GRC CyberSecurity Risk Assessment PDP

This page describes the different roles within the GRC CyberSecurity Risk Assessment path. Choose the role you want to learn about. You can also enter the “Professional Path” (coming soon) to access the relevant skills and resources.

Associate GRC

Professional Path

Execution (Run). Internal impact.

Professional skills

The role represents the most common professional entry-point knowledge for this career stream.

Behaviors

  • Takes an active part in well-structured ongoing team tasks and processes, such as: vendor assessment for systems and services, preparations for compliance audits, preparing and conducting phishing drills, helping to prepare for security & privacy weeks
  • Learns the team’s tools, resources and processes
  • Eager to learn and improve professionally
Independence and complexity

Works under direct supervision. Executes basic tasks and projects.

Behaviors

  • Works under guidelines and direct supervision of team members.
  • Focused on growth and learning the team’s processes, way of conduct and best practices.
  • Handles basic and well-established tasks and processes.
Ownership and impact

Commits to and completes tasks within the expected time frames, holding themselves accountable. Ability to succeed, plan for outcomes and execute plans in order to meet personal targets and objectives.

Behaviors

  • Completes their tasks in an excellent way and on time, in accordance with the team’s SLAs
  • Wants to be exceptional (not aiming for “just good”)
  • Doer, action-oriented; does not take an advisor role
  • Proactively asks questions and reaches out for help when stuck
  • Owns their mistakes, strives for feedback
  • Asks to be involved in projects and tasks
  • Builds estimation skills
Collaboration and communication

Works collaboratively in a team and communicates in meetings.

Behaviors

  • Effectively communicates work status to teammates and manager
  • Communicates in respectful, professional and thorough manners
  • Voices concerns or need for clarification to their teammates and manager
  • Follows up on questions and issues to build trust and relationships
  • Demonstrates ability to operate as a team: show support, add value, communicate effectively and have a positive impact on team goals and culture
Culture and maturity

Learns and relates to the department and company’s culture and proactively tries to practice it.

Behaviors

  • Eager to learn the department and company’s culture and values
  • Motivated to learn the domain challenges, needs and values
  • Translates challenge into actions
  • Sets an example and acts as a role model for new hires
  • Accepts feedback graciously and learns from experience and mistakes

Experienced GRC

Professional Path

Execution & suggestion of improvements (Run independently & build). Team impact.

Professional skills

The role applies broad professional knowledge of theory and principles.

Behaviors

  • Conducts vendor assessment processes for vendors of all risk levels (Low to Critical systems, services, POCs etc.) in a thorough and professional manner, while understanding the use case and handling it with the depth appropriate to its risk level
  • Performs E2E phishing drills, from formalising use cases and setting target audiences, through execution, statistics and closure
  • Formalizes requirements and creates content for employee awareness, including yearly training, security & privacy weeks, routine ceremonies and attention to specific domains (R&D, Sales etc.)
  • Handles the preparations for yearly audits, such as ISO 27001 and SOC 2, including managing the relationship with the auditor, collecting evidence and collaborating with other stakeholders
  • Conducts research on new certifications or compliance programs, weighing the inputs required against the benefits
  • Responds to employees’ questions on a broad range of subjects: security tickets, SOC requests, phishing reports and additional questions raised by employees and external parties
  • Is able to onboard new systems and services in their domain
  • Conducts E2E risk-assessment processes and projects under general guidance and requirements, including rationale, target and KPI setting, collaboration with relevant stakeholders, formalising the project’s steps, ceremonies, definition of done etc. (for example, defining an SLA for patching vulnerabilities)
  • Good familiarity with the other security domains’ tools, gaps, needs and challenges (for example, past major incidents, lessons learned)
  • Holds technical (e.g. IT, AppSec) and project-management knowledge and skills
  • In charge of periodic ceremonies in the domain and department in order to reflect status and pain points and to drive solutions/processes/fixes
  • In charge of a basic risk-management model, both for mapping and updating
Independence and complexity

Works almost independently on issues of diverse scope under a general definition of the requirements. Executes advanced tasks and handles complex issues & projects.

