Security Team Leadership – the ‘X’ Factor

Published on CSO Online

With the global Petya malware wreaking havoc this week, on the back of last month’s WannaCry ransomware outbreak, it’s clear that cyber mayhem is an ever-present, disruptive challenge confronting most companies daily.

Many of our client companies have come a long way in relatively short time with regard to emboldening their digital security posture.  Many of these same clients want to do still more; but they understandably feel hamstrung by the vast talent shortage in the cyber market.

Leadership.  It’s all about leadership . . .

I’ve been having more than a few discussions with clients these past months around leadership . . . the importance that strong and dynamic leadership plays in corporate digital security teams executing their mission.  Let me cut to the chase . . . Arguably the quality of the security team’s leadership bench is directly proportional to that team’s mission performance.  With technology product capability generally residing in the same bandwidth range from platform to platform, the difference—the outlier, the force multiplier—between good and exceptional security performance is strength of leadership.

As a headhunter, my core function is to identify and deliver exceptional talent optionality for my clients’ strategic hiring mandates.  It’s often a very interesting and (I believe) important service offering.  More fundamentally critical to my own mission purpose is creating bespoke solutions around our clients’ key talent initiatives.  And while I’ve been advocating for several years now (and writing on these pages) the necessity of considering ‘alternate profile candidates’ for CISO hiring initiatives—there are exceptional CFOs, COOs and CROs at quality down market companies who can very effectively transition to the CISO remit for up market companies—there are other innovative bespoke measures senior management can take short of recruitment.

How does the digital security leader get from here to there?

One of the truly game-changer initiatives ZRG CyberSecurity has embarked upon is engaging a range of veteran cyber luminaries to work in close partnership with us (under our ZRG CyberSecurity banner) . . . to deliver expanded solutions deliverables to our clients.  Prominently featured:

  • Assess the Security Team’s bench strength capabilities, across . . .
    • qualitative security leadership assessment
    • technical-functional security assessment
  • Advise, mentor and develop the Security Team’s leadership bench, via . . .
    • 1-1 extended term mentoring to CSOs/CISOs
    • developing successor leaders
  • Briefing to C-Suite / Board, in concert with and/or on behalf of CISO/CSO

This is not about ‘beat my chest, follow me leadership’.  This is about quietly and methodically doing what it takes day in day out to get the job done.  Sustained superior performance wins the day.  The good leader intuitively gets this; and is driven by this.  Training and motivating the security staff; cross training across key functions.  Communicating realistic situation reports to senior management—this is where our capability is now, here’s where we can be effective and here’s where we’re going to fall short, this is what I need to elevate to this level, and [equally] this is what I can do without.  Similarly, keeping the security team fully updated, always—this is where we are, this is where I expect us to be, this is where we’re elevating to, and this is what we’ll have to do without for the time being.

Being a good leader means being situationally aware and practicing insightful decision-making.  Quiet confidence, emotional maturity and self-awareness are hallmarks of exceptionally effective leaders. Recognizing one’s own gaps and one’s team’s gaps, and taking corrective action.  Actively soliciting and welcoming new ideas from the staff. These are all essential aspects of dynamic leadership.

One of the very interesting developments in this still Wild West market is the seemingly hyper flow of new product innovation.  No doubt CSOs and CISOs are bombarded daily by unsolicited vendor inbounds.  Surely most instances are nonessential and under-deliver.  But the thoughtful leader resists the easy temptation to simply dismiss outright every inquiry, without even giving an honest cursory look.  This cyber ecosystem of ours is a massive paradigm shift regarding old and new ways of doing business.  A disruptive market no doubt breeds (inspires) new disruptive digital security products and services. Indeed I have been witness on several notable occasions to security leaders taking an educated leap rolling new-to-market security product on to their platform . . . and winning.

The good leader is intellectually curious.  It is this curiosity that enables her/him to be open to new ideas, even in the face of overwhelming intellectual rigidity from those surrounding her/him . . . and of her/his own preconceived notions of what should/should not work.  It takes courage and clarity of vision to be first to market; it’s easy to follow.  With calculated risks, based on good albeit imperfect information, come the occasional wrong turns. The front-of-the-pack leader accepts there will be mistakes; she/he is not stymied or frozen into inaction by this.  Rather she/he embraces forging new ground, and operates with the confidence that any mistakes will be relatively small and manageable.

Perhaps the single most important continuing action exceptional security leaders take, away from core security requirements and taskings, is identifying and developing the key successor leaders on their security bench. This is critical . . . to forging operational continuity in the face of budgetary constraints and an extended talent shortfall.

We’re in the midst of significant and prolonged transformational growth across the digital security landscape.  And with this, unfortunately but predictably, we’re experiencing a stark talent shortfall across critical corporate security functions, from the CISO/CSO on down.  The war for cyber talent has created two realities; it has helped (in part) elevate the digital security function to strategic/C-suite level—a good thing for sure, for the good of the organization—and with this we find that compensation is at a prohibitive premium.  Well-resourced companies can absorb this anomaly; but many more simply do not possess the means to ‘do whatever it takes’.  And so they have to look internally; and build on what they already have.  What I’ve outlined above is a practical guide to go about doing just that.

Assessment . . . Advisory . . . Development . . . Mentoring