Cybercrime continues to grow in both volume and complexity, challenging agencies of every size. As more departments consider dedicated cyber capabilities, veteran Los Angeles County Sheriff’s Department Sgt. Peter Hish argues that success depends less on technology and more on three foundational leadership decisions made before the unit opens its doors.
By Sergeant Peter Hish
Cybercrime today demands a capable cyber unit at every agency. The question is no longer whether to build one. It is how to build one that will still be working two years from now.
Most units that thrive got three decisions right early. The decisions are not technical and they are not exotic. They are the kind a chief makes before the first detective is hired, often without realizing how much weight they will carry. The good news: all three are recoverable, but only if a chief sees the drift before it hardens.
Decision 1: Mission scope
The scope memo is the most undervalued document a chief writes. One page, often drafted in an afternoon, and yet it determines what the unit becomes.
Here is the pressure the unit will face on day one. Cyber is in almost every crime now. A traditional detective working domestic violence pulls texts, social media exchanges and cloud-backed photos. Theft cases turn on Ring footage and payment-app history. Burglary squads request cellphone extractions. Threat cases live entirely on platforms. The cyber unit will be asked to help with all of it, and most of the requests are legitimate. Without a scope memo, “help” turns into “own,” and the unit fills with work it was not funded to carry.
The deeper problem is not workload. It is credibility. A unit fielding routine extractions and OSINT pulls for 18 months produces a worrying year-two briefing: lots of activity, no signature cyber cases. The chief is then asked by council why the agency funded a specialized cyber unit instead of expanding the patrol-detective bench. That question has no good answer if the unit cannot point to anything it built.
Three drifts show up in the units that did not write a scope memo:
1. Cellphone-forensics drift
Patrol or detectives ask for a quick Cellebrite extraction. The cyber unit is the only place in the agency with the tool, so it says yes. Six months later, the unit spends most of its week on routine extractions and only a fraction on real cyber casework. Forensics and cyber investigations are different crafts. A forensic examiner acquires and analyzes devices. A cyber investigator builds cases: subpoenas, undercover work, cryptocurrency tracing and court testimony. A unit doing routine extractions is borrowing labor from the work it was funded to do.
My unit caught the drift early. In month six, a “quick extraction” tied up most of a week while a cryptocurrency fraud lead sat untouched. The numbers at that point were still healthy (three phone extractions, 18 cyber cases), but the trajectory was clear: If we kept saying yes, we would invert. We changed the intake rules, stopped accepting every device request and pushed routine forensics back to the assigned investigators. We wrote the scope memo we should have written on day one.
2. Open-source-on-demand drift
The investigations bureau wants a Facebook background on a person of interest. Risk management wants an Instagram check. A captain asks for an OSINT pull before a community meeting. All useful work, none of it the case-building the unit was created to do.
3. Executive-protection drift
The chief’s office wants an executive’s email scanned for phishing exposure. The unit now reports to two masters, and the second one outranks the first.
A chief without a scope memo by month 18 is the chief explaining to council why the new cyber unit has not produced a real cyber case. That conversation rarely ends with the unit’s budget intact.
A healthy unit at month 12 can answer “how many of our intakes were inside scope?” in under a minute. The scope memo is reviewed quarterly. Patrol and traditional detectives know the difference between “the cyber unit takes this case” and “the cyber unit helps us with this case.”
Decision 2: Federal partnership posture
The federal partnership decision is where chiefs often look for a right answer. There isn’t one. There are three operational postures, each with a tradeoff bundle, and the strongest move is to choose deliberately rather than drift into whichever federal relationship calls first.
The Secret Service Electronic Crimes Task Force model gives the unit a fast lane to financial-fraud assistance, a formal MOU and a defined training pipeline. The tradeoff is that case routing tends to follow federal interest, statistical credit splits get negotiated and the investigator’s time is partly committed to the task force’s caseload. If the agency’s cyber pain is heavy on business email compromise, romance scams, payment-app fraud and elder financial exploitation, the ECTF posture aligns well.
The FBI Cyber Task Force model gives the unit access to federal prosecution pathways, a Top Secret clearance opportunity for the assigned investigator and a window into national-level cyber intelligence. The tradeoffs are case rotation expectations, federal prioritization that can pull the investigator off local work and shared attribution rather than clean local clearance. If the agency’s cyber concerns lean toward nation-state activity, ransomware against critical infrastructure or significant intrusion casework, the CTF posture pays back its costs.
The independent posture, with informal liaison rather than full task force membership, gives the unit complete local case ownership, a clear local-prosecutor pipeline and no rotation. The tradeoffs are slower subpoenas through major providers, fewer guaranteed training seats and the absorption of scale challenges alone.