Behaviors

  • Fully independent in managing ongoing tasks, for example: vendor assessments, phishing drills, security week routines
  • Fully independent in executing their projects A to Z under a general guidance and definition of the requirements
  • Familiar with the processes and procedures requirements defined in the domain (e.g. definition of done, SLA, retro)
Ownership and impact

Has ownership on their processes/projects and of non-critical aspects in the domain. Makes an impact with short-term and long-term complex processes and projects.

Behaviors

  • Learns from mistakes and understands what needs to be done in order not to repeat them
  • Knows where to consult, get help and raise red flags when needed
  • Identifies opportunities to improve processes that are under their responsibility and communicates them appropriately
  • Focuses on what’s important and high-priority; does not get distracted by issues that will not push the team forward
  • Influences decision-making through data
Collaboration and communication

Collaborates with their own team and others in order to execute cross-department tasks. Communicates some of the domain needs internally and externally.

Behaviors

  • Communicates in respectful, professional and thorough manners
  • Collaborates with all stakeholders as a partner and not “as an auditor/consultant” (asks questions, consults, thinks about use cases, raises concerns, suggests solutions, is open to ideas)
  • Guides other stakeholders from the department and in the company regarding processes and complex issues under their domain
  • Takes actionable part in onboarding of new team members as a professional function and as a buddy (e.g. creates an onboarding plan, pays attention to ongoing needs)
  • Acts as a Project Manager on their projects, with external and internal stakeholders
  • Works with the department team members and additional stakeholders (Legal, Privacy, IT etc.) to provide fixes and remediations to issues in the domain
Culture and maturity

Familiar with the department and company’s culture and is able to communicate it and act according to it.

Behaviors

  • Well established with the department and company’s culture and values
  • Familiar with the domain challenges, needs and values
  • Contributes to discussions about solutions internally & externally
  • Is able to be a buddy and mentor
  • Manages their time efficiently and responsibly while making sure that tasks and projects under their responsibility are not dropped
  • Open to feedbacks and suggestions from other stakeholders

Senior GRC

Professional Path

Improvement and creation of new processes (build & improve productivity). Cross-teams impact.

Professional skills

The role demonstrates mastery in applying theories, principles, concepts and methodologies to innovative solutions.

Behaviors

  • Identifies missing processes and creates new ones where needed (e.g. on TPRM issues: interns, outsourced developers) in a thorough and professional manner, with the depth appropriate to the risk level, and communicates them to relevant stakeholders (e.g. AppSec, IT, Legal)
  • Identifies the business and domain needs, searches for candidate solutions/tools and deploys them in a way that will meet those needs in accordance with predefined KPIs
  • Leads medium/large projects that are related to company employees, as well as company-wide projects (such as the yearly awareness plan, ad hoc academies)
  • Acts as GRC’s focal point for the department and company
  • In charge of an in-depth risk-management model, both for mapping and updating, including industry trends, mitigations, ceremonies etc.
  • Handles themselves and their projects in a data-driven way: sets metrics and SLAs, follows and monitors them in order to base their conduct and decisions on data-oriented insights and facts
  • Not afraid to raise tough questions, to face challenges and to question existing processes, while suggesting solutions
Independence and complexity

Works fully independently on issues of diverse scope. Acts as a focal point for all complex issues in their domain.

Behaviors

  • Fully independent in project management, both of the domain and cross-department
  • Reduces complexity, simplifies complex and difficult tasks, makes them achievable and down to earth
  • Meets the process and procedure requirements defined in the domain (e.g. definition of done, SLA, retro)
  • Independently manages their projects A to Z
Ownership and impact

Has ownership over critical aspects in the domain. Makes a significant impact with short-term and long-term complex processes and projects.

