Skip to main content

What is leadership anyways?

Security Leadership is what precisely? I ask the question because it is a concept I am wrestling with at this time. What does it mean to be a security leader? Is it merely leading a security department as an information security manager or at the enterprise level as a chief information security officer or chief security officer? Is it influencing an organization's security posture without having an official title?


Ultimately, leadership is about people. They said leadership is about getting people to work toward a common goal. The question is, are folks in those roles business leaders who are leading a technical portfolio, or are they technical leaders who enable the business to accomplish their goals?
It is likely security leaders are both, and often need to be both. They're technical leaders and business leaders. However, they require different leadership skills to be successful. The additional factor is what is the senior leadership need from their senior security folks. Answering this question is vital. The wrong person in this role can set by security efforts tremendously. If the top person can not influence or drive home importance of protecting the enterprise, it can lead to folks leaving. The prime example is the current White House Office of Chief Information Security Officer (OCISO).
Alexi McCammond got a hold of a memo written by a resigning Office of Chief Information Security Office. The author of the memo, Dimitrios Vastakis, was the former branch chief of the White House computer network defense.  Vastakis alleges in his resignation that senior leadership of the white house is pushing out staff members by "revocation of incentives, reducing the scope of duties, reducing access to programs, revoking access to buildings, and revoking positions with strategic and tactical decision making authorities." (McCammond, 2019)


This illustrates the need for understanding the organization's culture and how it might impact the security mission. Given the nature of this White House and the political climate, the security leaders who are responsible for this, probably need to have more persuasive political skills than someone who may work in the private sector. Some of the issues may be that the OCISO may be facing is part of the fact they were moved to reporting under the Office of the Chief Information Officer, reducing their access to the senior White House management. The potential impact of this is catastrophic as this office is responsible for protecting the president's information network.
However, if the security leaders can't provide a business justification for the organization to support the organization's security, they won't be effective in their job.  The other concern is that if the White House, which sits atop the Federal Government agency mountain isn't focusing on cybersecurity, how can we expect private sector organizations to do so.
This opportunity illustrates the importance of soft skills and their impact on cybersecurity. To get back to the original question of what is Security Leadership, I think it is the ability to influence the organization so the security department can support the mission. Many technically strong security folks will tell you the most crucial need of a security leader is their technical skills.
In many ways, this argument reminds me of the discussion around Steve Jobs and Steve Wozniack. As an Apple fanboy, many in my circle celebrate Steve Jobs as he was heavily responsible for Apple's initial creation of the eighties and the resurgences in the late nineties. Job's critics accuse him of profiteering on Wozniack's work. While it is true, Woz built the original Apple computer, and I would argue that neither one would have succeeded without the other.


Indeed, Jobs' soft skills weren't the best, and I recognize that it was an understatement. It is one thing to be a technical wiz and build the better computer, but if no one buys it, then is it the better computer? Most people would say no. However, the cybersecurity department can build as many technical controls as they would like. Still, if the business is continually getting exceptions or working around the restrictions, then the controls are a waste of resources. Moreover, the company will encounter a tougher time in accomplishing its objective.
As junior and mid-level cybersecurity professionals begin to explore leadership roles in the security industry, I believe they will need to understand what leadership is. However, they will need to recognize their leadership style, their strengths and weaknesses, and what kind of organizational culture they will need to be successful leaders. Once they have identified those items, they should look for roles and opportunities where they can either train to improve them. These opportunities can include training around soft skills and business management. By continually learning and teaching about all aspects of the job, we can build a qualified and competent bench of security leaders for the future.

Comments

Post a Comment

Popular posts from this blog

Week 6: Spectre and Meltdown Fallout Continues.

By this time, many of you have heard about the Spectre and Meltdown vulnerabilities of which a lot of machines are susceptible. Most of the major parties involved have provided fixes through various patching means. However, there is still significant fallout due to this gap. Intel is now reporting their firmware patch is causing updates on some of the new chips they have produced. "Firmware updates were causing problems with Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake." (Schwartz, 2018) This flaw is causing frequent reboots and instability in those chips. Additionally, Intel is behind in getting their firmware updates to the various vendors. Some of the major brands which are affected by these gaps are still feeling their way around this and trying to ensure they patch appropriately. It is likely we will see higher than normal OS updates for most folks when it comes to their computers, tablets, and smartphones. However, the big concern and part of the reason this g...
Post a Comment
Read more

Week 2 Blog: Apple's Recent Software Security Issues

Recently, my favorite tech company has been in the news for some very significant security gaps in their applications. Apple has long been branded as very secure software. Frequently, people will say they just don't get a virus. However, there was a security gap that impacted the Macs, which were using their latest software - High Sierra. This vulnerability allowed root access to any machine running this software. Various sites such as "The Verge" indicate using root to access these machines allow elevated privileges on the machine. It could be used to change Apple ID emails as well as user passwords. The gap presented a huge dent in Apple's reputation on security. Part of it was the way it was announced- the person who discovered the vulnerability publicly disclosed it on twitter. Interesting enough, Apple has a bug detection program in which they pay for any gaps in their software. Even more recently, a new vulnerability was discovered in Apple's Home Kit...
Post a Comment
Read more