Cybersecurity today is a complex, ever-shifting challenge that requires more than just technical skill—it demands strong communication, strategic alignment, and a culture of continuous learning. Leaders face the dual task of securing rapidly evolving products while competing for scarce talent.
We sat down with Matthew Marji, Head of Security at Narvar and a security leader with experience at companies like Okta and Auth0, to discuss his approach to building resilient cybersecurity teams, embedding security into engineering culture, and ensuring security has a seat at the leadership table.
This article captures Matt’s insights, offering a roadmap for security leaders navigating the modern threat landscape.
You can read the complete transcript of the episode here.
What Key Qualities and Skills Should Organizations Look for in Cybersecurity Professionals?
Hiring the right mix of talent is crucial, especially as cyber threats evolve rapidly. Matthew breaks down the essential traits into non-technical and technical skills.
Non-Technical Qualities
Given the prevalence of distributed organizations and the need to effectively communicate risk across the business, communication is paramount.
- Strong Oral and Written Communication: Professionals must be able to synthesize technical concepts and break them down easily for others to consume. This includes taking a technical vulnerability (like an injection that causes data exfiltration) and explaining how to reproduce it in an easily digestible fashion.
- Tailoring Language: A key skill is tailoring the language—the level of technicality used with an engineering team will be different from that used with leadership.
Technical Qualities
For startups and initial hires, Matthew prioritizes hands-on capability over specialized, current knowledge.
- Hands-On Capability (Code Literacy): The security professional must have the ability to be side-by-side with a developer to look at code, have a back-and-forth conversation, and discuss ways things can go wrong. The ability to read and write code is critical.
- General Adaptability: Security is constantly evolving (e.g., changes in the OWASP Top 10 from 2017 to 2021). Matthew is not necessarily looking for expertise in specific, current technical skills, as the team will have to continue learning as the threat landscape changes.
What Strategies Work Best for Attracting and Retaining Cybersecurity Talent?
Matthew believes trust, collaboration, and transparency are key to both attracting and retaining talent.
Hiring Strategies (Attraction)
- Transparency in Role: Share what candidates will actually do in the role, including current areas the team is looking to improve or work on, to give candidates a great idea of what they will be working on from the beginning.
- Collaborative Challenges: Matthew prefers collaborative technical challenges that are spin-offs of real-life challenges the organization has faced.
- Example: Reviewing code for vulnerabilities while refactoring how JWTs are manipulated. The output is a vulnerability ticket that would be passed to an engineering team.
- Assessing Multiple Skills: This collaborative approach assesses both technical and communication skills in real-time, moving beyond quiet assessment to a joint effort.
Retention Strategies (Building Trust)
- Trust and Transparency: Matthew equates transparency to trust. Establishing trust and clear lines of communication early on, even during the interview process, is key to building a strong security organization.
- Constant Collaboration: The goal is constant collaboration between security and engineers, ensuring a transfer of information both ways and fostering a trustful relationship.
- The “Give and Take”: Security should look for opportunities to provide guidance, early review, or assistance to engineering teams. By providing guidance and value, engineering teams begin to reach out early (e.g., “I should reach out to so-and-so for their opinion before I miss anything”).
How Should a Startup Prioritize its First Security Hire and Program?
Startups face unique constraints (budget, expectations), and there is no one-size-fits-all approach for their first security hire.
- Prioritize Business Risk: The best way to identify the next step is to build a register of the business’s security risks. Assessing risk across the business determines whether the next step should be a simple contractual third-party security team, a technical hire, or an InfoSec/CISO hire focused on compliance and privacy.
- Align with Business Needs: At Narvar, the organization started with compliance and privacy first, and then moved on to building out security engineering, which aligned with the business needs at that time.
Evolving Skill Needs
The skills and experience needed evolve as the company’s technology evolves.
- Infrastructure as Code (IaC): Three to five years ago, IaC (Helm, Terraform) was less common, but it has now exploded. Security must be aligned with the business’s technical direction, meaning security engineers need experience in Kubernetes and IaC.
How Can Organizations Bake Security into Engineering Culture from the Beginning?
It’s a reality that, for many organizations, especially startups, security may not be the first thought—cash flow, customers, and product building often take precedence. Therefore, integrating security into the culture requires a pragmatic, continuous effort based on demonstration.
- Demonstrate Relevance (“Show and Tell”): Security must establish its relevance by providing evidence of how important security is to a particular product or leader.