None of these is the right answer in the abstract. The right answer depends on the agency’s caseload profile, its prosecutor relationships and the political appetite for federal entanglement. The mistake is treating the decision as a sequence (“we’ll join the task force later”) because the choice shapes the unit’s training plan, its evidence-handling SOPs and even how its case management system is configured.
A chief who drifts into the wrong federal posture and tries to switch in year two faces a near-impossible reset: retrain investigators, renegotiate MOUs, rewrite SOPs and explain to the partner agency why the unit is walking back its commitments. The decision feels reversible at month three. It is not reversible at month 24 without cost.
A healthy unit at month 12 has a chosen posture, a signed MOU, a training pipeline that reflects the choice and a documented expedited path for cyber procurement.
Decision 3: Staffing model
Staffing is where the unit lives or dies in practice, and it is where most agencies under-plan. The cyber unit is built from three different crafts, not three flavors of the same hire. The cyber detective builds cases through subpoenas, search warrants, undercover personas, cryptocurrency tracing and court testimony. The civilian analyst lives in data: OSINT, link analysis, blockchain analytics and structured-data mining. The forensic examiner is closer to a lab role: device acquisition, image analysis, mobile-device extraction and the rigorous documentation that makes evidence admissible. A staffing plan that conflates these three will produce an undertrained team in all three areas.
Three hidden realities shape the staffing build:
1. Time to working independence
A capable detective pulled from patrol is not productive on cyber cases on day one. NW3C foundational courses are competitive. NCFI seats are often booked 12 months out. SANS courses run six to 12 months from registration. A realistic time to independence is 12 to 18 months. Chiefs who plan as if the new investigator will produce in month three are setting up a year-two reckoning.
2. The analyst’s economic profile
Civilian analysts often look like the budget-friendly option until the agency tries to hire and retain one. Analysts with cryptocurrency-tracing or advanced OSINT experience compete with the same private sector that bids for sworn detectives. The cost gap narrows the more skilled the analyst becomes.
3. Retention
Once a detective passes NCFI cellphone forensics and adds a SANS GIAC certification, that person is a $180,000 to $225,000 private-sector hire in Southern California. The same applies to an analyst with cryptocurrency-tracing experience. The unit needs a written career path, a documented succession plan or, at minimum, a planned return to patrol for investigators who choose to move on. A unit without one is two resignations from rebuild.
A chief without a written staffing plan watches the first wave of trained investigators leave for the private sector in year two and starts the unit over. The cost of replacing a fully trained cyber investigator is not the salary line. It is the 18 months of ramp time the agency just paid for and lost.
A healthy unit at month 12 has a nonzero, predictable training-budget line item, the three crafts documented and a career path on paper.
Five early warning signs your cyber unit is drifting off course
A young cyber unit produces consistent signals when it is drifting off course. Five worth watching in years one and two:
- Scope-fit ratio drops below 70%. Intakes are falling outside what the scope memo names. The unit is fielding work it was not funded for, and the year-two cyber-casework briefing is going to be thin.
- Service-request-to-case-opening ratio exceeds 1:1. More ad hoc service requests than case openings means the unit is extracting devices and pulling OSINT, not investigating. The craft drift has started.
- Time to first investigative step exceeds 21 days. Victims are not hearing back inside three weeks. Cases are stalling at intake. The community starts hearing that the cyber unit is a black hole.
- Personnel retention drops below 80% of baseline at month 18. The unit is leaking trained people faster than it can train new ones. The year-three staffing model is in trouble.
- Federal-referral pattern shifts suddenly. A spike or a halt in either direction signals the partnership posture is moving, often without anyone naming it. Worth a closer look before the drift becomes the new normal.
These are diagnostic, not aspirational. When the numbers move, the chief has a window to correct course before the drift hardens into the unit’s structural identity.
The demand on cyber units will not slow down. Cyber is the connective tissue of modern crime, and the agencies without a credible cyber capability are losing cases, losing trust and losing ground. None of this is mysterious. All of it is doable.
The three decisions described here are not technical. They are leadership decisions a chief makes in the first 60 days of standing up the unit, often before the first detective is hired. The chief who treats them as administrative trivia is the chief who, two years from now, is explaining to council why the cyber unit needs to be restructured. The chief who treats them as core leadership work is the chief who, five years from now, has a unit that other agencies study.
About the author
Sergeant Peter Hish is a 27-year veteran of the Los Angeles County Sheriff’s Department, where he has supervised its cyber and fraud team for the past decade. He built the unit he describes in this article and now teaches the same material to incoming command staff through the National Public Safety Innovation Academy at Polk State College and the Regional Training Center in Fountain Valley. A U.S. Army veteran, he is the founder of Sentinel Vault, publisher of the Sentinel Vault Insights blog, and author of “Hacked or Hardened? The New Reality for Business Owners.”