In my last piece, I discussed 10 signs of a poor security leader. I was glad to see that the piece resonated with people. The two main types of feedback I received were:
- These signs don't merely apply to security leaders — they apply to all leaders. (This is indeed the case, though since my experience is mainly in the security field, I didn't want to suppose and generalize without firsthand evidence.)
- It would be good to write a piece in the positive — 10 signs of a strong security leader. (I agree.)
So how can organizations know and appreciate when they have a strong security leader in place? Here are the top 10 signs.
1. Strategic thinking and planning: Security organizations need guidance and direction from a strong leader. That leader should prioritize the risks and threats that are of the utmost importance to the business and then devise a strategy to mitigate those risks and threats. That strategy should result in a number of initiatives designed to improve the security posture of the business. The security team should gear up to implement those initiatives, staying true to the strategy and plan along the way.
2. Slow and steady wins the race: A strong leader brings a strategic and methodical approach to security. With that approach, progress can be made toward goals and objectives. This means staying focused, even when a bright, shiny object comes into view. As tempting as it may be to run after that new distraction, it will only serve to impede progress on what the security organization has decided are its most important areas of focus. Of course, the team should adjust course as necessary, in an informed manner, based on data. What they shouldn't do, however, is pivot frequently based on the item du jour.
3. Everything is well-documented: I had a boss once who said, "If it isn't written down, it didn't happen." He was absolutely right. Whether it be a strategy, plans to implement strategic initiatives, processes, playbooks, or anything else, everything should be well-documented. The strong security leader will instill a culture of openness and transparency that will encourage the security team to document things well. This is not only good for morale and for the security posture of the business, it has the added benefit of allowing for policies and processes to be reviewed and constructively critiqued so they can be improved.
4. Actions speak louder than words: Lots of people can talk the talk. But how many people can walk the walk? A strong security leader knows they will be measured by their actions and the results they bring, rather than the words they speak. As such, they are pragmatically focused on moving the state of the security program forward on all fronts. They show their leadership, strategic thinking, and ability to plan and execute well through action rather than words.
5. Excellent communication skills: Good ideas, great plans, terrific accomplishments, and significant progress cannot help the security team show its value unless they are communicated well. A strong security leader understands this and spends time understanding different issues and topics in depth. They use this understanding to accurately and effectively communicate as necessary to ensure that the security team's efforts are understood well, that the business understands how and why to cooperate with security, and that the team's accomplishments are appreciated.
6. Nurtures and promotes talent: Great security organizations have great people. Great people stick around a security organization when they believe in the mission, when their skills continue to develop, when they are challenged with interesting work on a daily basis, and when they have confidence in their leadership. A strong security leader creates this type of environment to nurture and promote talent. This allows them to build great teams.
7. Selflessness: A strong security leader puts the team and mission first. They are selfless. They take the blame when something goes wrong, and they give the team credit when something goes right. This noble conduct goes a long way toward building confidence among the security team and across the broader business. It also inspires others to give of themselves for the good of the team and the mission.
8. Makes decisions in a timely manner: It is not always easy to make a timely decision. We don't always have all the information we might want in order to make a decision. We also don't always know whether we are making the right decision. A strong security leader understands that indecision creates an environment of paralysis, which is never good for the security posture of the business. As such, they take educated, calculated risks and make tough calls for the good of the team.
9. Answers any questions directly: Some questions are tougher than others. No matter how tough the question, however, a strong security leader knows it needs to be answered directly. This creates an environment where truth and transparency are the prevailing winds and where any questions, even the tough ones, can be asked. That type of environment is a critical part of a solid security program.
10. Gives credit: Strong security leaders aren't worried about getting press and lauds for their actions and accomplishments. They are happy to let the data, numbers, and results speak for themselves. As such, they aren't afraid to give credit where credit is due, whether it be within the security team or elsewhere in the business. This, in turn, builds trust and encourages people to work on what the security leader deems important. All of that is good news for the security organization as it works to improve the security posture of the business.
In the time of the Great Resignation, organizations can control some factors that contribute to losing employees. By looking for and retaining strong leaders within their security teams, organizations can grow and keep a motivated and fulfilled security team. This facilitates lowering the rate of attrition to a manageable level and helps security teams work more effectively to improve their organizations' security posture.