Behaviors

  • Owns cross-department projects and understands the balance between professional requirements and business needs
  • Creates wide impact by raising creative solutions to solve complex situations
  • Strives to excel in their goals, and sets higher goals for themselves
  • A professional go-to for all kinds of domain projects
Collaboration and communication

Leads the communication about cross-department tasks. Defines the domain needs and communicates them within the domain and with other internal and external stakeholders.

Behaviors

  • Communicates in respectful, professional and thorough manners
  • Collaborates with all stakeholders as an “expert partner” and not as an “auditor/consultant” (asks questions, consults, thinks about use cases, raises concerns, suggests solutions, is open to ideas, is a creative thinker, thinks outside the box)
  • Guides other stakeholders from the department and in the company regarding processes and complex issues under their domain
  • Works closely with the department team members and additional stakeholders (Legal, Privacy, IT etc.) to provide fixes and remediations to issues in the domain
Culture and maturity

Well established with the company culture and values and able to identify and realign misalignments.

Behaviors

  • Protective of department and company’s culture and values
  • Identifies problems in the domain, and proactively offers and promotes solutions to improve company practices and processes
  • Manages their time effectively and responsibly
  • Open to feedbacks and suggestions from other stakeholders
  • Takes actionable part in onboarding of new team members as a professional function and as a buddy (e.g. creates an onboarding plan, pays attention to ongoing needs)
  • Sets an example for other team members and acts as a role model for others

GRC Professional Lead

Professional Path

Creation of new processes (Build & improve efficiency). Cross-groups impact.

Professional skills

An integral part in defining the team’s strategic vision, goals and prioritization.

Behaviors

  • Detects technical and professional opportunities and gaps in the group level, and leads handling them
  • Holds deep technical and professional specialization at an industry level
  • Provides technical and professional guidance in specific areas to the team and group members
  • Ramps up on new technology fast and independently
  • Able to independently perform deep massive changes with speed while maintaining high quality
  • Handles themselves and their projects in a data-driven way: sets metrics and SLAs, follows and monitors them in order to base their conduct and decisions on data-oriented insights and facts
  • Innovation and creativity is a lead principle in their work
  • Not afraid to raise tough questions, to face challenges and to question existing processes, while implementing suggested solutions
Independence and complexity

The most professional function in the team, handles the most complex challenges and issues in the domain.

Behaviors

  • Independently carries out projects and acts as a focal point to all complex team issues
  • Has ownership over critical aspects in the domain
  • Fully independent in project management, solving complex issues, escalation when needed
  • Leads a technical or professional design of large and complex efforts
  • Breaks down into concerns and areas of volatility, provides high-level solutions, and hands it off to the team
  • Tackles the most complex challenges in the building of a project or operational issues
  • Reduces complexity, makes complex and difficult tasks achievable and down to earth
Ownership and impact

Owns and leads the most critical aspects in the domain. Has a strategic point of view of the domain, and impacts the domain roadmap and planning.

Behaviors

  • Owns cross-department projects and understands the balance between professional requirements and business needs
  • Creates wide impact by raising creative solutions to solve complex situations
  • Strives to excel in their goals, and sets higher goals for themselves
  • A professional go-to for all kinds of domain projects
Collaboration and communication

Leads the communication about cross-department tasks.

Behaviors

  • Defines the domain needs and communicates them within the domain and with other internal and external stakeholders
  • Collaborates with all stakeholders as a partner and not “as a critic” (asks questions, consults, thinks about use cases, identifies the needs from working with Infra, IT and other departments)
  • Works closely with other departments’ teams to identify the needs, provide solutions and remediate departments’ issues
Culture and maturity

Well established with the company culture and values and able to identify and realign misalignments.

Behaviors

  • Protective of department and company’s culture and values
  • Identifies problems in the domain, and proactively offers and promotes solutions to improve company practices and processes
  • Able to mentor
  • ‘Can-do’ approach
  • Recognizes and puts emphasis on actions that drive our culture
  • Sets an example for other team members and acts as a role model for others

Security Team Lead

Professional Path

Professional skills

Holistic team management and leadership of an entire domain in a group.

