My friend Wade recently posted his thoughts on how to go about building a security team. For the most part, I found his comments to be spot-on, with one major, glaring exception. At the end of his post, he starts talking about getting into planning and measurements once you have your team in place, overlooking one major area: risk management.
Now, in his defense, Wade's objective was sharing his thoughts on how to build a good security team, starting with a good security manager who actually understands things. You cannot simply put a well-connected talking head in place and expect them to be successful managing security without the necessary technical know-how to grok what is going on. That being said, choosing who to hire and when to hire them, as well as making decisions about what technologies to leverage within your security team, must be based on sound risk management principles.
When I'm talking about "risk management" here, I'm really talking from a high level, and I'm including risk assessment and measurement as part of the equation. Plain and simple, if you're charged with building a security team and managing security objectives, one of your top challenges will be prioritization of work and resources. With security, it's very easy to let oneself slip into semi-anarchic ways where you are quickly overwhelmed by all that needs to be done. In order to keep the tigers at bay, you need to make use of sound decision-making practices that prioritize your workload based on a few criteria.