10 Years Leading Security Teams: Performance Is 90% Human, 10% Tech (Part 2)
The Boring Operational Habits of Elite InfoSec Teams

This is Part 2 of a series on building high-performance security teams. If you haven't read [Part 1], start there—it'll make a lot more sense.
I was gaslighting the entire team for six months.
I preached psychological safety. Gave talks about speaking up. Celebrated people who admitted mistakes. Taught everyone to challenge ideas. Made sure the team felt valued for their work.
But everything else I did told them I was full of shit.
I'd cancel 1-on-1s three weeks in a row because "something urgent came up."
I let new hires struggle through their first month because updating the onboarding process was "low priority."
I kept career paths vague because I thought "figuring it out" was part of their development.
My team noticed.
Of course they did.
That's the thing about mixed messages.
Your team doesn't split the difference. They don't think, "Well, he means well even if the systems are broken."
They just stop believing you.
If you preach psychological safety but your onboarding is chaos, new hires learn survival matters more than speaking up.
If you celebrate vulnerability but skip 1-on-1s, people learn that trust is one-sided.
If you want people to challenge ideas but every process decision happens in a room they're not in, they learn their input doesn't actually matter.
The teams I've seen maintain high performance all have something in common.
It's not charismatic leaders. It's not bigger budgets or smarter hiring. It's not even having the perfect strategy or less technical debt.
It's that their operational systems actually back up what their leaders say matters.
This is Part 2 of building high-performance security teams.
If Part 1 was the culture you want, this is making sure every system you build says the same thing.
Four systems that make culture stick:
One clear goal that kills decision paralysis
Competency matrices that show your people they have a future
Structured Onboarding that sets the bar from day one
Unmoveable 1-on-1s that develop leaders
Fair warning: This isn't exciting work.
No quick wins here. No viral LinkedIn posts about your “leadership philosophy”. Just the tedious process of documenting expectations, standardising approaches, and saying the same thing over and over until it sticks.
But if you want to maintain the culture you’ve been working to build?
You need systems that prove you mean it.
Principle 5: One Clear Priority
Choose one priority • align every decision • move as one
Pick one goal. Make it the top priority. Overcommunicate it to the point of annoyance.
That's it.
That's the whole strategy.
Watch what happens to your team:
They stop debating priorities (the goal decides)
They stop feeling overwhelmed (one target, not twenty)
They stop working in silos (everyone knows the destination)
They stop wondering if their work matters (every task has a clear ‘why’)
When people can draw a straight line from mundane tasks to a meaningful outcome, everything changes.
Work has meaning. Decisions become obvious. Energy comes from purpose.
Why this matters: Every team member makes dozens of micro-decisions daily. Which ticket to tackle first? Which meeting to skip? Which tool to implement? Without a single destination, you're burning energy in twenty directions. With it, you're building momentum in one.
The Playbook:
For Leaders: Be the Broken Record
Align Up, Then Pick Your Battle: Get clear on the CISO's top security priority for the organisation. Then choose one goal for your team that directly advances it. Kill the rest.
Put the Goal on Repeat: Communicate the priority clearly. Communicate it repeatedly. Make it inescapable.
Anchor Every Discussion With One Question: “How does this help us achieve [goal]?” Be predictable. When people start asking it before you do, the system is working.
Show The Scoreboard: Create a simple dashboard and keep it updated. Momentum builds when teams can see themselves winning.
For ICs: Connect Your Work to the Goal
Make It Personal: Translate the goal into your day-to-day. Use it as your filter for prioritisation—every ticket, every meeting, every ‘quick favour’. If something doesn't align, question it.
Create Believers: See someone just going through the motions? Give them context: "Here's our one goal. Here's why it matters. Here's how our work drives it." Help them buy in.
Give the Goal Your Best Hours: The goal gets your flow-state. Operations gets your low-energy hours. Random requests can wait until you've moved the goal forward today.
Flag Mission Drift: Notice the team starting to work on shiny new things? Speak up: "Are we sure this aligns with [goal]?"
Principle 6: Transparent Career Paths
Define progression • make it public • remove the guesswork
60% of tech teams don't have a written competency matrix.
This you?
Start one this week. Schedule the time with your team to map it out. Every level. Every skill. Every expectation.
Yes, it's painful. Yes, your senior engineers will argue about what 'senior' means. Yes, you'll spend weeks debating whether Python is required for architects.
