Empowering Cybersecurity Leadership: A New Paradigm
Chapter 1: Rethinking Cybersecurity Leadership
In my extensive journey through the cybersecurity landscape, the discourse surrounding the role of cybersecurity leaders has been persistent. Questions abound: What roles should security encompass? To whom should a Chief Information Security Officer (CISO) report? Should a proficient CISO prioritize technical prowess or business acumen? What defines a security leader, and how can they ascend to the C-Suite—and remain there? What does effective cybersecurity leadership entail?
While some CISOs enjoy prominent recognition, often in large, publicly traded companies with substantial security budgets and compensation packages, the reality for many security leaders is starkly different. These leaders engage daily in budget negotiations, mentor their teams, and encourage their stakeholders to prioritize security. They may not occupy executive positions, and often face overwhelming stress, with compensation far from extravagant.
The paradox of security leadership lies in the constant focus on security measures—where to implement them, how to assess their efficacy, and where to accept risks. Although responsible for an organization’s security posture, leaders often lack control over critical organizational decisions. They can manage their teams and oversee certain functions, yet the budget remains outside their purview, and crises often fall under the jurisdiction of other leaders with distinct priorities.
Many in the cybersecurity field are hopeful for regulatory changes that could elevate the CISO role, perhaps by mandating their presence in executive suites or on boards. They await a shift in mindset from organizational leaders who might recognize the significance of security functions and invite the CISO to strategic discussions. This desire mirrors the hope for a standardized set of guidelines akin to Generally Accepted Accounting Principles (GAAP), which could be termed Generally Accepted Security Principles (GASP). However, even with such principles in place, compliance would merely scratch the surface, leaving risk management in the hands of organizational leaders rather than security experts.
What should a security leader do in this context?
Recently, I sought insights from my social media followers regarding their motivations for pursuing careers in security. The responses varied across platforms, yet common themes emerged: a desire to help others, enjoyment of a diverse range of tasks, continual learning, and a profound appreciation for their teams and for the cleverness of adversaries.
These insights reveal a crucial aspect of effective security leadership: rather than leading in a conventional manner, a security leader should adopt a supportive approach. This involves prioritizing the growth and development of team members, partners, and customers, ultimately enhancing the organization’s security and resilience.
In practical terms, this approach might involve:
- Collaborating with asset management teams to improve tools and processes for better visibility across the technological landscape.
- Assisting development teams in creating secure, efficient coding environments to eliminate the need for insecure workarounds.
- Conducting simulation exercises with executives and incident response leaders to prepare them for real incidents, promoting effective response rather than reactive chaos.
- Maintaining open communication with vendors to clarify needs and expectations, fostering a productive partnership.
- Ensuring seamless integration of vulnerability scanners and ticketing systems for clearer issue resolution.
- Educating recruiters on the skills and attributes to seek when hiring security personnel, streamlining the recruitment pipeline.
- Providing security teams with access to on-demand training to keep pace with evolving security challenges.
- Supplying metrics and reports to senior leaders to facilitate informed risk acceptance decisions.
Being a security leader means recognizing that you will rarely be in the room when critical decisions are made. Risk-related decisions occur daily in many contexts across the organization, and no single leader can be present for all of them.
While we can hope for legislative advancements that elevate security roles, the reality remains that genuine change may be slow. To truly succeed as a security leader, one must empower others to take on leadership roles themselves, equipping them with the necessary resources and skills to make informed choices—and then allow them the space to act, even if it leads to failure. Embrace the concept of leading from behind, akin to a coach or mentor, and celebrate their successes as your own.
Chapter 2: Cultivating a Culture of Security
In the first video, "Achieving Cybersecurity Velocity: The Role of Culture and Leadership for Operational Excellence," the discussion centers on how cultural elements and leadership strategies can drive effective cybersecurity practices.
The second video, "How Do Cybersecurity Leaders Evolve Together in a Fast-Changing World?" explores how cybersecurity leaders can adapt and grow amidst rapid changes in the industry, emphasizing collaboration and shared learning as keys to success.