Behaviors

  • Transforming company vision into security goals:
    • Develops a clear, inspiring vision for the security program that aligns with the organization’s business objectives and communicates that vision effectively to stakeholders, including the security team, IT department, and senior executives.
    • Translates the security vision into actionable security goals and objectives for the security team to work towards.
    • Collaborates with group leadership to ensure security goals are aligned with the group’s objectives.
  • Technical expertise:
    • Possesses deep technical expertise in security domains and is familiar with security technologies, processes, and practices.
    • Provides guidance and mentoring to security managers and team members on technical aspects of security, such as secure software development, network security, or incident response.
    • Maintains awareness of emerging security trends and threats and evaluates their potential impact on the organization.
  • Architecture and design:
    • Possesses knowledge of security architecture and design principles and can review and provide guidance on security architecture and design decisions.
    • Collaborates with architects and developers to ensure that security is integrated into the software development life cycle and that secure coding practices are followed.
    • Maintains awareness of emerging security technologies and evaluates their potential impact on the organization.
  • Leadership and mentorship:
    • Provides leadership and mentorship to security managers and team members, encouraging them to take calculated risks and innovate.
    • Creates a culture of continuous learning and development within the security team, providing opportunities for professional development and career growth.
    • Regularly recognizes and rewards team members for their contributions to the security program.
  • Risk management:
    • Conducts regular risk assessments and uses the results to develop risk management strategies, such as by implementing additional security controls or investing in employee training.
    • Develops incident response plans and conducts regular security exercises to test and improve those plans.
    • Regularly communicates security risks and threats to stakeholders across the organization, such as by presenting at board meetings or sending regular security updates to senior executives.
  • Strategic planning:
    • Develops a multi-year security strategy that aligns with the organization’s business objectives and takes into account emerging security risks and trends.
    • Prioritizes security initiatives based on risk and business needs, such as by investing in areas with the highest potential impact.
    • Conducts regular assessments of the effectiveness of security initiatives and adjusts plans as needed.
  • Continuous improvement:
    • Conducts regular security audits and vulnerability assessments to identify potential weaknesses and areas for improvement.
    • Seeks feedback from stakeholders across the organization, such as by conducting surveys or holding focus groups.
    • Uses the results of audits, assessments, and feedback to improve the security program, such as by implementing new security controls or processes.

Examples

  • Use your technical skills to mentor and guide your team members.
  • Apply your technical expertise in a way that motivates and inspires your team: Inspire your team members by sharing your technical knowledge and experience with them. By sharing your insights and providing guidance on technical issues, you can help your team members develop their skills and become more effective security professionals.
    Example: Mentor a junior security analyst by sharing your expertise in threat hunting.
  • Empower your team members by encouraging them to take ownership of technical issues and guiding them through the resolution process. By providing guidance and support, you can help your team members develop their problem-solving skills and become more confident in their abilities.
  • Provide opportunities for your team members to develop their technical skills. By offering training programs, encouraging certifications, and providing access to technical resources, you can help your team members become more effective security professionals and advance in their careers.
    Example: You can encourage your team members to pursue a certification in cloud security by offering to pay for the exam and providing study materials. By doing so, you can help them develop their skills and demonstrate your commitment to their professional growth.
Independence and complexity

Holds the entire team complexity from end to end. Can provide solutions and guidance on all aspects within the domain. Typically leads an entire domain within a group, typically up to 6 engineers.

