Building a multifunctional cyber security team: a blueprint for modern organisations

“Building an effective team requires balancing deep technical expertise with strategic business acumen, bridging the gap between operational needs and risk management.”

– Paul Truitt, Partner, Forvis Mazars

For organisations aiming to create a robust cyber security framework, assembling a multifunctional team to support said framework is critical. And whilst the makeup of the ideal cyber security team will differ wildly from one organisation to another, there are 3 key personnel categories that must be covered to facilitate success. But first:

Do I need a large security team if I have the right tooling in place?

With more and more sophisticated security tooling on the market, such as AI-driven detection and response technology, some organisations may be tempted to curb headcount spend. However, AI tooling is not yet an effective replacement for skilled cyber experts.

IBM has reported in their most recent Cost of a Data Breach report that more than half of breached organisations are facing high levels of security staffing shortages. This directly demonstrates the value human experts have in preventing, combating, and learning from cyber incidents.

So, whilst AI is growing more sophisticated, and agentic AI may one day be able to slow headcount growth for many organisations, it is not a replacement today (or tomorrow) for highly skilled specialists in the following areas:

Technical backbone

The foundation of any cyber security team lies in its technical experts – those who thrive in the granular details of systems, code, and incident analysis. This part of the cyber team is likely to grow in proportion to the threat surface of the organisation, as the focussed technical expertise of individual contributors will often be as important (or more important, even) than the breadth of their experience.

These specialists include: 

●     Security operations analysists: Security event monitoring performing around the clock monitoring of potential threat activity, responding to potential threats and escalating to incident responders.

●     Incident responders: Frontline defenders who identify, investigate, and neutralise active threats. They prioritise rapid containment and remediation, often working under intense pressure. 

●     Investigators: Forensic specialists who dissect breaches post-incident to uncover root causes, attack vectors, and vulnerabilities. Their work informs long-term defences. 

●     Toolset managers: Professionals who maintain and optimise security tools (SIEM, EDR, firewalls, etc.). They ensure systems are updated, integrated, and aligned with threat intelligence. 

●     Domain experts: Specialists in critical systems like SAP, cloud environments, or databases. Their niche knowledge ensures tailored defences for high-value assets.

Business liaisons: translating tech into strategy

Cyber security cannot exist in a vacuum. To align security initiatives with organisational goals, teams need business-facing members who bridge technical and executive worlds, including:

●     Project/product managers: These plate-spinners coordinate security projects across departments, ensuring timelines and budgets align with business priorities. Cyber-focused PMs are also key to executing incident response protocols and ensuring efficient collaboration between technical specialists.

●     Technical communicators: No cyber programme is complete without written content: policies, response plans, SLA inclusions, and more. Technical writers and communicators can help translate technical cyber requirements and challenges into business-literate content, and they can help imbue business content and communications with technical robustness and specificity.

●     Training coordinators: The vast majority of cyber incidents originate from employee error, such as phishing emails. A cyber training coordinator/manager owns the cyber education programme for the organisation, keeping employees up to date on the threat landscape and how they can help protect the business and themselves with proper phishing detection, data handling, and compliance. These coordinators can also work with PMs to orchestrate training and testing for the cyber team themselves.

These roles – non-technical in nature but with technical acumen – ensure security strategies resonate with stakeholders, from executives to end-users.

As the organisation grows – and the team of technical specialists along with it – this portion of the team will likely grow as well, introducing the need for more specialised project managers and possibly more management layers. The important principle for this subset of the cyber team is to balance technical understanding with strategic acumen in order to align strategy with execution.

Leadership: the CISO as strategic advocate

The Chief Information Security Officer (CISO) is pivotal in any organisation. Unlike a CIO, whose focus leans toward operational efficiency, the CISO must advocate for risk mitigation at the senior leadership level, with a voice in even the highest-level conversations. Key responsibilities include: 

●     Translating technical risks into business terms (e.g. quantifying breach costs)

●     Aligning security metrics with organisational KPIs

●     Balancing security investments against other business priorities

For smaller organisations, a Virtual CISO (vCISO) can provide part-time strategic guidance, offering expertise without the cost of a full-time hire. This is usually more effective than absorbing CISO responsibilities into other technical roles like a CIO, CTO, or even COO, as a separate person advocating for cyber concerns will almost always be more effective at protecting the organisation.

An important part of the CISO function is creating cyber security awareness on board-level and also in all layers of the organisation.

Diman Kamp Director

External partnerships: filling the gaps

Not every organisation can afford a full in-house team, especially in the start-up or scale-up stage, but cyber security remains mission critical for every business, including young ones. Third-party partnerships offer scalability until an in-house team can be assembled, as well as adaptability for larger organisations.

In addition to a vCISO, common external partnerships leveraged for cyber security include:

●     Cyber security consultants: Provide on-demand expertise and assistance for audits, penetration testing, compliance (e.g. GDPR, HIPAA), etc. 

●     Managed Security Service Providers (MSSPs): Handle monitoring, threat detection, and incident response for resource-constrained teams

●     Independent assesors and auditors: Offer unbiased assessments of security postures, identifying blind spots internal teams might overlook

Continuous education: staying ahead of threats

Cyber security is a field defined by constant evolution. Whether managed by a training coordinator or supplemented with third-party partnerships, cyber teams must prioritise ongoing learning through: 

●     Technical upskilling: Encourage certifications (CISSP, OSCP) and hands-on training in emerging areas like AI-driven attacks or cloud security

●     Penetration testing & red team exercises: Executing cyber incident protocols (with or without the cyber team’s advanced knowledge) to determine how effective they are and surface any vulnerabilities not previously identified

●     Cross-functional collaboration: Rotate team members into different roles (e.g. letting analysts shadow incident responders) to build versatility and resilience; this can include letting cyber team members work alongside non-technical teams to better understand requirements and end user experiences

Fostering adaptability is the key to cyber success

A multifunctional cyber security team thrives on diversity of skills, perspectives, and responsibilities. By combining technical depth with business acumen, organisations create a culture where security is proactive, not reactive. For smaller enterprises, leveraging third-party partnerships can help ensure resilience without overextending budgets.

Ultimately, the goal is to build a team that not only defends against today’s threats but anticipates tomorrow’s challenges through continuous learning and collaboration. In cyber security, adaptability isn’t just an advantage; it’s survival.