The qualities of high performing security staff

The speed and reliability at which a CISO can deliver a security strategy depends heavily on the culture and characteristics of the teams and individuals that make up the security organization. It is for this reason that attracting and retaining highly effective security folk is paramount in order to build and run a security organization that is able to deliver what the business wants, in a world where businesses are increasingly wanting more from their security teams.

So what makes for high performing security folk? I was talking to another CISO the other day who said to me; “some of my best security hires have been people from non-security backgrounds”. I’ve also observed the same thing. Why is that? Well, these people often come into the field with a set of soft capabilities that are equally as important as typical security technical skills. These soft skills are what allow them to really make an impact in the security space. So what are these ‘soft skills’?

After hiring & managing performance in this space for a while, my observation is that some of the key soft factors for success are the following traits, in no particular order:

Care & ownership

The first trait is to have a high degree of personal accountability & care. This deserves a blog post on its own, but a few examples that come to mind are:

Taking care to perform work to a high standard. This is not just about ensuring that processes are followed correctly, documentation is well written and that communication is effective, it’s also about going demonstrably above and beyond to serve & support other stakeholders.

When mistakes are made – if a failure occurs, take ownership immediately. Shifting blame or making excuses is going to end badly for everyone involved. Taking ownership of our own failures shows that our primary interest is in learning from mistakes – rather than hiding problems. The organization and the team can only win if we collectively own our mistakes, both as individuals and as a team.

Pragmatism

Deciding what not to do is as important as deciding what to do.

This is about taking the path of least complexity and being realistic about what is possible and how it can get done. Sometimes things can be done quicker and more efficiently if we give it more thought. Sometimes, we have to make hard decisions to say “no” to something in order to succeed. 

In practice, this could be about accepting that businesses are rarely in a “blue sky” situation and, rather than investing energy in making the impossible possible, focussing on changing the things that we have control over. Over the course of my career, I’ve seen engineers invest too much emotion into wishful thinking and less emotion into accepting reality and getting on with solving the problems that we can control. Being heavily grounded in reality is important. That’s not to say that we shouldn’t be visionary – to the contrary – vision is essential if we want to succeed, however vision and reality need to work together, not against each other.

Optimism

Is the glass half-empty or half-full?

Putting aside the security context for a moment, psychology studies have repeatedly found that people who face challenges with optimism are more likely to succeed in overcoming those challenges, while those who face challenges with default pessimism are more likely to fail.

An optimist will always seek to make something good, even in a bad situation, and security can potentially be overwhelmingly negative if we allow it to be. It’s not good when you see a security culture that is underpinned by a persistent sense of pessimism – this is demoralizing and unsustainable.

Those who succeed in the security space, in my experience, are those who come into work with a sense of implicit optimism and their optimism is applied to their work; spread across various projects, team interactions and whatever challenges that they may face throughout their employment.

Courage & Fearlessness

What are you looking at – a mountain or a molehill?

Sometimes people get hung up on “big problems” when in fact solving the problem is not quite as insurmountable as it may seem. Sometimes anxiety can get in the way and create a bigger-than-necessary psychological barrier.

Security is full of all kinds of challenges and pitfalls and so this is not to say that we should be willingly naive about the impact of threats and risks, but rather that we should be prepared to face them fearlessly, without intimidation. Being educated about the risks is important and fearlessly seeking to solve problems & mitigate risks is equally as important. 

Organization

Delivering any project, large or small, requires some level of personal organization and those who are exceptional at organization tend to be exceptional at delivering larger pieces of work or strategies. 

This is especially important in security for two reasons; firstly, security teams need to move quickly and this is more likely to happen when they are well organized. Secondly, security risks are complex, touching on so many facets of an organization, and that kind of breadth can’t possibly be managed effectively without some level of organization.

So having the ability to reach out, grab complexity and chaos and seek to simplify it by structuring it quickly is a really important attribute; I’ve seen some people do it faster than others and subsequently bring more effective and lasting change to an organization, faster. 

Communication

Communication is like a magic wand and some people wave the wand to great effect. How we communicate directly impacts the ability of an individual, a team and the whole organization to succeed. Some examples of excellent communication include:

  • The ability to listen.
  • The ability to communicate technical concepts in a simple way – this is especially important when communicating to non-technical stakeholders.
  • The ability to communicate risk in a way that the audience understands and appreciates
  • The ability to actively manage perceptions of stakeholders and staff.

Humility

Treats the janitor with as much respect as the CEO. 

Those teams that move quickly and get more done are teams that embrace and support diversity and psychological safety. A key ingredient for psychological safety is to have people who are not invested heavily in defending their own self-importance but rather are genuinely interested in the success and growth of others and are willing to learn from others. For this to happen, humility needs to exist.

In practice, people who exhibit humility are more willing to listen and take advice from the team and seek to empower the team as a whole. They are more likely to be a supportive and helpful presence when something goes wrong and they are far more likely to build trust with others, because less effort is invested in protecting self-importance, which can be an inhibitor for building trust & collaboration.