Behaviors

  • Controls the domain’s material with details, has the right knowledge and ability to drive delivery of high-quality results of their team
  • Understands all aspects in the domain and manages to set a standard in every aspect – tech, business, product, craftsmanship
  • Manages to fill any gaps in the team level (including other functions, like Product, Design, or Analyst) to keep the domain effectively working
  • Go-to person in every aspect and is able to provide guidance and insights in every area under the domain

Examples

  • Guides the full forms implementation, manages to provide insights about the technical design and ways to ensure quality
  • Can explain the motivations behind the design of notifications aggregation
  • Conducts a sync meeting
  • Can plan a quarter roadmap, accounting for dependencies and pitfalls, analyze risks and complexities and build a setup for the execution
Ownership and impact

Drives the impact driven approach in the team, makes every iteration count and that everyone works on the most impactful tasks. Manages to inspire their team through planning, context building and setting aspirational goals.

Behaviors

  • Creates an execution plan and consistently leads the delivery of impactful content with their team
  • Responds to changes in an effective and frictionless way and manages to push boundaries in creative ways, even in pressured times
  • Actively builds context that allows everyone on the team to make decisions in a way that maximizes impact
  • Celebrates impact, gives recognition to actions that matter based on their impact on the “real world”
  • Creates an inspiring and impact-focused plan with the right level of guidance, and in a way that creates a setup for people to excel

Examples

  • Defines a clear focus and mission for the team in collaboration with the team members
  • Encourages a proactive approach to security to reduce the number of incidents and vulnerabilities
  • Promotes impact through focus by defining ambitious goals and delegating tasks to the right people
  • Fosters a shared context and understanding among the team through regular training sessions and open communication
  • Drives delivery goals as a team by establishing a routine and monitoring progress towards objectives
  • Amplifies the team’s impact through mentorship, directing, and training
  • Breaks down silos between teams to ensure no duplication of efforts and owns cross-concerns collaboratively
  • Translates high-level concepts into actionable targets to ensure everyone understands what they’re working towards
  • Fosters a culture of collaboration and knowledge sharing to create a positive work environment where everyone feels valued and motivated to work towards the team’s objectives
Collaboration and communication

Team communication engine. Leads discussions by sharing clear and concise intents.

Behaviors

  • Creates a safe place to talk: any idea or comment can be heard
  • Communicates clearly the intent behind their actions
  • Listens more than talks
  • Leads conversations by asking questions and creates discussions between all team members
  • Establishes trust & honesty in personal communication channels
  • Keeps all team members aligned with others’ work by creating a sharing environment

Examples

  • Sets KPIs and goals that allow the domain to keep improving its health
Culture and maturity

Accountable for creating and driving culture manifestation within a team.

Behaviors

  • Drives strong enthusiasm and a ‘can do’ attitude to achieving results for employees, creating a winning state of mind
  • Promotes monday’s culture in their day-to-day actions and decisions, sets an example in their actions that promotes our core values and principles
  • Recognizes and puts emphasis on actions that drive our culture
  • A builder first, sets standards by example
  • Creates a halo effect in the team: is perceived as excellent and a winner, and encourages others to rise to their level
  • Respects differences and similarities; taking the time to understand the viewpoints of others
  • Brings tensions to the surface, helps to resolve conflicts and produces a positive outcome
  • Involves impact driven consideration in the team level

Examples

  • Takes full ownership over consistent execution of the teams’ processes and work methods
  • Makes the necessary adjustments to keep the team productive and its work methods well-suited to the team
  • Creates meaningful and open discussions with insights that are taken into the day-to-day and do not repeat over time (the team is open and improves)
  • Dailies, tech talks, quality management, and production incident reports are implemented and provide a lot of value
  • Chooses the right onboarding tasks that maximize the setup for success for new employees, and brings them quickly up to speed with the technological stack’s happy path
  • Independently translates the quarterly plan into inspirational, well-understood plans

Senior Team Lead / Security Group Lead

Professional Path

Professional skills

Creates a deep level of maturity both in their direct and non-direct reports. Affects other roles and disciplines inside and outside their domain.

