HMG: Stephen, it’s been a while since we last spoke. What are you up to these days?

Stephen Spagnuolo: I just returned from Newport, R.I. where I attended the U.S. Naval War College’s 2nd Annual Navy-Private Sector Critical Infrastructure Cyber War Game. I was participating as the guest of the Center for Cyber Conflict Studies Chairman, Philip Bilden. In addition to senior thought leaders from across DoD and Government, the largest cadre of participants was comprised of very senior corporate decision makers ranging across the private sector, from both the financial services and non-FS spaces. As one of the few folks in attendance who has worked across each of the three core components engaged in the war game – DoD/Government and Wall Street and non-FS – I went in with a pretty good perspective on how each of the communities think and operate.

A ton of raw data came out of it and I look forward to the published after-action report, which will not only benefit our Naval Services, but also and more broadly the public-private cyber community. Incidentally, the NWC Foundation’s cyber prospectus is probably the most comprehensive yet concise state of cyber play document that I’ve come across – it’s very cogent, very compelling. A ‘call to arms’ that’s written for the cyber layman.

I’m also spending time, whenever the opportunity permits, with FBI cyber folks at FBI-sponsored cyber events. In my professional opinion, I think cyber fusion cells are the new-model pathway to aggregating the best full spectrum resources to maximize connectivity and effective counter cyber activity. Wall Street as a sector has really been out in front on cyber, and so in the U.K. you have the National Cyber Crime Unit, and here at home we have the Financial Systematic Analysis & Resilience Center (FSARC), which is comprised of the eight largest U.S. banks working in partnership with Treasury, DHS, and FBI. I know this has been said countless times before on the HMG CIO and CISO stage, but it begs repeating: team leaders for every company of at least mid-tier size should know who their local FBI counterpart is, and ideally will have a well-established working dialogue in place.

I think the HMG Strategy CISO Summit series we’ve just rolled out is critically more important than ever in terms of establishing circles of peer-to-peer collaboration. The New York CISO summit in April was spectacular on so many levels. It was a privilege to be called upon to help out.

HMG: What’s new on the recruiting and cyber leadership side? 

SS: We’re seeing some very exciting developments around our CyberSecurity Recruitment & Leadership Advisory Practice. We are now deploying – in close partnership with a cadre of cyber luminaries working under our ZRG CyberSecurity banner – an expanded solution offering to our clients. This includes:

  • Assessing their security team’s bench strength capabilities via our bespoke qualitative security leadership assessment. This is for the CISO/CSO on down, and we work collaboratively with our cyber partners. More granularly, our Technical-Functional Security Assessment is a very potent offering; it’s a 1-to-1 technical deep dive against functional security requirements and best practices, and is conducted by one of our cyber luminaries.
  • Advising, mentoring, and developing the security team’s leadership bench via enhancing their leadership capabilities, assessing the security leadership plan, 1-1 mentoring, etc.
  • Developing successor leaders on the security bench. This is critical given the current cyber leader talent shortage; and our cyber veteran collaborative partners play a crucial role in delivering here.

My ZRG partner and good friend, David Sheahan, brings vast experience working with clients across the talent advisory spectrum, particularly in the areas of assessment. He’s been instrumental in helping me roll this out on behalf of our clients. As David likes to open up with clients... What’s the plan? What talent do you have? What talent do you need? How will you get there – build it or buy it?  That kind of says it all, don’t you think?

HMG: What else is new on the leadership front? 

SS: This is new frontier stuff. This cyber fight we’re in requires a fundamental and wholesale paradigm shift to how we collectively think, engage, and ultimately win on the cyber battlefield. We must unshackle ourselves from long-established operating models we’ve heretofore clung to. This takes time – the bad guys know and are leveraging this. They also understand that, by nature, most humans are risk-averse. Most folks simply are not wired to feel comfortable or confident operating in the blind, with little if any certainty, which is really the essence of this vast cyber dilemma we’re collectively engaged in. The bad guys are smart and crafty, and they are leveraging these two critical imbalances – old operating models and our aversion to risk – to their supreme advantage. “Our lawyers say we can’t do this...” must not be the go-to default option when confronted with uncertainty. It’s up to the courageous cyber leader to resist these status quo inclinations and press boldly forward.

I submit to you that leadership is the one critical advantage that the good-guy cyber ecosystem possesses, which the bad guys don’t. Sure, many cyber bad guys out there have some form of organizational command structure. But they tend to not pay attention to, let alone invest in, leadership. Purposeful leadership is the greatest advantage that our cyber community can leverage over our adversaries during this ‘wilderness period.’ I’ll take purposeful leadership, over spiritless command with shaky leadership, every time.

Good leadership is a never-ending cycle of continuous reflection and improvement to optimize capabilities, and then pushing beyond that perceived potential. Quiet confidence and sustained superior performance win the day. It will be a good 8-to-10 years before our cyber ecosystem bench numbers markedly increase, before we really see some form of cyber battlefield parity. It’s individual dynamic leadership that’s going to get us through this long and challenging stretch, grinding it out day in, day out. This is why developing the security leadership bench is so critically important.