What makes a successful IT security leader? Intelligence, experience, integrity? With 20 years of experience working with security people, I’ve had the fortune to see both highly successful security programs as well as highly dysfunctional ones. The successful teams overwhelmingly have a common set of qualities, which are often common to great leaders in other positions as well.
However, it is important to note that “successful” does not necessarily mean working at a large company or having great fame. Some of the most successful security groups I know have modest budgets and minimal fame. The ultimate measure of a successful team is how well they protect the business and its information assets.
In this article, we look at the top ten qualities of successful IT security leaders, as well as contrasting those qualities with the behaviors of unsuccessful or immature leaders.
Qualities of Successful IT Security Leaders
- Enablers – Successful IT security leaders always seek ways to enable people to effortlessly follow good security practices. They listen and show genuine concern and empathy for co-workers. They work diligently to build security controls and practices that balance the needs of the organization with the needs of each individual or team. They earn the respect of their organization through engagement and collaboration. Conversely, unsuccessful IT security leaders are distant, “enforcement-minded” practitioners who demand the authority to force people into compliance. They do not earn respect, which ultimately makes people dislike them and bypass their security policies.
- Transparent – Security works when everybody shares a common vision and goal. Successful IT security leaders share security plans and ideas freely throughout the organization, preferring transparency over secrecy. When they cannot share, they are open about the reasons why information must be kept private. Unsuccessful IT security leaders shroud their efforts in secrecy and refuse to share. This is usually because they lack confidence in themselves and fear being exposed for their weaknesses. Their secrecy and isolation erode trust and foster suspicion among co-workers.
- Visionaries – All great leaders have a clear vision for the future. Successful IT security leaders regularly express this vision and anchor it to the organizational mission. On the other hand, unsuccessful IT security leaders ignore the big picture. They focus on checking off requirements or “making problems go away,” typically because they do not know how to integrate organizational goals with security needs.
- Trustworthy – Successful IT security leaders cultivate high-trust environments. Security is ultimately about who and what you can and cannot trust. Building a solid security program means having a clear set of trust expectations and holding people accountable to those expectations. When trust is broken, the relationship (whether it is personal or technical) is severed. High-trust environments do not need heavy-handed enforcement, as they naturally adhere to good security protocols. Immature IT security leaders are paranoid and adopt a “trust nobody” mentality. This creates an environment of hostility, secrecy, and aggression which erodes trust and cultivates resentment toward security protocols.
- Vendor Savvy – Successful IT security leaders build a security operations practice that maintains a healthy and respectful relationship with technology vendors. The acquisition of new technologies is based exclusively on detailed business requirements. Successful leaders also pay very close attention to the total cost of ownership of new technologies, including the resources necessary to operationalize and manage the technology. Sales people from vendors or resellers are kept at a distance and not allowed to manipulate the security team’s focus. Conversely, unsuccessful leaders are always grasping for the newest technologies, but rarely make the effort to integrate them. Vendor sales people easily manipulate them into buying technologies that are beyond their maturity level, ultimately leading to wasted resources.
- Practical – Great leaders keep their security efforts focused on threats that are most likely to affect the organization. Consequently, they build rational strategies to reduce the likelihood or impact of those threats. Conversely, unsuccessful security leaders are obsessed with extremely unlikely, sensationalist threats, like medical device hacking. They will use these sensationalist threats as justification for implementing outlandish practices or controls which distract the organization from the real safeguards they need.
- Higher Calling – All great leaders have a higher calling, and this is no different for IT security leaders. There is more at stake than just defending the business or meeting compliance regulations. Successful security leaders ground all processes, practices, and controls in the values of the organization. When new practices are needed, they are developed to align with those values, not in spite of them. Unsuccessful leaders lack a higher calling. Security is just another job for them. All they care about is passing audits and protecting their image.
- In the Game – Security is a game of details and complexity that demands constant vigilance. Great IT security leaders are regularly involved in the daily, operational details of their security program. They routinely collaborate with their team on the technical details of controls like firewalls and intrusion detection systems. Moreover, they are not afraid to jump in and coach the team when appropriate. On the other hand, unsuccessful IT security leaders are always too busy attending meetings, conferences, or vendor lunches to be bothered with the daily routine of protecting their organization. When they attempt to get in the game, it is disingenuous and micro-managerial, which leads to resentment and frustration among the team.
- Respect Risk – While great leaders have an intimate relationship with failure, great IT security leaders have an intimate relationship with risk. They understand that risk is a normal part of the job. They have a proper view of risk, as an assessment of threat based on reliable data. These leaders consistently work to understand, contain, and manage risk using tangible and practical controls. On the other hand, unsuccessful IT security leaders are afraid of risk and the discomfort it causes. They seek out “silver bullets” that promise “peace of mind” rather than the actual reduction of risk.
- Crave Feedback – Building a strong security practice requires relentless testing and evaluation of the effectiveness of controls and practices. Successful IT security leaders aggressively evaluate their security with thorough, independent, and detailed testing. Every penetration test or audit is seen as a chance to improve and mature. On the other hand, unsuccessful IT security leaders are ultimately insecure about their program and do not want honest feedback. As such, they seek out testing vendors with a reputation for being quick and inexpensive. They prefer “checkbox audits” using online portals rather than honest assessments from skilled practitioners.
Ultimately, great IT security leaders are people whom you can trust. They do not brag about their time at BlackHat or foam at the mouth about the latest hack. They are rational, reasonable people who are always learning, growing, and striving to improve themselves and the quality of their organization.