*tap tap tap*
If you grow your security team large enough, you eventually become a manager of managers—coordinating multiple specialized teams that need to work together for the common goal of defending your employer.
You might have a red team, a blue team, a purple team, a compliance team, an AppSec team, a DevSecOps team, an IT team. Every company has different security needs; I won't tell you mine for confidentiality reasons, but if you reach a certain size you'll eventually get to this point.
"So Red Team, I want to see you start off Adagio, then pick up the pace Alla Marcia, then I want to see Presto Presto Presto and end Tenuto of pwnage. I really want to hear that Tuba at the end. Capische?"
Micromanaging the managers who report to you is not a good way to get maximum value out of super-talented security people. I prefer to set clear strategic goals and give them the latitude to translate those strategic goals into specific tactical decisions.
But the military metaphor, like all metaphors, sometimes falls down. As CISO of an all-civilian corporation in industry, I can say we are not at war (although it is certainly true that North Korea wages undeclared de facto war against crypto companies in general).
Being CISO of such a large and growing team also becomes a matter of leading in harmony. All parts have to work together—play together—as part of the whole. Not to sound like some bad, overwritten motivational business trade book, but it really is about teamwork.
"Blue Team, now is your time for Allegro, Allegro, but don't hesitate to go Tempo Rubato, ja? Keep the Red Team guessing, keep 'em guessing, no one knows what you're going to play next, it's a Vivace surprise. No, Tuba, not you, capische?"
There are times for solos. They are a feature, not a bug! But by the same token, you don't want your tuba player to suddenly start belting out "When the Saints Go Marching In" during your orchestra's performance of Beethoven's Ninth Symphony. The results would be unhelpful and, frankly, ludicrous.
The violins all need to play together; as a group, the strings all need to play together; as an orchestra, the entire group of musicians needs to play together.
And whose job is it to direct them towards a common harmony? The orchestra director.
The CISO.
"Now DevSecOps... that's it... now IT... that's it, right, right, now don't forget to—yes, Compliance, we need Compliance here, don't ignore them, Adagio, Adagio, yes, yes, yes!"
All metaphors are wrong, but some are useful. Ensuring harmony in a growing team-of-teams is vital to ensuring maximum defensive security posture at a minimum cost (that is, optimizing your Security ROI).