Behaviors

  • Transforming company vision into security goals:
    • Develops a clear, inspiring vision for the security program that aligns with the organization’s business objectives and communicates that vision effectively to stakeholders, including the security team, IT department, and senior executives.
    • Translates the security vision into actionable security goals and objectives for the security team to work towards.
    • Collaborates with group leadership to ensure security goals are aligned with the group’s objectives.
  • Technical expertise:
    • Possesses deep technical expertise in security domains and is familiar with security technologies, processes, and practices.
    • Provides guidance and mentoring to security managers and team members on technical aspects of security, such as secure software development, network security, or incident response.
    • Maintains awareness of emerging security trends and threats and evaluates their potential impact on the organization.
  • Architecture and design:
    • Possesses knowledge of security architecture and design principles and can review and provide guidance on security architecture and design decisions.
    • Collaborates with architects and developers to ensure that security is integrated into the software development life cycle and that secure coding practices are followed.
    • Maintains awareness of emerging security technologies and evaluates their potential impact on the organization.
  • Leadership and mentorship:
    • Provides leadership and mentorship to security managers and team members, encouraging them to take calculated risks and innovate.
    • Creates a culture of continuous learning and development within the security team, providing opportunities for professional development and career growth.
    • Regularly recognizes and rewards team members for their contributions to the security program.
  • Risk management:
    • Conducts regular risk assessments and uses the results to develop risk management strategies, such as by implementing additional security controls or investing in employee training.
    • Develops incident response plans and conducts regular security exercises to test and improve those plans.
    • Regularly communicates security risks and threats to stakeholders across the organization, such as by presenting at board meetings or sending regular security updates to senior executives.
  • Strategic planning:
    • Develops a multi-year security strategy that aligns with the organization’s business objectives and takes into account emerging security risks and trends.
    • Prioritizes security initiatives based on risk and business needs, such as by investing in areas with the highest potential impact.
    • Conducts regular assessments of the effectiveness of security initiatives and adjusts plans as needed.
  • Continuous improvement:
    • Conducts regular security audits and vulnerability assessments to identify potential weaknesses and areas for improvement.
    • Seeks feedback from stakeholders across the organization, such as by conducting surveys or holding focus groups.
    • Uses the results of audits, assessments, and feedback to improve the security program, such as by implementing new security controls or processes.

Examples

  • Use your technical skills to mentor and guide your team members.
  • Apply your technical expertise in a way that motivates and inspires your team: Inspire your team members by sharing your technical knowledge and experience with them. By sharing your insights and providing guidance on technical issues, you can help your team members develop their skills and become more effective security professionals.
    Example: Mentor a junior security analyst by sharing your expertise in threat hunting.
  • Empower your team members by encouraging them to take ownership of technical issues and guiding them through the resolution process. By providing guidance and support, you can help your team members develop their problem-solving skills and become more confident in their abilities.
  • Provide opportunities for your team members to develop their technical skills. By offering training programs, encouraging certifications, and providing access to technical resources, you can help your team members become more effective security professionals and advance in their careers.
    Example: You can encourage your team members to pursue a certification in cloud security by offering to pay for the exam and providing study materials. By doing so, you can help them develop their skills and demonstrate your commitment to their professional growth.
Independence and complexity

Leads complex IT projects, across teams and sites.

Behaviors

  • Leads security projects from start to finish
  • Identifies emerging threats and vulnerabilities, and develops proactive strategies to mitigate them
  • Manages security incidents effectively, minimizing the impact of the incident and restoring normal operations as quickly as possible
  • Keeps up-to-date with the latest developments in security technology and best practices, and applies that knowledge to improve the organization’s security posture
  • Communicates effectively with stakeholders at all levels of the organization, from executives to front-line employees, and provides clear and concise explanations of security risks and controls