Transparency

For a team to be able to make informed and effective decisions quickly, a high degree of transparency needs to exist to allow information to flow freely. If an individual deliberately obfuscates to protect turf, perceived dignity or perceived reputation, this will slow or inhibit the flow of information, which will degrade the ability to make effective decisions or even result in the wrong decisions being made and a wild goose chase unfolding. This is a nightmare scenario when resources are limited and pressure is high to move quickly.

The Security Organization

Over the coming months I’ll be writing a series addressing key challenges that CISOs face – challenges that security folk typically don’t get trained on – and how I personally solve these as a CISO. I hope this will be a source of inspiration for other CISOs and, at the very least, a useful resource for others who are starting to move into this space.

I’ll be covering topics such as designing an organizational structure, optimizing the organization, effective strategy & planning, winning over the business, staff attraction & retention, the mindset of a CISO & much more. 

Organizing the security organization 

The first topic I want to consider is organizing the organization. For the purposes of this post, when I talk about “the organization” I’m referring to the teams that the CISO has line management of – not the rest of the business. As CISOs we will typically end up running an organization which is made up of a number of internal experts & outsourced partners. I run an organization which is made up of experts in application security, penetration testing, cloud security, data privacy & protection, security operations, infrastructure security, compliance & assurance and more. Managing an organization is not – in and of itself – a unique task, however deploying an organization to reduce complex risk as efficiently as possible is nothing less than a work of art.

The challenge many CISOs have is to ensure that the organization is appropriately structured in terms of size and capability in order to deliver the security & privacy strategy for the organization and its customers. The strategy will almost always include risk reduction, which can manifest in a diversity of programs and initiatives across the business that impact the enterprise and any products or services sold by the business. In addition, a strategy may also involve ensuring that customers have true agency over their data (privacy), that customers have assurance in the services or products provided by the business and that investors know they are buying an asset that they can have confidence in. In practice, deploying an organization to facilitate these things can be a very complex task, and so it is absolutely essential that the CISO is able to regularly assess the performance of their own organization to ensure it is optimally delivering value to the business.

So if keeping the security & privacy organization performing at peak is so important, how do we do it? In order to remain optimal, here are a few essential characteristics that the organization needs to be – or have:

Extrospection

The first characteristic is extrospection. The organization must be structured to systematically maintain a high level of awareness of the external environment. This can include awareness of external risks & threats, threat actors, industry trends, market competition, the broader organization, emerging technologies, modern architectures and so much more. This should be both an individual & cultural imperative and also something that is systematized across the organization. Without this information, the organization will fail to understand which threats are meaningful, which competitors pose a risk, which emerging regulations will impact the business, which industry trends can be exploited and how to effectively influence the broader organization – amongst other things. Without awareness of the external environment, the organization will lose its identity, purpose and grasp on reality, and this will result in a failure to deliver the strategy and add meaningful value to the business. Unless such awareness is carefully systematized and infused in culture across the security & privacy organization, the outcome could become existential – for the business and/or the CISO!

Empowered

The organization needs to have the power it needs to carry out the strategy. In practice, this means the organization needs to be resourced appropriately, partnered well, that the right levels of governance, leadership and sponsorship are in place – and that the entire security organization has trust of the business. The CISO needs to ensure that no parts of the org are spinning wheels and that when spinning wheels are encountered the problem is quickly addressed so that the rubber can once again hit the road.

Trusted

Trust is not just something the CISO needs to build personally, it’s something that needs to exude from the organization. When partners, external stakeholders, customers or prospective employees look into a security organization, they need to feel they can trust it. 

Engineering trust happens from the ground up – it doesn’t happen using the :wave hand: emoji. Trust is built every time you introduce or adjust a process; it’s built every time you implement or change a system; it’s built or lost every time you make a change to the organizational structure. 

As a CISO, trust is scrutinized and subsequently won or lost with every single word you use and every single action you take. Likewise, this applies to the security organization overall. To use an analogy, the security organization has a ‘trust bucket’. Every day, the org performs thousands of interactions with stakeholders (process & system interactions, staff communication, etc). Every interaction has an effect on your organization’s trust bucket. Either someone (i.e. an individual or team) or something (i.e. a process) is spending that trust – or they are earning it. As the trust bucket depletes, the level of noise increases, degrading the ability of the organization to meet its operational and strategic objectives. As the trust bucket fills, the reverse happens and the organization is celebrated.

A key ingredient I use for building a highly trusted organization includes attracting, retaining and building field experts/leaders who are effective communicators, humble (low-ego) and who embrace a culture of psychological safety. 

Agile

The external environment is constantly changing; new threats, new vulnerabilities, new geopolitical challenges, new regulations, new frameworks. Not only this, the broader business will also experience changes in pursuit of its mission. As these changes happen, the security organization needs to be able to pivot and adapt quickly in order to exploit both tactical and strategic opportunities. This is a working philosophy that individuals need to be personally invested in, as well as something that needs to permeate the org structure & culture.

Agility & change is usually accepted more readily when the ROI is clear. Articulating the ROI is something that organizational leaders need to be in the habit of doing in order to drive the change that is needed.

