With 25 years of experience working with security teams, I have had the fortune to witness both successful security programs as well as dysfunctional ones. Consistently, effective security programs have strong leaders.
So, what makes a great security leader? It is not hacking skills or the ability to drop to the command line. While technical skills help leaders build credibility, leadership is more about working with people than about encryption protocols. I have cataloged ten qualities that great security leaders tend to embody.
Successful security leaders always seek ways to enable people to effortlessly follow good security practices. They listen and show genuine concern and empathy for co-workers. They work diligently to build security controls and practices that balance the needs of the organization with the needs of everyone. They earn the respect of their organization through engagement and collaboration.
Conversely, unsuccessful security leaders are distant. They are either “enforcement-minded” tyrants who demand authority or glad-handers who care only about who they know. They do not earn respect, which leads people to dislike them and bypass their security policies.
Security works when everybody shares a common vision and goal. Successful security leaders share security plans and ideas freely throughout the organization, preferring transparency over secrecy. When they cannot share, they are open about the reasons why information must be kept private.
Unsuccessful security leaders shroud their efforts in secrecy and refuse to share. This is usually because they lack confidence in themselves and fear having their weaknesses exposed. Their secrecy and isolation erode trust and foster suspicion among co-workers.
All great leaders have a clear vision for the future. Successful security leaders regularly express this vision and anchor it to the organizational mission.
On the other hand, unsuccessful security leaders ignore the big picture. They focus on checking off requirements or “making problems go away,” typically because they do not know how to integrate organizational goals with security needs.
Successful security leaders cultivate high-trust environments. Security is ultimately about who and what you can and cannot trust. Building a solid security program means having a clear set of trust expectations and holding people accountable to those expectations. When trust is broken, the relationship (whether it is personal or technical) is severed. High-trust environments do not need heavy-handed enforcement, because the people in them naturally adhere to good security protocols.
Immature security leaders are paranoid and adopt a “trust nobody” mentality. This creates an environment of hostility, secrecy, and aggression, which erodes trust and cultivates resentment toward security protocols.
5. Vendor Savvy
Successful security leaders build a security operations practice that maintains a healthy and respectful relationship with technology vendors. The acquisition of new technologies is based exclusively on detailed business requirements. Successful leaders also pay very close attention to the total cost of ownership of new technologies, including the resources necessary to operationalize and manage them. Sales people from vendors or resellers are kept at a distance and not allowed to manipulate the security team’s focus.
Conversely, unsuccessful leaders are always grasping for the newest technologies, but rarely make the effort to integrate them. Vendor sales people easily manipulate them into buying technologies that are beyond their maturity level, ultimately leading to wasted resources.
Great leaders keep their security efforts focused on threats that are most likely to affect the organization. Consequently, they build rational strategies to reduce the likelihood or impact of those threats.
Unsuccessful security leaders are obsessed with extremely unlikely, sensationalist threats, like medical device hacking. They will use these sensationalist threats as justification for implementing outlandish practices or controls which distract the organization from the real safeguards they need.
7. Higher Calling
All great leaders have a higher calling, and this is no different for security leaders. There is more at stake than just defending the business or meeting compliance regulations. Successful security leaders ground all processes, practices, and controls in the values of the organization. When new practices are needed, they are developed to align with those values, not in spite of them.
Weak leaders lack a higher calling. Security is just another job for them. All they care about is passing audits and protecting their image.
8. In the Game
Security is a game of details and complexity that demands constant vigilance. Great security leaders are regularly involved in the daily, operational details of their security program. They routinely collaborate with their team on the technical details of controls like firewalls and intrusion detection systems. Moreover, they are not afraid to jump in and coach the team when appropriate.
Meanwhile, weak security leaders are always too busy attending meetings, conferences, or vendor lunches to be bothered with the daily routine of protecting their organization. When they do attempt to get in the game, it is disingenuous and micro-managerial, which leads to resentment and frustration among the team.
9. Risk Management Mindset
While great leaders have an intimate relationship with failure, great security leaders have an intimate relationship with risk. They understand that risk is a normal part of the job. They have a proper view of risk, as an assessment of threat based on reliable data. These leaders consistently work to understand, contain, and manage risk using tangible and practical controls.
Weak security leaders are afraid of risk and the discomfort it causes. They seek out “silver bullets” for risk that promise “peace of mind” rather than actually reducing the risk.
10. Crave Feedback
Building a strong security practice requires relentless testing and evaluation of the effectiveness of controls and practices. Successful security leaders aggressively evaluate their security with thorough, independent, and detailed testing. Every penetration test or audit is seen as a chance to improve and mature.
On the other hand, unsuccessful security leaders are ultimately insecure about their program and do not want honest feedback. As such, they seek out testing vendors with a reputation for being quick and inexpensive. They prefer “checkbox audits” conducted through online portals over honest assessments from skilled practitioners.
Ultimately, great security leaders are people whom you can trust. They do not brag about their time at BlackHat or foam at the mouth about the latest hack. They are rational, reasonable people who are always learning, growing, and striving to improve themselves and the quality of their organization.