Leadership. It’s a misunderstood word. In corporations all over the world, people use the term to connote a certain job title, like “CISO” or “CTO” or “CEO.” We see it all over company websites: About Us: Leadership Team.
But the anointment of a title does not equal leadership. In truth, one of the main problems with the word “leadership” is that it implies a certain set of skills or personal attributes, yet I would bet everyone reading this short rant knows of some person who has risen through the ranks to a “leadership” position without possessing any leadership skills whatsoever. After nearly three decades as a codified discipline, cyber security practitioners still talk about how CISOs typically come into the role—that is, some very technically skilled practitioner takes on more and more responsibility until he/she/they are the security expert in the company. As the resident expert, they are promoted to a VP or C-level position and are deemed a “leader,” someone who may even have a proverbial “seat at the table,” who reports to boards, and who has a number of employees working for them.
Too often, though, these same people have received no leadership training, never mind basic management training. Their acquired, and very valuable, skills are focused on security and technology. But the lack of experience with and training in leadership can be detrimental to the organization.
Cyber security is a business risk. Straight up, no chaser. It has become a critical business risk which can impact the productivity of entire organizations, jeopardize people’s identities, and cost companies significant ARR. In more extreme situations, cyber security risk threatens lives.
This is not meant to be hyperbolic, but we are seeing in real life how lack of leadership costs lives.
While people are not dying every day from a data breach of PII, the impacts of such a breach are significant. At present, we’re watching a former CISO face potential jail time and half a million dollars in fines for allegedly covering up a breach and failing to report it properly. This is not playtime.
And as such, we need leaders in security. We need people who are more than technicians. One hundred percent we need experts who can reverse engineer malware, analyze packets, and properly implement encryption/access controls/pick-your-functional-area-of-interest. But we need leaders who learn, understand, and practice communication skills. We need leaders who learn, understand, and practice empathy. We need leaders who do what’s right rather than what’s popular or that which gains them speaking invitations. We need leaders who can make tough calls when a security incident is in question, but who can execute with humility and respect.
These are the so-called “soft skills,” yet I posit that this is a misnomer. These “soft skills” are, in fact, extremely hard to acquire. They take training, practice, and the ability to look outside oneself. A true leader isn’t someone who seeks glory and tries to be a hero. How far will that get you in the aftermath of a breach? A true leader doesn’t conceal information to save face, out of fear of repercussions, or in order to orchestrate the response at a personal level rather than doing what’s right.
Being a leader is hard work, and in security, covering up information or holding back information about vulnerabilities or exploits has substantive impacts on people’s lives. Perhaps not in the same way as Covid-19, but without a doubt cyber breaches of confidentiality, availability, and integrity have downstream effects on people’s abilities to work, earn money, obtain credit to rent or buy a home, take out a loan to attend college, and many other real-life situations.
So if you’re a CISO or want to be a CISO, I implore you to work just as hard on becoming a better listener, a better communicator, and a better conduit for empowering those around you. These are just some of the attributes that make the best leaders—and we have some great examples in the security community! But do not, for one second, think that a title makes you a leader. Your actions can harm people and threaten their livelihoods; it is a leader’s responsibility to be truthful and to make difficult decisions, but to do so with an understanding that the role is in service of a larger picture—one that dwarfs whether you left your RDP exposed to the internet or didn’t encrypt your customers’ credit card information.