Do it anyway.
I've watched too many brilliant security analysts flame out because nobody could tell them what 'senior' meant.
Too many engineers job-hop because they can't see a future.
Too many careers stall because promotion criteria lived in some manager's head instead of a public document.
You'll spend the time either way—upfront building clarity, or forever having the same soul-crushing conversation:
“You're not quite ready for senior, but I can't tell you exactly why or what to work on.”
Why this matters: “I don't know how to get promoted” is the silent killer of security teams. Without clear progression paths, your best people either waste years grinding the wrong skills or feel lost after mystery rejections. Every member of your team deserves to know exactly how to level up. Not through politics. Not through guessing. Through published, transparent criteria.
The Playbook:
For Leaders: Create Career Clarity
Build the Framework: For each level, document core responsibilities, technical scope, essential soft skills, and clear promotion criteria. Involve your seniors. They'll debate every line, but that's how you get buy-in.
Need structure? CircleCI spent 8 months building theirs and documented the process. Steal their framework.
Publish It Everywhere: Wiki, pinned messages, team handbook—everywhere. New hire's first day? Here's the matrix. Performance review coming up? Reference the matrix. Someone asking about career growth? Point to the matrix. Transparency kills politics.
Live By It: Pull job descriptions straight from the matrix. Run reviews against it: "You're at level X, here's what Y requires." Build development plans from it: "Focus on these three gaps for senior." Let it make promotion decisions, not vibes or feelings.
For ICs: Own Your Progression
Help Build What's Missing: No competency matrix? Offer to draft one. Define what your level does now, what the next level requires, the specific gaps between them. Someone has to start. Might as well be you.
Read the Room: Look at who got promoted in the last year. What were they doing differently? Which projects did they lead? What skills did they demonstrate? If there's no formal matrix, reverse-engineer one from actual promotions.
Make the Matrix Work for You: Matrix exists? Use it. "Senior level requires leading initiatives. I'm ready, which project can I own?" Turn vague promises into specific opportunities.
Principle 7: Structured Onboarding
Plan their first steps • clear the path forward • prove they chose right
Six weeks job searching. Three rounds of interviews. Competing offers rejected. All that anticipation building toward day one.
Most team onboarding feels like showing up to a restaurant that forgot your reservation.
No laptop. "IT needs another week."
No accounts. "We'll sort that out later."
No buddy. "Oh, they're on holiday this week."
No plan. "We'll figure it out as we go."
I've watched six-figure hires ghost after three days because we treated their arrival like a surprise party nobody planned.
The teams that nail it?
Different story.
Laptop on desk, calendar blocked, buddy waiting with coffee. First task done by Friday.
Those teams earn commitment from day one.
Why this matters: Structured onboarding isn't overhead, it's leverage. It proves you're organised, makes new hires feel valued, and builds the foundation for long-term success. You just spent three months and £15k recruiting this person. Don't blow it in three hours because you were unprepared.
The Playbook:
For Leaders: Set Them Up Right
Start Early: Two weeks before they start, get everything ready. Laptop configured. Accounts created. Calendar blocked for their first week. Welcome pack in their inbox: security policies, system architecture diagrams, ‘how we actually work’ guide. This isn't admin work, it's your first impression.
Script Week One: Monday: Welcome and setup. Tuesday: Meet the team. Wednesday: Security architecture deep dive. Thursday: Shadow an incident. Friday: First real task. Send them this schedule a week early; it kills their anxiety and proves you're organised.
Check In: Day 3: "How's it going?" Week 2: "What's confusing?" Month 1: "What did we miss?" Month 3: "How can we improve?" Act on what you hear.
For ICs: You Are the Welcome Committee
Be the Buddy They Need: When you're assigned as mentor, clear your calendar for their first week. Daily check-ins, not weekly. Share the real survival guide: which docs are current, who to go to for what, why the PKI is held together with duct tape. Your job is to make them productive, not just oriented.
Fix What Sucked for You: Remember hunting through 50 Confluence pages to understand the security architecture? Create the one-page diagram. That week you wasted figuring out who owns what systems? Make the contact list. Don't make them suffer through the same chaos you did.
Actively Pull Them In: Don't wait for them to find you. "Hey, I'm working on the firewall rules, want to pair?" Tag them in chat discussions. Add them to the incident post-mortem invite. Integration doesn't happen by accident.
