committee will run tests to see that the Security Team is operating as effectively as possible.

Incident Response Team

The Incident Response Team is in charge of damage control in the event something bad goes down (e.g. your website crashes). They organize response plans for any possible negative scenario that could happen in the organization, so that when something does happen, you are prepared to deal with it internally and communicate effectively to the public.

In the end, you need a group of people who care about the organization and the security of its information. There’s no time like the present to start assembling your team of security heroes.

About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumni, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English, French, and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors. Swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.