
Building Cybersecurity Teams

Matthew Marji shares strategies for building cybersecurity teams, embedding security into engineering culture, and fostering collaboration and trust.

Cybersecurity today is a complex, ever-shifting challenge that requires more than just technical skill—it demands strong communication, strategic alignment, and a culture of continuous learning. Leaders face the dual task of securing rapidly evolving products while competing for scarce talent.

We sat down with Matthew Marji, Head of Security at Narvar and a security leader with experience at companies like Okta and Auth0, to discuss his approach to building resilient cybersecurity teams, embedding security into engineering culture, and ensuring security has a seat at the leadership table.

This article captures Matt’s insights, offering a roadmap for security leaders navigating the modern threat landscape.

You can read the complete transcript of the episode here.

What Key Qualities and Skills Should Organizations Look for in Cybersecurity Professionals?

Hiring the right mix of talent is crucial, especially as cyber threats evolve rapidly. Matthew breaks down the essential traits into non-technical and technical skills.

Non-Technical Qualities

Given the prevalence of distributed organizations and the need to effectively communicate risk across the business, communication is paramount.

  • Strong Oral and Written Communication: Professionals must be able to synthesize technical concepts and break them down easily for others to consume. This includes taking a technical vulnerability (like an injection that causes data exfiltration) and explaining how to reproduce it in an easily digestible fashion.
  • Tailoring Language: A key skill is tailoring the language—the level of technicality used with an engineering team will be different from that used with leadership.

Technical Qualities

For startups and initial hires, Matthew prioritizes hands-on capability over specialized, current knowledge.

  • Hands-On Capability (Code Literacy): The security professional must have the ability to be side-by-side with a developer to look at code, have a back-and-forth conversation, and discuss ways things can go wrong. The ability to read and write code is critical.
  • General Adaptability: Security is constantly evolving (e.g., changes in the OWASP Top 10 from 2017 to 2021). Matthew is not necessarily looking for expertise in specific, current technical skills, as the team will have to continue learning as the threat landscape changes.

What Strategies Work Best for Attracting and Retaining Cybersecurity Talent?

Matthew believes trust, collaboration, and transparency are key to both attracting and retaining talent.

Hiring Strategies (Attraction)

  • Transparency in Role: Share what candidates will actually do in the role, including current areas the team is looking to improve or work on, to give candidates a great idea of what they will be working on from the beginning.
  • Collaborative Challenges: Matthew prefers collaborative technical challenges that are spin-offs of real-life challenges the organization has faced.
    • Example: Reviewing code for vulnerabilities while refactoring how JWTs are manipulated. The output is a vulnerability ticket that would be passed to an engineering team.
  • Assessing Multiple Skills: This collaborative approach assesses both technical and communication skills in real-time, moving beyond quiet assessment to a joint effort.
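As an added illustration of the kind of collaborative challenge described above (example code written for this page, not from the original article and not Narvar's or Cloudanix's code): a hypothetical service is refactoring its JWT handling, and the candidate reviews the token verifier with an engineer. The "before" function carries the defect the resulting vulnerability ticket would describe: it lets the token's own header choose the algorithm, so an unsigned token that declares "none" is accepted without any signature check. The "after" function pins the algorithm, always requires a valid signature, and rejects malformed input instead of raising. The function names, the signing key and the payloads are all constructed for the example, which uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for the example; a real service would load it from a secret store.
SECRET = b"example-signing-key-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT's base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(payload: dict, key: bytes) -> str:
    """Issue an HS256-signed token, as the hypothetical service does."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = _hs256(key, f"{header}.{body}".encode())
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_before(token: str, key: bytes) -> Optional[dict]:
    """The finding the ticket would describe: the verifier lets the token's own
    header choose the algorithm, so a token declaring "none" is accepted
    without any signature check."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(body_b64))
    if alg == "HS256":
        expected = _hs256(key, f"{header_b64}.{body_b64}".encode())
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(body_b64))
    return None


def verify_after(token: str, key: bytes) -> Optional[dict]:
    """Hardened form: the verifier fixes the algorithm itself, only checks the
    header for agreement, and always requires a valid signature. Malformed
    input is rejected rather than raising."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = _hs256(key, f"{header_b64}.{body_b64}".encode())
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(body_b64))


def unsigned_token(payload: dict) -> str:
    """Constructed negative test case for the review: a token whose header
    claims "none" and which carries no signature at all."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def review_findings() -> dict:
    """Run both verifiers against the same inputs; the differences are what
    the vulnerability ticket handed to the engineering team would report."""
    legit = issue_token({"sub": "alice", "role": "user"}, SECRET)
    unsigned = unsigned_token({"sub": "alice", "role": "admin"})
    return {
        "before_accepts_unsigned": verify_before(unsigned, SECRET) is not None,
        "after_accepts_unsigned": verify_after(unsigned, SECRET) is not None,
        "after_accepts_legit": verify_after(legit, SECRET) is not None,
        "after_accepts_wrong_key": verify_after(legit, b"other-key") is not None,
    }


if __name__ == "__main__":
    for name, result in review_findings().items():
        print(f"{name}: {result}")
```

The ticket that comes out of such a review would cite the `verify_before` branch that returns the payload for an "none" header, attach the unsigned token as the reproduction case, and propose the `verify_after` shape as the fix; the point of the exercise is that the candidate explains all three parts clearly enough for the engineer to act on them.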

Retention Strategies (Building Trust)

  • Trust and Transparency: Matthew equates transparency to trust. Establishing trust and clear lines of communication early on, even during the interview process, is key to building a strong security organization.
  • Constant Collaboration: The goal is constant collaboration between security and engineers, ensuring a transfer of information both ways and fostering a trustful relationship.
  • The “Give and Take”: Security should look for opportunities to provide guidance, early review, or assistance to engineering teams. By providing guidance and value, engineering teams begin to reach out early (e.g., “I should reach out to so and so for their opinion before I miss anything”).

How Should a Startup Prioritize its First Security Hire and Program?

Startups face unique constraints (budget, expectations), and there is no one-size-fits-all approach for their first security hire.

  • Prioritize Business Risk: The best way to identify the next step is to build a register of the business's security risks. Assessing risk across the business determines whether the next step should be a contracted third-party security team, a technical hire, or an InfoSec/CISO hire focused on compliance and privacy.
  • Align with Business Needs: At Narvar, the organization started with compliance and privacy first, and then moved on to building out security engineering, which aligned with the business needs at that time.

Evolving Skill Needs

The skills and experience needed evolve as the company’s technology evolves.

  • Infrastructure as Code (IaC): Three to five years ago, IaC (Helm, Terraform) was less common, but it has now exploded. Security must be aligned with the business’s technical direction, meaning security engineers need experience in Kubernetes and IaC.

How Can Organizations Bake Security into Engineering Culture from the Beginning?

It’s a reality that, for many organizations, especially startups, security may not be the first thought—cash flow, customers, and product building often take precedence. Therefore, integrating security into the culture requires a pragmatic, continuous effort based on demonstration.

  • Demonstrate Relevance (“Show and Tell”): Security must establish its relevance by providing evidence of how important security is to a particular product or leader.
    • Leading by Example: Matthew has spent time reviewing a product, found a vulnerability, created an exploit for it, and then shared this hands-on demonstration to show the importance of being ahead of these issues.
    • Shock Value: Showing a hands-on exploit gives shock value that makes people remember the issue and tend to value security more.
  • Lead by Example: Security professionals need patience, realizing that the culture is not built overnight. The best way to start is to lead by example, get more people interested, and empower engineers with the tools and resources to do the same.
  • Vulnerability as a Learning Opportunity: Every vulnerability should be seen as an opportunity to enlighten a developer or team on what went wrong and how to improve for the future—not as a chance to point out a mistake.

Why Must Cybersecurity Have a Seat at the Leadership Table?

If security is treated as a separate function that only provides tooling and a second pair of eyes, it becomes second-tier and isn’t integrated with the company’s roadmap.

  • Product Roadmap Integration: Security must be tied into all elements of what the company is delivering to customers year over year. This ensures that from an early design stage, security has a say in how the company thinks about data management, secret management, and new infrastructure needed to support the product.
  • Organizational Alignment: The key is alignment. Security needs to have its own roadmap (with OKRs) that aligns with the business roadmap to continue seeing growth in the security organization.

How Can Organizations Foster Collaboration and Continuous Learning?

Fostering Collaboration

To overcome the common friction between security and engineering (similar to that between developers and QA), security teams should focus on integrating with and extending the engineering team.

  • Extension of the Team: Security engineers should aim to understand the product just as well as an engineer on the team. This allows security to not only provide recommendations but also help if needed, essentially acting as an extension of the team.
  • Security Champions: This approach can lead to each security engineer being seen as a security champion and a point of contact for security concerns or questions. However, a Security Champion program requires a certain level of security maturity and a strong, well-rounded security team that has empowered the engineers.

Continuous Learning and Awareness

Awareness training often fails when it’s treated as a one-time checkbox exercise.

  • Avoid Non-Interactive Training: Trainings consisting of long-form videos, slides, and quizzes with unlimited retries are a “big no” and a “waste of time”.
  • Prioritize Hands-On and Interactive Learning: The best ways to engage are with interactive and engaging methods.
    • Platforms: Platforms like Secure Code Warrior offer fantastic interactive experiences that make users feel like they are a hacker looking to attack or defend, putting them in a real-life scenario.
    • CTFs: Engaging with hands-on exercises like Hack the Box or other Capture The Flag (CTF) events is highly beneficial.
  • Consistent Engagement: Without consistent check-ins, people forget. Security needs to stay at the forefront of developers’ minds, ensuring they are invested in how to think about it.
  • Leadership Investment: All interactive learning methods are investments of time and resources. This requires a conversation at the top to dedicate time away from product building or technical debt to invest in security education and awareness.

What Advice Does Matthew Marji Have for Aspiring Cybersecurity Professionals?

For those looking to build a career in the rapidly expanding cybersecurity field:

  • Find Your Niche: Security is becoming very broad. Think about areas you enjoy and want to excel in:
    • Red Team (Penetration Testing): Focused on breaking things and looking for vulnerabilities.
    • Product Security: Being a generalist with a strong understanding of application code and infrastructure.
    • Information Security: Leadership focused on compliance, privacy frameworks, and the overall landscape.
  • Be Technical: Build the technical ability to dig in and truly understand how something works. Technical knowledge can be translated into the right information for leaders.
  • Hands-On Learning: Dive into the content and get hands-on. While certifications are important, they aren’t the be-all end-all. Work on a project, write an article, or take a course to continuously stretch your brain and prove you are learning.
  • Engage with Communities: Get involved in virtual and in-person communities (like BSides). This is a great way to connect with like-minded people to both learn and share knowledge, which is critical for growth.

Conclusion: The Security Leader as a Collaborator and Educator

Matthew Marji’s approach defines the modern security leader not as a gatekeeper, but as a collaborator, educator, and strategic partner.

By prioritizing code literacy, demanding strong communication, and using real-life challenges for evaluation, leaders can hire the right talent. By embedding security into the product roadmap and constantly demonstrating value to engineering teams through collaboration and interactive training, organizations can build the trust necessary to shift security from a bottleneck to a shared responsibility. The central theme remains: it depends on the organization’s stage and primary focus, but the principles of continuous engagement and alignment are universal.