Examples

  • Leads a project to implement a new security tool, managing the project from the initial planning stages through to the deployment and post-deployment phases
  • Identifies a new type of phishing attack targeting the organization, and develops a training program for employees to increase their awareness of the threat and teaches them how to respond appropriately
  • Leads the response to a major security incident, coordinating the efforts of the incident response team, communicating with stakeholders, and implementing measures to contain and mitigate the incident
  • Attends security conferences and seminars, reads industry publications and blogs, and networks with other security professionals to stay informed about the latest security trends and emerging threats
  • Develops a series of security awareness training sessions for employees, using clear and engaging language to explain the risks of common security threats such as phishing, social engineering, and malware, and teaches employees how to protect themselves and the organization
Ownership and impact

Creates an impact-first culture via leadership, inspiration and mentorship within and without the group. Leads the group to deliver meaningful impact, consistently.

Behaviors

  • Define team focus together: As a team lead, it’s important to work with your team to define and refine the team’s focus. By involving your team members in this process, everyone feels invested in the team’s goals, and you can ensure that everyone understands the importance of their role.
  • Promote impact through focus as a team: Encourage your team to come up with a clear vision and mission that aligns with the team’s objectives. This way, everyone can focus on the “winning picture,” and each team member can make informed decisions that positively impact the team’s day-to-day work.
  • Build a shared context and understanding: Foster an environment where everyone feels comfortable asking questions and sharing their perspective. This will help ensure that your team members understand the broader context of their work, enabling them to take impact-driven decisions that align with the team’s objectives.
  • Drive the most impactful direction together: Collaborate with your team to make sure it is heading in the most impactful direction. By delegating tasks to the right people and working together, everyone feels invested in the team’s success.
  • Own cross-concerns collaboratively: Encourage open communication and collaboration between teams to ensure that there are no silos between teams, and everyone has the right information to make decisions.
  • Bring clarity as a team: Work together to set clear and ambitious goals, so everyone understands what they’re working towards. Encourage the team to share their ideas on how to translate high-level concepts into actionable targets.
  • Establish a routine and drive delivery goals as a team: By collaborating with the team to create a routine and drive the team’s delivery goals, you can ensure that everyone is working towards the same objectives.
  • Amplify impact through others collaboratively: Encourage a culture of mentorship and training, where everyone feels comfortable asking for help and sharing their knowledge with others. This will help amplify the impact of the team’s efforts through others.
  • Share knowledge and be effective together: Share your knowledge and expertise with the team, and encourage them to share their knowledge with you. This way, everyone can learn from each other and be effective in achieving their objectives.
  • Drive impact through team building collaboratively: By fostering a positive work environment, where everyone feels valued and appreciated, you can strengthen the team’s cohesion. Plan team-building activities together to strengthen the team’s bond and promote a positive work culture.

Examples

  • Visionary leadership:
    • Develops a clear, inspiring vision for the security program and communicates that vision effectively to stakeholders, including the security team, IT department, and senior executives.
    • Encourages team members to take calculated risks and innovate, such as by implementing new security technologies or processes.
    • Regularly recognizes and rewards team members for their contributions to the security program.
  • Strategic planning:
    • Develops a multi-year security strategy that aligns with the organization’s business objectives and takes into account emerging security risks and trends.
    • Prioritizes security initiatives based on risk and business needs, such as by investing in areas with the highest potential impact.
    • Conducts regular assessments of the effectiveness of security initiatives and adjusts plans as needed.
  • Risk management:
    • Conducts regular risk assessments and uses the results to develop risk management strategies, such as by implementing additional security controls or investing in employee training.
    • Develops incident response plans and conducts regular security exercises to test and improve those plans.
    • Regularly communicates security risks and threats to stakeholders across the organization, such as by presenting at board meetings or sending regular security updates to senior executives.
  • Business acumen:
    • Develops a deep understanding of the organization’s business operations and goals, such as by attending regular business meetings or shadowing business unit leaders.
    • Provides security guidance to business units, such as by recommending security controls or policies that align with their specific needs.
    • Develops business cases for new security initiatives or investments, such as by conducting cost-benefit analyses or outlining potential ROI.
  • Budget management:
    • Develops and manages a security budget that aligns with the organization’s business objectives and priorities.
    • Prioritizes spending based on risk and business needs, such as by investing in areas with the highest potential impact or cost savings.
    • Regularly reports on budget status and variances to senior executives and stakeholders.
  • Talent management:
    • Attracts, develops, and retains talented security professionals by providing opportunities for professional development and career growth, such as by offering training programs or career paths.
    • Encourages a culture of learning and innovation within the security team, such as by providing time and resources for team members to pursue new certifications or attend security conferences.
    • Regularly recognizes and rewards team members for their contributions to the security program.
  • Change management:
    • Develops and communicates change management plans that address potential risks and challenges, such as by providing training or communication plans.
    • Regularly communicates changes to stakeholders across the organization and ensures buy-in and support, such as by holding town hall meetings or one-on-one meetings with key stakeholders.
    • Regularly assesses the impact of changes and adjusts plans as needed.
  • Continuous improvement:
    • Conducts regular security audits and vulnerability assessments to identify potential weaknesses and areas for improvement.
    • Seeks feedback from stakeholders across the organization, such as by conducting surveys or holding focus groups.
    • Uses the results of audits, assessments, and feedback to improve the security program, such as by implementing new security controls or processes.