Principle 8: Consistent 1-on-1s
Never reschedule • focus on growth • make them matter
Every good security leader I know has the same story.
One conversation that changed everything. The manager who saw potential. A question that unlocked a new path. Critical feedback that made the difference.
Done right, a 1-on-1 is the highest-leverage 30 minutes of your week.
Instead, most teams treat them like empty rituals.
"What are you working on?"
"Any blockers?"
"Great chat."
Both sides going through the motions. Checking the box. Wasting potential.
I've seen both extremes. Teams where 1-on-1s launched careers and teams where they killed them.
The difference isn't time or format.
It's whether you take them seriously or not.
Why this matters: People don't quit jobs, they quit teams that don't invest in their growth. Every skipped 1-on-1 says "your growth doesn't matter." Every status-update-disguised-as-coaching says the same thing. For leaders, this is your early warning system for problems and your chance to develop talent. For ICs, it's uninterrupted access to someone who can unblock your career.
The Playbook:
For Leaders: Show They Matter
Same Day, Same Time, No Exceptions: Treat 1-on-1s like board meetings—unmovable. Your team notices every cancelled meeting. They're keeping score.
Make It About Them, Not Their Tasks: They drive, you follow. Their challenges, their development, their feedback about you. Yes, ask how you're failing them; you probably are, somehow. Sprint updates get 2 minutes max. The other 28 are for building careers.
80/20 Rule: You talk 20%, they talk 80%. When you feel the urge to solve their problem, ask another question instead. "Tell me more about that." "What have you tried?" "What would you do if you were me?" You'll discover problems you didn't know existed and solutions you hadn't considered.
For ICs: Maximise This Time
Bring Your Agenda: Write down three things before every 1-on-1. What's blocking you? What skill do you need? What's driving you crazy? "Nothing to discuss" wastes everyone's time. Your manager can't read minds. Give them something to work with.
Talk About the Real Stuff: The project you're avoiding because you don't know how to start. The skill gap that's holding you back. The teammate dynamic that's killing productivity. The promotion you want but don't know how to get. Surface the uncomfortable topics.
Ask for What You Actually Need: Vague requests get vague responses. "I want to grow" means nothing. "I want to lead a project by EOY" or "I need mentorship on threat modelling" gets results. Be specific about support, timeline, and outcomes. Make it easy for your manager to help you.
"But My Situation Is Different"
Every security leader thinks their chaos is unique.
Your CISO is demanding. Your team is underwater. Your company is growing too fast. Your legacy systems are a mess.
You don't have time for the "human work."
So you read this series and think: “Great ideas. I’ll sort this once the cloud migration is done.” “After the Nessus re-architecture.” “Once the incident rate drops.”
Here's the problem: The technical work never stops.
There will always be another audit, another urgent project, another fire.
If you wait for the perfect time before you build your culture, you’ll wait forever.
You have to do both.
You have to fix the incident rate and build psychological safety. Design the new architecture and write the job matrix. Support the migration and fix onboarding.
It feels impossible, but only because you think you need to do it perfectly.
You don't.
You just need to start.
While you're neck-deep in technical work, try one thing:
Draft the first version of a competency matrix for a single role. One level, one page, done.
Block 30 minutes to write a rough "Week 1" onboarding plan.
Keep that 1-on-1 you didn't have time for.
The teams that maintain elite performance don't have less chaos than you do.
They just don't let chaos be the reason they stop investing in their people.
You don’t win on tech; you win on teams
Tools rust. Your roadmap will change. The specific EDR you are fighting to deploy today will be legacy in three years.
Meanwhile, your attackers are evolving faster than your procurement process ever will.
The only durable advantage you have is a team of humans who:
Flag risks early, even when it's awkward.
Lift each other up, instead of competing for credit.
Push back on weak solutions, even from leadership.
Move toward one goal, without needing constant oversight.
Know they have a future with you.
In ten years, you won't remember the Jira ticket you rushed to close this week.
But the people who stayed—or left—will remember whether you built a team where they could do the best work of their careers.
Start building that team now.
Further Reading
Three resources that changed everything for me:
The Five Dysfunctions of a Team - Vulnerability is strength, not weakness
Google's Project Aristotle - Psychological safety beats raw talent every time
Managing Humans - Technical leaders should be human first, technology second