
Gatekeeping and Security Leadership

Security leadership is a topic that generates a significant amount of discussion among executives, consultants, and academics. In the interest of adding something new to that discourse, I'd like to discuss leadership and how authenticity, imposter syndrome, and other social anxieties affect diverse security professionals who are trying to lead and shape this growing profession.
Most of the folks at the senior levels who can influence these things recognize there is an issue. The challenge in handling it lies in understanding how biases influence decision making. Silicon Valley is still working out what diversity means; security leaders need to go a step further and understand what benefits and opportunities diversity offers the security function. As leaders seeking to develop a leadership philosophy, we need to make sure we include this.
Recently, a quote from Max Levchin, a founder of PayPal, speaking to a class about starting a new company, began making the rounds: "The notion that diversity in an early team is important or good is completely wrong. You should try to make the early team as non-diverse as possible. There are a few reasons for this. The most salient is that, as a startup, you're underfunded and undermanned. It's a big disadvantage; not only are you probably getting into trouble, but you don't even know what trouble that may be. Speed is your only weapon. All you have is speed."
This statement raises the question: is it better to get to market faster, or is it better to have a diverse team? Levchin would seem to argue for the former. The problem is that working with friends isn't scalable. As security leaders, our job is to identify and mitigate risk, and that core part of our job needs, if not requires, diversity of thought.
Levchin goes on to describe a couple of situations where candidates were either hired and didn't work out or weren't hired because they didn't fit into the PayPal culture at the time. He describes that culture as an "odd mix of nerdiness + alpha maleness." Some have dismissed this as one man's perception of building a company, but this isn't just an average joe. Levchin is part of the "PayPal Mafia" and has gone on to build other companies with varying success. It is likely that his view has been promulgated throughout Silicon Valley on the strength of that success.
Moreover, this perception and gatekeeping aren't unique to PayPal. Gatekeeping is limiting access based on not belonging to a specific community or not sharing its identity. Subcultures often use gatekeeping to preserve the purity of the subculture. The problem arises when these subcultures become the dominant culture in many enterprises and don't recognize their own biases. These biases show up in the data: people of color and women often hold more certifications and education than their peers at the same level. "Minorities who have advanced into leadership roles often hold higher degrees of academic education than their Caucasian peers who occupy similar positions; of minorities in cybersecurity, 62% have obtained a master's degree or higher, compared to 50% of professionals who identified as White or Caucasian." This statistic comes from a study done by (ISC)² in partnership with the International Consortium of Minority Cybersecurity Professionals (ICMCP).
The same study states that 23% of people of color are in leadership roles, defined as director level or above. If most of the security leadership roles that shape an organization's culture aren't diverse, why would middle management support diversity efforts?
The fallacy in assuming that people who are similar can deliver faster is that thinking alike can produce significant rework. Security professionals with different professional and personal experiences build a better team and a better product; they complement each other by seeing both the short-term and the long-term processes and goals. It is true that there will potentially be more interpersonal conflict, but once those conflicts are resolved, the team should perform at a higher level. Levchin even admits this, unwittingly: "It turned out that scaling up would be very challenging for PayPal because the 26-year-olds who were managing hundreds of thousands of credit cards didn't make all the optimal choices from the beginning. But there was great clarity in the early communications."
As security leaders, we need to recognize our own biases. First and foremost, this helps us staff our organizations with security professionals who can help us manage and mitigate risk. Knowing our biases also helps us lead better in other ways: interacting with external team members, identifying how to communicate better, and articulating risk more clearly. While our biases make us who we are, understanding them ensures we lead in an authentic, non-toxic way.

Security Leadership is what precisely? I ask the question because it is a concept I am wrestling with at this time. What does it mean to be a security leader? Is it merely leading a security department as an information security manager or at the enterprise level as a chief information security officer or chief security officer? Is it influencing an organization's security posture without having an official title? Ultimately, leadership is about people. They said leadership is about getting people to work toward a common goal. The question is, are folks in those roles business leaders who are leading a technical portfolio, or are they technical leaders who enable the business to accomplish their goals? It is likely security leaders are both, and often need to be both. They're technical leaders and business leaders. However, they require different leadership skills to be successful. The additional factor is what is the senior leadership need from their senior security...