I’m kicking off my blog series, “Perspectives From A Former CISO,” with my thoughts on leadership. The series will pull from my experiences as a CISO and those of my peers. To be clear, I don’t purport to have all the answers but did learn a thing or two during my tenure leading teams over the past 28 years. Under my 10-year watch as CISO/CSO, I had an extraordinarily dedicated and tenured team and very low turnover — something almost unheard of in security.
Are there things I could have done better? Absolutely. Are there things I should have done differently? Without a doubt! However, I’d like to think I got a few things right along the way, and that’s the subject of today’s blog. Below are some of my core leadership tenets.
Follow The Golden Rule
Treat your team and employees the way you want to be treated. Sometimes the simplest concepts are the most powerful. Put another way, be the leader you would want. Stop and ask yourself how you would feel in a given situation and what you would look for from your manager; let that inform your actions.
Knowing what kind of a leader you don’t want to be can be just as impactful, if not more so. Jeff Pollard lays out six types of CISOs in his report, The Future Of The CISO — which type most closely matches you or who you aspire to be? Also, be observant. I always learned not just from those I worked for, both good and bad, but from those around me as well. See how teams react to certain actions and/or behaviors.
Understand That We All Make Mistakes!
Making a mistake is one thing, but how you handle it is another. Admitting it when you make a mistake can be uncomfortable; however, taking ownership and apologizing when needed can have a big impact on those around you. Your team will respect you for it, and it shows you are not infallible.
What doesn’t work and sows discontent is sweeping mistakes under the rug, pointing fingers, or (even worse) lying about it.
Sometimes it’s best to bring a beginner’s mind to situations. Regardless of your tenure, you can approach relationships and situations with the openness of a CISO in their first 100 days in a new role or organization.
Be A Decent Person
Closely tied to the Golden Rule, be a decent person, not just when things are fine; in fact, it’s most important when things are not ideal or okay. Case in point, I had a long-tenured employee whose spouse had a serious medical condition. This required frequent trips to the doctor and the hospital as well as extra time to generally help whenever he was needed. This individual was one of my hardest-working, most dedicated team members. He frequently worked late and on weekends, so anytime he needed time, my answer was always, “Of course!” When I departed the company last year, he made a point to tell me how much that really meant to him and his wife.
Perhaps this seems simple or obvious but, unfortunately, there are plenty of leaders out there who don’t handle situations like that well. Instead, they cite company policy chapter and verse. Yes, you need to work within the confines of said policies, but logic and common sense combined with empathy go a long way to building trust and dedication.
Praise In Public And Criticize In Private
This one carries a tremendous amount of weight. Calling people out in meetings is demoralizing and demeaning. This is a particularly caustic behavior that I have seen firsthand kill morale and lead to good people exiting the company. If you need to address an issue with an employee, do so one-on-one. Even then, choose your words carefully, based on the outcome you are hoping to achieve.
Trust Your Team — Don’t Micromanage
Assuming you have the right people in the right roles, trust them to do their job! If you can’t, then one or both of the aforementioned are invalid. I never micromanaged my team. I was there to provide advice, set direction, clear hurdles, enable them, and help them succeed. That doesn’t mean you don’t do a deep dive or ask questions when needed, but there is a difference between that and being too far in the weeds. Not to mention, if you are spending all your time micromanaging your team, when are you focusing on your goals and priorities like working with your peers in the business, working with sales, and advancing the visibility and maturity of the program?
Know That Not Everyone Wants Your Job
Some folks are genuinely happy in their role and the position they are in, and there is nothing wrong with that. Not everyone wants to climb the corporate ladder or wants your job. However, that doesn’t mean you shouldn’t challenge them or provide opportunities for advancement in individual contributor roles. Jess Burn addresses this in her report on security succession planning. I had an engineer who I knew had the skills to manage a team. They were, understandably, reluctant to make the switch. I armed them with all the information, good and bad, and let them make the decision. I was very clear that either choice was acceptable and, more to the point, if they decided to stay in engineering, it wouldn’t be detrimental to their career.
While a lot of what I covered in this blog may seem like obvious — perhaps even basic — advice, I can’t tell you how often these simple concepts aren’t followed, especially when things aren’t going well. I have witnessed a profound lack of the above and the detrimental ramifications on team and company culture, individual and team performance, and employee tenure.
As I stated in the beginning, I didn’t always “nail it” myself. I could have done better at all of the above, among other things. But I was blessed with a phenomenal team, and I’m thrilled to be working with yet another phenomenal team — one that I was closely tied to in my former role.
What’s different about Forrester’s Security & Risk research is that the entire stream is dedicated to security leadership and helping CISOs be effective in their roles. The Forrester High-Performance Security Program Model distills basically everything I’ve mentioned above into six actions to embed security into the foundation of the business. Check it out and stay tuned for my next installment in this series, and for great research on the role of the CISO, look to Security & Risk analysts Jinan Budge, Jess Burn, Jeff Pollard, and Madelein van der Hout.