How to Motivate Cybersecurity Teams with Stretch Assignments (10–20% Time Model)

Motivating a cybersecurity team is one of the hardest challenges for security leaders. The work is high-pressure, threat-driven, and often reactive. Alerts never stop. Incidents pile up. Over time, even strong teams can lose momentum.

One of the most effective—and underused—ways to improve engagement, retention, and skill development is through cybersecurity stretch assignments. When structured correctly, these assignments empower security professionals to grow while delivering real value to the organization.

What Are Stretch Assignments in Cybersecurity?

Stretch assignments are self-directed projects that allow team members to research, build, or experiment beyond their core daily responsibilities.

In cybersecurity, this might include:

• Researching emerging attack techniques

• Building security automation

• Experimenting with open-source tools

• Creating detection logic or lab environments

The key is intentional design: these projects are aligned with business and security goals—not side hobbies.

The 10–20% Time Model for Security Teams

A proven framework is dedicating 10–20% of an employee’s work time to stretch assignments. This approach:

• Encourages deep learning without disrupting operations

• Reduces burnout from nonstop reactive work

• Creates space for creativity and innovation

This time must be planned and protected. When leadership formally supports it, team members feel safe investing energy into long-term skill development instead of rushing back to tickets and alerts.

Let Team Members Choose Their Research Topic

Autonomy is one of the biggest motivators in cybersecurity careers. Instead of assigning topics top-down, allow team members to choose a project that fits into one of two categories:

1. Relevant to Their Current Security Role

Examples:

• Improving SIEM detections

• Automating repetitive SOC tasks

• Evaluating a new EDR or security tool

• Researching MITRE ATT&CK techniques

2. Stretching Toward Their Next Role

Examples:

• SOC analysts learning detection engineering

• Security engineers exploring threat modeling

• Blue team members practicing purple team skills

• Senior engineers developing architecture or leadership capabilities

This approach supports career growth while increasing team capability.

Example Stretch Assignment: Raspberry Pi Security Projects

Stretch assignments don’t require enterprise budgets. A Raspberry Pi is an excellent learning platform for hands-on cybersecurity projects.

Examples include:

• Building a simple honeypot to observe real-world attacks

• Creating a lightweight network monitoring sensor

• Running open-source IDS or logging tools

• Prototyping detection-as-code concepts

• Testing alerting and visualization pipelines

These projects reinforce real skills—networking, logging, detection, automation—while keeping learning engaging and accessible.

Define Clear Outcomes (Without Killing Creativity)

Stretch assignments work best when expectations are clear but flexible. A lightweight structure keeps projects focused without turning them into performance traps:

• Goal: What problem or question is being explored?

• Deliverable: What will be shared?

• Code repository

• Documentation

• Demo or walkthrough

• Internal presentation

• Timeline: Often 4–8 weeks

• Knowledge Share: Present findings to the team

Even imperfect results create value through shared learning.

Why Stretch Assignments Improve Cybersecurity Teams

When implemented well, stretch assignments deliver measurable benefits:

• Increased motivation and engagement

• Faster skill development

• More innovation from the ground up

• Improved retention of top talent

• Stronger security culture

They also give leaders insight into individual interests, strengths, and future potential.

Leadership Must Protect the Time

Stretch assignments fail when they are treated as optional or expendable.

Security leaders must:

• Actively protect the 10–20% allocation

• Encourage experimentation

• Celebrate learning—not just production-ready outcomes

Not every project will succeed—and that’s part of the value.

Final Thoughts

Cybersecurity professionals rarely burn out because the work is too technical. They burn out because growth stops and the work loses meaning.

By giving your team dedicated time for stretch assignments, aligned with their current role or their next one, you build a more resilient, motivated, and capable security organization.

Sometimes, all it takes to reignite curiosity is a Raspberry Pi—and permission to build.