The role of the modern-day security leader has changed quite a bit over the years, and that’s primarily tied to the evolving threat landscape, coupled with advancements in technology. But when you focus solely on leadership, have today’s security leaders managed to step up to the plate and deliver on that aspect when compared to other areas tied to the role? One industry veteran and current infosec leader doesn’t seem to think so.
There are examples of great leadership in security throughout the globe, but for the most part, there’s a lot of work to be done for today’s security leaders to create an “ideal state” for their security departments, and it’s not all on them, according to Malcolm Harkins, chief security and trust officer at Cylance.
InfoSec Insider recently caught up with Harkins before he heads to Jacksonville, Florida for the big IT Security Leadership Exchange, where he’ll be presenting on this topic.
InfoSec Insider: At SLE your talk will be covering leadership. It seems like it’s a topic that you’re pretty passionate about based on your previous experience. You’ve seen how this space has evolved, especially from a management level. What about this topic attracts you to it?
Malcolm Harkins: Well, there are two aspects to it. I’ve always been focused on growing my own leadership acumen. The application of that leadership skill, especially in the security space, for me holds an even heightened sense of purpose and passion because I believe the industry as a whole has lacked true leadership. I think that for a lot of CISOs there’s a leadership and business acumen deficit. One of the best definitions of leadership that I’ve come across is, “Leadership is the art of motivating others to want to struggle for shared aspirations.” It’s not about power, it’s not about authority.
When you dissect that definition, it’s a struggle and you have to get that shared struggle and aspiration. The talk that I’m going to give is based upon a leadership framework that I’ve created that’s evolved just as a result of my thinking over the decades. It’s around six simple words: I believe. I belong. I matter.
I learned a long time ago that as an individual, whether individual contributor, first-line manager, senior manager or executive, I am at my career best when I can say those six words. To curate commitment with each individual and their team, leaders have to create a culture and an environment where all of the employees can step back and say, “I believe in the mission. I believe in management. I believe in the peers that I work with. And I believe in myself. I feel like I belong here.” If you can cultivate that type of culture and communication and environment, and tie that to the work that people do, the rest of it is easy.
InfoSec Insider: Seeing as the role of the CISO has evolved so much over the years, how has leadership in your opinion not been a part of that evolution?
MH: That’s actually incredibly simple to answer. Leaders can distinguish motion from progress. Tell me if you think we’ve made any progress in the cybersecurity industry. At a macro level, we can say that we’ve made no progress, by and large. And a leader can distinguish motion from progress. And if we had true leadership, we would have distinguished that, and we would have changed what we’re doing and how we’re doing it to change progress.
There are certain parts of the industry that are starting to make real progress. There are also CISOs in organisations that are making real progress in their organisations. But, when you look at the aggregate risk and its continuing escalation as it’s spiraling out of control, we have a leadership problem.
InfoSec Insider: How much does emotional intelligence play into this?
MH: It’s a huge amount. If you think about the notion of, “I believe. I belong. I matter,” that’s all emotional intelligence. [Studies point to] the skills crisis getting worse. There is more turnover. We have labor shortages. Some of this is because of tools and technology, but a lot of it has to do with the environment and the culture. Reports also indicate that CISOs leave their job because they don’t believe their management and their company cares about cybersecurity. If the broader organisations are not demonstrating that they care, then how does that affect the CISO?
The modern-day CISO has two battlefields: the external battlefield featuring threat actors, which by and large they’re losing on, and the internal battlefield of budgets, bureaucracies, and behaviors. Data indicates that roughly 40 percent of people who choose a cybersecurity profession or role choose it because of the morality of what they’re doing. They want to know that they belong. They want to know that they matter. And they certainly want to believe in it. The other 60 percent might be a bit more dollar driven, but HR data indicates that a raise is less important than meaningful work and working in an environment that you like.
InfoSec Insider: It sounds like the lack of leadership is a major component that’s fueling the talent shortage and talent gap that’s impacting the industry. Would you agree?
MH: I totally agree. But, let’s think about it. Why do we have that multi-million labor shortage? On one hand, risks are growing and organisations haven’t funded it. But the other view is to look at it and say, we have created a labor shortage because we haven’t done a good job of stopping the risks. Because most of those jobs are doing threat detection and staffing a security operations center. Our labor shortage has been created because we’ve done a [poor] job of managing the risk.
Take this analogy into account. Let’s say that the U.S. faced a crisis involving a labor shortage of firemen. Is that because we haven’t done good fire prevention? We’ve created an environment where we have too many fires because we haven’t done good fire prevention, and therefore we have a fireman shortage. A lot of our labor issues would be resolved if we did a better job of controlling risks.
InfoSec Insider: What does the “ideal state” look like for a security organisation from an interpersonal standpoint?
MH: If you have that environment, it then becomes a bit easier for the head of security or information risk to be able to create a sense of the day-to-day work for the team. Do I believe in the CISO and the CISO’s management team, that they’re going to help us do our best job to manage and mitigate these risks for the organisation and our customers? Are they the type of management that is authoritative? If you have that type of approach, you’re not going to make folks feel like they belong. You have to create the culture and environment. By and large, the fulcrum of that whole aspect of this sits with the senior executive running security.
InfoSec Insider: What are a few areas that up-and-coming security leaders can do to put themselves on the right track to reach this ideal state?
MH: First you need to do your own self-exploration. “I’m the CISO. Do I believe? Do I feel like I belong? Do I feel like I matter?” That has to be number one. Step two is, as a part of your resolution, if you don’t feel that, be open and transparent with at least your first-line leadership team and get them to do that self-assessment. Then between you and that leadership team, go and have that conversation with the front-line staff and figure out where they’re missing in some of those things. You have to do that type of assessment with yourself, your leadership team and the individual contributors. My guess is that when people do that, they will find linearity to what’s causing the problem. Now that the leader has done the self-assessment, done it with the management staff, and done it at the individual contributor level, they then have the data to fix any issues. But just having that dialog with them will start creating the culture of “I believe. I belong. I matter.”