Collaboration and communication

Effective collaboration, communication, and leadership without authority are critical skills for senior security managers.

Behaviors

Collaboration and cross-group collaboration are critical skills for senior security managers. Here are some examples of how these skills can be applied to address security risks and drive success in the organization:

  • Foster collaboration between different security teams within the organization.
    Example: Encourage the network security team and the application security team to work together to identify and address security risks that exist at the intersection of network and application security.

  • Collaborate with other organizations in your industry to identify and address common security risks.
    Example: Collaborate with a group of peers from other organizations in your industry to share insights and best practices for addressing security risks.

  • Work with the legal team to ensure that security measures are compliant with relevant laws and regulations.
    Example: Work with the legal team to ensure that your organization’s data protection measures are compliant with the General Data Protection Regulation (GDPR) in the European Union.

Examples

  • Collaborate with IT teams to ensure that security is integrated into IT operations.
    Example: Work with the IT team to ensure that firewalls are configured correctly to protect against external threats.
  • Collaborate with R&D teams to ensure that security is integrated into the development process.
    Example: Work with the R&D team to ensure that security testing is integrated into the software development lifecycle.
  • Collaborate with other business units within your organization to identify and address security risks.
    Example: Work with the HR team to ensure that employee access to sensitive data is appropriately restricted.

Culture and maturity

Controls the details. Doesn’t just manage their team from the “high level” but gets their hands dirty. Brings a contagious “can-do” approach to the day-to-day and drives a winning state of mind.

Behaviors

  • Creates a unique organizational culture. Triggers and drives changes in who we are and how we work in order to keep the monday culture intact as we grow
  • Puts monday values into practice in the group’s day-to-day. Transparent and inclusive in the way they operate, creates a strong sense of ‘We’ rather than ‘I’
  • Puts our users at the center: considers employees’ experience and has a product mindset
  • Creates tools and setups that empower others to take decisions independently, while getting feedback from the real world
  • Recognizes points that require interference and manages to get to the root cause and drive a resolution
  • Proactively builds context and takes actions in order to be up to date with what other groups are working on
  • Sees all the R&D challenges as their own, acts upon what’s broken
  • Drives actions that create a clear mission statement and manages to translate it into KPIs and goals in an engaging way, one that derives from a deep understanding of the “why” by everyone in the team

Examples

  • Shares the full picture about things that don’t work and about day-to-day failures, in a way that allows others to take part in solving them.
  • Holds a group meeting every two weeks and explains the full context in a transparent manner, to make sure everyone is included and understands the “why”
  • Communicates the context for parting ways with an under-performing team member
  • Creates a roadmap and motivation presentation to onboard the team for the quarterly plan