- Hands-On Demonstration: Matthew has spent time reviewing a product, found a vulnerability, created an exploit for it, and then shared this hands-on demonstration to show the importance of being ahead of these issues.
- Shock Value: Showing a hands-on exploit gives shock value that makes people remember the issue and tend to value security more.
- Lead by Example: Security professionals need patience, realizing that the culture is not built overnight. The best way to start is to lead by example, get more people interested, and empower engineers with the tools and resources to do the same.
- Vulnerability as a Learning Opportunity: Every vulnerability should be seen as an opportunity to enlighten a developer or team on what went wrong and how to improve for the future—not as a chance to point out a mistake.
Why Must Cybersecurity Have a Seat at the Leadership Table?
If security is treated as a separate function that only provides tooling and a second pair of eyes, it becomes second-tier and isn’t integrated with the company’s roadmap.
- Product Roadmap Integration: Security must be tied into all elements of what the company is delivering to customers year over year. This ensures that from an early design stage, security has a say in how the company thinks about data management, secret management, and new infrastructure needed to support the product.
- Organizational Alignment: The key is alignment. Security needs to have its own roadmap (with OKRs) that aligns with the business roadmap to continue seeing growth in the security organization.
How Can Organizations Foster Collaboration and Continuous Learning?
Fostering Collaboration
To overcome the common friction between security and engineering (similar to that between developers and QA), security teams should focus on integrating with and extending the engineering team.
- Extension of the Team: Security engineers should aim to understand the product just as well as an engineer on the team. This allows security to not only provide recommendations but also help if needed, essentially acting as an extension of the team.
- Security Champions: This approach can lead to each security engineer being seen as a security champion and a point of contact for security concerns or questions. However, a Security Champion program requires a certain level of security maturity and a strong, well-rounded security team that has empowered the engineers.
Continuous Learning and Awareness
Awareness training often fails when it’s treated as a one-time checkbox exercise.
- Avoid Non-Interactive Training: Training consisting of long-form videos, slides, and quizzes with unlimited retries is a “big no” and a “waste of time”.
- Prioritize Hands-On and Interactive Learning: The best ways to engage are with interactive and engaging methods.
- Platforms: Platforms like Secure Code Warrior offer fantastic interactive experiences that make users feel like they are a hacker looking to attack or defend, putting them in a real-life scenario.
- CTFs: Engaging with hands-on exercises like Hack the Box or other Capture The Flag (CTF) events is highly beneficial.
- Consistent Engagement: Without consistent check-ins, people forget. Security needs to be at the forefront of developers’ minds, ensuring they are invested in how to think about it.
- Leadership Investment: All interactive learning methods are investments of time and resources. This requires a conversation at the top to dedicate time away from product building or technical debt to invest in security education and awareness.
What Advice Does Matthew Marji Have for Aspiring Cybersecurity Professionals?
For those looking to build a career in the rapidly expanding cybersecurity field:
- Find Your Niche: Security is becoming very broad. Think about areas you enjoy and want to excel in:
- Red Team (Penetration Testing): Focused on breaking things and looking for vulnerabilities.
- Product Security: Being a generalist with a strong understanding of application code and infrastructure.
- Information Security: Leadership focused on compliance, privacy frameworks, and the overall landscape.
- Be Technical: Build the technical ability to dig in and truly understand how something works. Technical knowledge can be translated into the right information for leaders.
- Hands-On Learning: Dive into the content and get hands-on. While certifications are important, they aren’t the be-all end-all. Work on a project, write an article, or take a course to continuously stretch your brain and prove you are learning.
- Engage with Communities: Get involved in virtual and in-person communities (like BSides). This is a great way to connect with like-minded people to both learn and share knowledge, which is critical for growth.
Conclusion: The Security Leader as a Collaborator and Educator
Matthew Marji’s approach defines the modern security leader not as a gatekeeper, but as a collaborator, educator, and strategic partner.
By prioritizing code literacy, demanding strong communication, and using real-life challenges for evaluation, leaders can hire the right talent. By embedding security into the product roadmap and constantly demonstrating value to engineering teams through collaboration and interactive training, organizations can build the trust necessary to shift security from a bottleneck to a shared responsibility. The central theme remains: it depends on the organization’s stage and primary focus, but the principles of continuous engagement and alignment are universal.