How to Motivate Cybersecurity Teams with Stretch Assignments (10–20% Time Model)


Motivating a cybersecurity team is one of the hardest challenges for security leaders. The work is high-pressure, threat-driven, and often reactive. Alerts never stop. Incidents pile up. Over time, even strong teams can lose momentum.


One of the most effective—and underused—ways to improve engagement, retention, and skill development is through cybersecurity stretch assignments. When structured correctly, these assignments empower security professionals to grow while delivering real value to the organization.


What Are Stretch Assignments in Cybersecurity?


Stretch assignments are self-directed projects that allow team members to research, build, or experiment beyond their core daily responsibilities.


In cybersecurity, this might include:

Researching emerging attack techniques

Building security automation

Experimenting with open-source tools

Creating detection logic or lab environments


The key is intentional design: these projects are aligned with business and security goals—not side hobbies.


The 10–20% Time Model for Security Teams


A proven framework is dedicating 10–20% of an employee’s work time to stretch assignments. This approach:

Encourages deep learning without disrupting operations

Reduces burnout from nonstop reactive work

Creates space for creativity and innovation


This time must be planned and protected. When leadership formally supports it, team members feel safe investing energy into long-term skill development instead of rushing back to tickets and alerts.


Let Team Members Choose Their Research Topic


Autonomy is one of the biggest motivators in cybersecurity careers. Instead of assigning topics top-down, allow team members to choose a project that fits into one of two categories:


1. Relevant to Their Current Security Role


Examples:

Improving SIEM detections

Automating repetitive SOC tasks

Evaluating a new EDR or security tool

Researching MITRE ATT&CK techniques


2. Stretching Toward Their Next Role


Examples:

SOC analysts learning detection engineering

Security engineers exploring threat modeling

Blue team members practicing purple team skills

Senior engineers developing architecture or leadership capabilities


This approach supports career growth while increasing team capability.


Example Stretch Assignment: Raspberry Pi Security Projects


Stretch assignments don’t require enterprise budgets. A Raspberry Pi is an excellent learning platform for hands-on cybersecurity projects.


Examples include:

Building a simple honeypot to observe real-world attacks

Creating a lightweight network monitoring sensor

Running open-source IDS or logging tools

Prototyping detection-as-code concepts

Testing alerting and visualization pipelines


These projects reinforce real skills—networking, logging, detection, automation—while keeping learning engaging and accessible.


Define Clear Outcomes (Without Killing Creativity)


Stretch assignments work best when expectations are clear but flexible. A lightweight structure keeps projects focused without turning them into performance traps:

Goal: What problem or question is being explored?

Deliverable: What will be shared? (code repository, documentation, demo or walkthrough, internal presentation)

Timeline: Often 4–8 weeks

Knowledge Share: Present findings to the team


Even imperfect results create value through shared learning.


Why Stretch Assignments Improve Cybersecurity Teams


When implemented well, stretch assignments deliver measurable benefits:

Increased motivation and engagement

Faster skill development

More innovation from the ground up

Improved retention of top talent

Stronger security culture


They also give leaders insight into individual interests, strengths, and future potential.


Leadership Must Protect the Time


Stretch assignments fail when they are treated as optional or expendable.


Security leaders must:

Actively protect the 10–20% allocation

Encourage experimentation

Celebrate learning—not just production-ready outcomes


Not every project will succeed—and that’s part of the value.


Final Thoughts


Cybersecurity professionals rarely burn out because the work is too technical. They burn out because growth stops and the work loses meaning.


By giving your team dedicated time for stretch assignments, aligned with their current role or their next one, you build a more resilient, motivated, and capable security organization.


Sometimes, all it takes to reignite curiosity is a Raspberry Pi—and permission to build. 