Capable

The organization needs to have the right set of capabilities in place to support the delivery of the strategy. This is not just referring to technical or SME capabilities (which are important) but also soft capabilities such as the ability to communicate powerfully, the ability to influence, personal resilience and more. 

Understanding who should do what, which capabilities are deficient and how to rectify this is something on which only the CISO can have the final say.

Tuned

Finally, the CISO needs to treat the organization like a living, breathing organism – it needs constant care & constant tuning. The CISO needs to understand current and emerging threats to the organization itself, and also emerging constraints on any of the above, to ensure they are managed before it is too late.

As part of this, CISOs need to consider:

  • The management of the supply and demand of resources. There is a great article covering this by Google Cloud’s CISO Phil Venables which goes into a bit more detail on this in the context of security budgets.
  • Regulating the speed of systematization – sometimes teams & services need more systematization, sometimes they need less. The CISO needs to ensure that the organization is maturing and growing at a practical and sustainable rate. Striking a balance of investment here is important. Doing things for the sake of doing them is wasted investment.
  • Ensuring that the organization structure is actually delivering the outcomes needed by the business. Tracking this with metrics is a great way to monitor it. I’ll write a separate post later on what metrics can be useful in this context.

Dealing with stress as a security leader

Over the last few months I’ve been asked by multiple people how I deal with stress. This is no surprise – it is well documented that Chief Information Security Officers and many other security professionals have a uniquely stressful line of work.

Security leaders have all kinds of challenges to deal with in the course of protecting their business and its customers. The stakes are especially high when protecting not just information, but people’s lives and/or quality of life.

In order to be effective, security leaders need to manage risk in extremely complex environments. This responsibility can extend to managing teams, creating vision, inspiring change, negotiating with stakeholders, organising systems, people & work, planning how to execute on the vision and lots more. In so far as management goes, this is nothing particularly new.

However, security leaders have a pivotal role in protecting the organisation and its customers from crisis; cyber attacks have a way of choosing the least opportune moment to strike and when they do, security leaders are on the hook. Security leaders are scrutinised by their ability to protect and lead the organisation both from crisis and at a time of crisis.

To compound this, global security is declining. International cyber-crime groups are flourishing with impunity in places like Russia. Geopolitical alliances are sharply polarising with the risk of collateral damage of cyber-warfare spilling over and impacting western businesses. Both threats present a very real risk to western businesses, and the lives and livelihoods of people in the west.

So I reflected on the question that was posed to me – “how do you do it?”

For me personally, the last few months have been especially crazy. My wife has been in hospital several times. We’ve had a fourth child and we’ve had limited sleep. Believe it or not, that’s not the challenging part.

The really challenging part for us has been supporting our kids – we now have 4 children, two of whom are high functioning ASD. Anyone who has experience with ASD will be familiar with the hour by hour challenge of dealing with emotional dysregulation and typical challenges associated with challenged executive function. This can be relentless and thoroughly exhausting for the child/ren and the parents.

So, on reflection, there is no shortage of stressors in my personal and professional life. So to answer the question, how do I manage it?

Perspective & purpose

What’s important in life?

For me it’s my family and my future. As much as I love my work and the team at work, I have a very clear purpose and future for my life that doesn’t include work. That’s not to say that I slack off at work – quite the opposite, I’m known for being motivated, focussed and hard working. But work isn’t the end-goal for me. I’m invested in doing a great job, but far more invested in my future & purpose. Unfortunately too many people conflate these things.

Meditation

I meditate every day – it clears my mind and brings me a profound sense of peace – even after a harrowing day. Meditation takes many different forms – my meditation consists of reading through the Bible, understanding it and deriving meaning and purpose.

Allocating time to meditate is essential in order to have a mind that is clear and effective. Research has shown that meditation is especially helpful for anyone struggling with anxiety or other mental health issues which typically amplify stress.

Compartmentalisation

When I switch off work, I try to switch off properly. Research has shown that this is an extremely effective way of dealing with stress. I do this in a few ways.

  • I use the focus feature on my mobile phone to control who/what can contact or send me a notification and when. This does things like block calls during dinner time so that we can share an uninterrupted family dinner.
  • When I finish work, I leave my phone in my room and only use my Apple Watch for minimal interaction with notifications.
  • If I work after-hours, it’s usually only on the condition that it will not result in unmanageable stress or conflict with other personal matters which would otherwise increase stress.

Delegation

I push work to trusted individuals. If you haven’t built a team that you trust as a security leader, you need to build a trusted and competent team so that you can delegate. Building trust in your team can only happen if you have the right culture.

Prioritisation

Across the industry, security people often have XXX hours worth of tasks that need to be done in a day.

Constantly stepping back, reassessing and splitting my work 80/20 is important. I can’t do everything, so I pick what I colloquially call “the burning priorities”. Of those that don’t make the cut, some get delegated to other trusted individuals and others I’ll defer or push back on.

Improving – or implementing – the systems and/or processes that are needed to manage the flow of work in the organisation is also an effective way to ensure that prioritisation and focus are correctly systematised.