'Inside Security' with Andreas Haugsnes (Ex-Chief Security Architect at Unity Technologies)

Interview
Leen Security
August 13, 2024

Startups and security teams share a common DNA: both operate in environments where adaptability and speed are critical to survival. For startups, the ability to pivot quickly in response to market shifts can mean the difference between scaling successfully and fading into obscurity. Similarly, security teams are tasked with the daunting challenge of staying ahead of a constantly evolving landscape of threats. In both, long-term planning is often disrupted by unforeseen events, requiring an immediate and agile response.

In security, this unpredictability mirrors the volatile nature of startups. Just as a startup might need to overhaul its business model overnight due to a competitor's innovation or a market change, a security team might find its carefully laid plans upended by the discovery of a new vulnerability or an emerging cyber threat. This constant need for vigilance and the ability to adapt quickly is what makes the roles of security professionals so complex and demanding. They are, in essence, managing a series of fast-paced mini-startups, where each new day can bring fresh challenges that require both proactive and reactive strategies.

In both fields, there is no room for complacency; success is defined by the ability to anticipate and respond to the unknown.

"Security is not just about protecting against the known; it's about preparing for the unknown. In this field, complacency is the enemy, and adaptability is your greatest ally."

In this week's edition of 'Inside Security', we sit down with Andreas Haugsnes (Ex-Chief Security Architect at Unity Technologies) and delve deeper into structuring security teams at the various stages of a company's life cycle.

What Security Looks Like In The Early Days

As companies evolve, so too must their approach to security. The demands on a security team in a startup are vastly different from those in a mature enterprise. Just as a company scales and diversifies, its security needs become more complex, requiring a structured and strategic approach to team development.

In the early stages of a company, security often starts as a small, agile team, typically consisting of a handful of individuals who wear multiple hats. At this stage, the focus is on building the foundational elements of a security program while remaining flexible and responsive to the company’s rapidly changing needs.

"In a startup, the security team is like a Swiss Army knife. You have a few people who need to be versatile, handling everything from incident response to compliance, often all in the same day."

The organizational structure at this stage is flat, with little to no hierarchy. Everyone on the team is deeply involved in all aspects of security, which fosters collaboration and quick decision-making. However, this model also presents challenges, particularly in ensuring that critical security tasks are not overlooked.

Growing Pains: Transitioning to a Structured Security Team

As an organization grows and begins to scale, the security team must evolve from this flat, all-hands-on-deck approach to a more structured model. This transition is critical as the security demands become more complex, requiring specialization and formalized processes.

"The transition from a flat structure to a hierarchical one is one of the most challenging phases for a security team. It's essential to start defining roles and responsibilities clearly, ensuring that each team member can focus on specific areas of expertise."

During this phase, the company begins to introduce middle management within the security team. Managers are brought in to oversee different aspects of security, such as incident response, compliance, and threat intelligence. The introduction of these roles helps to ensure that the team can handle the increasing volume and complexity of security tasks without losing the agility that was crucial during the startup phase.

This stage also involves the development of more formal processes for managing security risks. Regular reviews and audits become standard practice, ensuring that the team’s efforts are aligned with the company’s broader strategic goals.

"At this stage, it’s vital to develop a risk registry. This tool helps ensure that identified risks are documented, prioritized, and integrated into the overall security strategy."

As teams begin to formalize their processes, context becomes crucial. Andreas further emphasizes that as these processes evolve, the role of metrics grows increasingly significant.

Metrics IS King

The role of metrics in security cannot be overstated; they are the bedrock upon which decisions are made, strategies are developed, and vulnerabilities are identified. However, metrics are more than just numbers; they represent the health and resilience of an organization’s security framework.

"Metrics are the lifeblood of our security posture. They tell us where we stand, where we're vulnerable, and where we need to focus our efforts. Without them, we're essentially flying blind. The importance of these metrics extends beyond mere measurement. They are the lens through which security teams can observe the effectiveness of their strategies, detect anomalies, and respond to incidents with precision. For example, metrics such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and the percentage of systems compliant with security policies are crucial indicators. These metrics are not just retrospective; they are predictive, providing insights that allow teams to anticipate and mitigate risks before they become critical issues."

However, the collection and interpretation of metrics are only as good as the processes that underpin them. Regular reviews and audits are essential to maintaining the integrity and relevance of these metrics, especially while a team is transitioning to a structured model. The frequency and thoroughness of these reviews become increasingly important, ensuring that security practices keep pace with the organization's development.
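As an added illustration, not code from the interview or from Unity Technologies, the following Python computes the three indicators Andreas names above (MTTD, MTTR and the percentage of systems compliant with policy) from constructed incident and inventory records. The incident data, hostnames and target thresholds are invented for the example; the one design point worth noticing is how it treats incidents that are still open or not yet detected, since silently dropping them makes the averages look better than the security posture actually is.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Any, Dict, List, Optional

# Added example (not code from the interview or from Unity): computes MTTD,
# MTTR and the policy-compliance share from constructed sample records.


@dataclass
class Incident:
    id: str
    severity: str                 # "low" | "medium" | "high"
    started: datetime             # when the malicious or faulty activity began
    detected: Optional[datetime]  # None: not detected yet (e.g. surfaced only by an audit)
    resolved: Optional[datetime]  # None: still open


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample incidents; identifiers and timestamps are illustrative only.
INCIDENTS: List[Incident] = [
    Incident("INC-1", "high",   _t("2024-07-01T08:00"), _t("2024-07-01T10:00"), _t("2024-07-01T18:00")),
    Incident("INC-2", "low",    _t("2024-07-03T09:30"), _t("2024-07-03T09:45"), _t("2024-07-03T11:45")),
    Incident("INC-3", "high",   _t("2024-07-05T00:00"), _t("2024-07-06T00:00"), None),  # still open
    Incident("INC-4", "medium", _t("2024-07-10T12:00"), _t("2024-07-10T13:00"), _t("2024-07-10T16:00")),
]

# Constructed inventory: hostname -> passes the baseline policy check.
INVENTORY: Dict[str, bool] = {"web-1": True, "web-2": True, "db-1": False, "bastion": True}


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def mttd_hours(incidents: List[Incident], severity: Optional[str] = None) -> Optional[float]:
    """Mean time to detect (started -> detected) in hours.

    Incidents without a detection time cannot contribute a delta and are
    skipped; snapshot() reports how many were skipped so the average is not
    mistaken for the whole picture.
    """
    deltas = [_hours(i.started, i.detected) for i in incidents
              if i.detected is not None and (severity is None or i.severity == severity)]
    return mean(deltas) if deltas else None


def mttr_hours(incidents: List[Incident], severity: Optional[str] = None) -> Optional[float]:
    """Mean time to respond (detected -> resolved) in hours, closed incidents only.

    Open incidents are excluded, which biases MTTR downward while they stay
    open; that is why the open count is reported next to it.
    """
    deltas = [_hours(i.detected, i.resolved) for i in incidents
              if i.detected is not None and i.resolved is not None
              and (severity is None or i.severity == severity)]
    return mean(deltas) if deltas else None


def compliance_pct(inventory: Dict[str, bool]) -> float:
    """Percentage of inventoried systems that pass the policy check."""
    if not inventory:
        return 0.0
    return 100.0 * sum(1 for ok in inventory.values() if ok) / len(inventory)


def snapshot(incidents: List[Incident], inventory: Dict[str, bool]) -> Dict[str, Any]:
    """One reporting-period view of the metrics plus the context needed to read them."""
    return {
        "mttd_hours": mttd_hours(incidents),
        "mttd_hours_high": mttd_hours(incidents, "high"),
        "mttr_hours": mttr_hours(incidents),
        "mttr_hours_high": mttr_hours(incidents, "high"),
        "open_incidents": sum(1 for i in incidents if i.resolved is None),
        "undetected_incidents": sum(1 for i in incidents if i.detected is None),
        "compliance_pct": compliance_pct(inventory),
        "noncompliant_hosts": sorted(h for h, ok in inventory.items() if not ok),
    }


# Hypothetical targets; an organisation sets its own, usually per severity.
TARGETS: Dict[str, float] = {"mttd_hours_high": 4.0, "mttr_hours_high": 24.0, "compliance_pct": 95.0}


def breaches(snap: Dict[str, Any], targets: Dict[str, float]) -> List[str]:
    """Names of metrics outside target: times must be at or below, compliance at or above."""
    out = []
    for name, limit in targets.items():
        value = snap.get(name)
        if value is None:
            continue  # nothing measured; do not treat silence as success
        if name.endswith("_pct") and value < limit:
            out.append(name)
        elif not name.endswith("_pct") and value > limit:
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    s = snapshot(INCIDENTS, INVENTORY)
    for k, v in s.items():
        print(f"{k:22} {v}")
    print("out of target:", breaches(s, TARGETS))
```

Run as a script it prints the period snapshot and the metrics outside target; with the constructed data, high-severity MTTD and the compliance share both miss their targets while MTTR looks fine, precisely because the still-open high-severity incident is not in the MTTR average. Reporting `open_incidents` and `undetected_incidents` alongside the averages is what keeps the review honest.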

Maturity: Building a Multi-Tiered Security Organization

As an organization reaches maturity, the security team must adapt to a new set of challenges. The complexity of the organization requires a multi-tiered security structure, with clearly defined roles across various levels of management. Specialization becomes the norm, with dedicated teams focusing on specific areas such as cloud security, data privacy, and incident response.

"In a mature organization, you need experts who can dive deep into their respective areas. This level of specialization allows for more sophisticated security measures that can address the complex threats facing large enterprises."

At this stage, the security team is likely to be divided into several specialized sub-teams, each with its own management layer.

For example, a large organization might have separate teams for application security, network security, and compliance, each led by a manager who reports to a senior security officer. This hierarchical structure ensures that each area of security is given the attention it deserves, with clear lines of communication and accountability.

However, with this specialization comes the challenge of maintaining cohesion across the entire security organization. Cross-team collaboration becomes critical to ensuring that all aspects of security are integrated into a unified strategy.

In all of this, the risk of silos is real, warns Andreas.

This has come up many times in our interviews, including most recently in our conversation with Veer Singh.

The Role of Leadership in a Mature Security Organization

Leadership plays a pivotal role in guiding a mature security team. As the team grows in size and complexity, the need for strong leadership becomes more pronounced. Leaders must not only manage their teams effectively but also ensure alignment with the broader organizational objectives.

"In a large organization, leadership is about more than just managing people. It's about setting the vision for security, ensuring that all teams are aligned, and navigating the complexities of a large, hierarchical structure. One of the key responsibilities of security leadership is to ensure that the team remains adaptable despite its size, and has the right structure with people assigned roles that fit the overall security strategy. For example, if one team is responsible for deploying a new web application firewall, the application security team must tune the rules, while the infrastructure security team owns the actual service. Coordination between these teams is essential for the project’s success, and this is where the role of a Technical Project Manager (TPM) becomes invaluable. The TPM ensures that all teams work together efficiently, keeping the project on track and the organization secure."

Andreas also reminds us that while specialization is necessary, leaders must guard against the rigidity that can come with a heavily tiered structure. Regular reviews, open lines of communication, and a culture of continuous improvement are essential for maintaining agility within the team.

Continuous Evolution: Adapting to New Threats and Technologies

Even in a mature organization, the work of structuring a security team is never truly complete. As new threats emerge and tech stacks evolve, the team must be in continuous 'evaluate-and-adapt' mode. This requires not only staying current with the latest developments in the field but also being willing to restructure the team as needed to address new challenges.

"Security isn't a destination; it's a journey of constant adaptation. To stay ahead, we must embrace change as our only constant and evolve with every new threat and technology that comes our way. Because security is a moving target. What worked last year might not work today, so we have to be prepared to evolve constantly."

In this context, ongoing training and professional development are critical. Ensuring that team members have the skills and knowledge needed to address new threats is a priority at every stage of the company’s life cycle. Additionally, the introduction of new tools and technologies often necessitates changes in the team’s structure, requiring leaders to be flexible and forward-thinking.

Closing Remarks: The Lifecycle of a Security Team

Structuring a security team is a complex task that evolves alongside the company. From the agile, multi-functional teams of a startup to the specialized, hierarchical structures of a mature organization, each stage of a company’s life cycle presents unique challenges and opportunities.

By recognizing these stages and aligning their team structure accordingly, security teams position themselves for success. The key to successful security management is recognizing that it’s not a one-size-fits-all approach. Each stage of growth requires a different strategy, and the best security teams are those that can adapt and evolve with their organization.

This perspective underscores the importance of flexibility, foresight, and strategic planning in building a security team that can not only protect the organization today but also prepare it for the challenges of tomorrow.

To connect with Andreas, you can reach out to him via his LinkedIn.