Much of SecurityWeek’s CISO Conversations series discusses how to be a leader. Here we start with a slight variation: how do you become a leader?
The CISO is the ultimate cybersecurity leader. He or she must lead the security team into battle against the stronger forces of cyber criminals and advanced threat actors; must lead the company workforce into a better understanding of cybersecurity and good security habits; and must guide the board into doing the right things.
This begs a fundamental question: what makes a good leader – is a good leader born or bred? That’s one of the questions we asked our two CISOs – Jennifer Watson of Raytheon Intelligence & Space and Mary Haigh of BAE Systems – for this issue of CISO Conversations dealing with the defense sector.
Jennifer and Mary are not the first women CISOs in the series, but this is the first time that both CISOs are women. It is worth noting that while more young women are breaking into technology careers, there is a greater ratio of women CISOs than women security engineers.
That leaves a massive elephant in the room – a question that I have often asked but never received a satisfactory answer. The intellectual difference between men and women is nil. Does this suggest that there may be something in the psyche or psycho/emotional make-up of women that makes them particularly suited to modern leadership roles?
What makes a good leader?
Raytheon’s Watson believes that true leadership evolves – or perhaps emerges – through a combination of experience and empathy. “I started as a hands-on-the-keyboard kind of person, coming up through the ranks and then moved slowly to the security world, and leadership.” This provides the background from which leadership can emerge.
To be a leader in industry, she says, you must have a close and detailed understanding of the business. “I think what really helped me be successful is having that hands-on experience and really being able to empathize with the people, the customers, and the end users that the business is trying to help.”
There’s that word ‘empathy’. The implication is that a leader needs to be able to combine a practical understanding of the mechanics of the business with an emotional understanding of all the people involved.
This perhaps gives us one clue into the relative success of women in leadership. We’re in an era – and security is an area – where the need for diversity is fully understood. Minorities are important within security staffing – but women themselves are one of these minorities. Does this imply that women have a head start over men in the empathy side of leadership, because they already understand the human problems?
“I believe leadership is something that can be learned,” said Watson, “but I do believe that it has to be in there somewhere. It’s about learning to follow first. You have to be able to do the job yourself before you can lead others.” For Watson, leadership qualities were probably innate.
“I’m somebody who is an active listener,” she continued. “I like to hear what people are saying, and I pick up on those things, and I’m able to connect with people at different levels. So, for me, I believe leadership was in there all the time, and it wasn’t something I learned.”
She believes that leadership is a quality she had naturally and subsequently encouraged and honed within her profession – but she does not believe that innate leadership is essential in learning to be a good leader.
BAE’s Mary Haigh has a remarkably similar view – mostly it can be learned, but partly it is in the nature of the person. “I think you can learn a lot of it. I think the bits that you’ve got to dig deeper come as you get into more senior positions. The more senior you get, the more self-aware you must be, and the more you’ve got to understand about yourself to be able to understand your own behavior and your own responses to things. Only then will you be able to understand other people’s responses to what you’re doing – and adjust and adapt and shift to get the best outcome. So, if you don’t have that habit of self-reflection and ability to understand yourself, you’re gonna need to learn that, and that takes some people longer than others.”
Interestingly, neither of our CISOs were willing to entertain the idea that women may have some psycho-emotional advantages over men in being a good CISO. Haigh simply stated, “I’m not a fan of stereotyping certain traits.”
Nevertheless, she added that one essential aspect of being a good CISO is knowing that you cannot know everything; and then raised the ‘imposter syndrome’ (the belief that you don’t deserve or have earned what you’ve got). “Men do suffer from the impostor syndrome as well as women, but it tends to be more prevalent in women. Women don’t feel they deserve the position as much, and that they’ve somehow got to work harder for it. A by-product of feeling you must work harder for it, feeling like you’re a little bit of a fraud, is that you work your socks off and you are aware all the time that you don’t know everything and are more willing to go out and ask the questions. And that is sometimes quite helpful. Maybe that’s a part of what’s made women more successful in this area.”
The advice from both Watson and Haigh is that if you have the drive and dedication, anyone can learn to become a leader – and that applies as much to men as women. Ultimately, being a good CISO has nothing to do with being male or female. As Haigh put it, “I didn’t get to be a CISO because of or in spite of being a woman – I got to be a CISO, full-stop. And that involved the support of a lot of men along the way.”
Being a leader in cybersecurity
Being a leader, born or bred, does not in itself make a good cybersecurity leader. Cybersecurity is like no other business discipline. It changes faster and further than most other disciplines. Security teams tend to be small but of higher-than-average caliber. And there remain remnants of distrust from the general workforce since the introduction of security inevitably introduces restrictions on the easy flow of work.
Being a CISO requires additional skill sets that need to be integrated into the leadership expertise. The first is a willingness, if not drive, to learn and keep on learning. The second is the ability to build, manage and engage high power teams. And the third is the ability to cultivate and utilize relationships, whether with other business leaders or the general staff.
“Build and use your network to help you,” says Haigh, “whether it’s testing ideas or sharing a problem or going up to a colleague and saying, ‘I don’t know a thing about this – I don’t understand it; can you help me out and explain it?’”
People love being asked questions like that, she continued, “so it’s kind of a two-way thing: they like it, it helps you, and you get to help them someday, so it’s all mutually beneficial.”
On relationships, she added a personal note. Her father recently died, but before he passed, he received many messages from people who had worked with him. “What was just amazing,” she said, “was how many said ‘thank you for your coaching, thank you for the friendly atmosphere that you created. There’s not a single one that said, ‘I’ll never forget the time that you increased our profit margin, or that you delivered that project two weeks early’. The legacy that he left from work was, ‘You created a great place to work; you created somewhere that was trusting and supportive and you taught me lots’.”
The lesson here is that leadership is about the people. Great relationships create great teams that deliver great results. But people and the CISO’s relationship with them are the bedrock.
“Cyber has lots of really tricky problems,” she continued. “There will be times when it goes horribly wrong. It’s in those moments you need your people to have the confidence to tell you it’s going wrong, and tell you the problem, and to believe you can help them sort it out. All those traditional success factors around profit and revenues and delivering things on time… they all come because you’ve created the best atmosphere in your team, because you’re doing good leadership, because you’ve got the right culture – and that’s what people remember.”
This is something she stresses to everyone. “Make sure you’re thinking about how you grow your workforce. Make sure you’ve got good managers with good behaviors who are exciting their teams, supporting their teams, sharing with their teams. In cybersecurity, you can’t afford to have a poor team manager with a team of cyber people, because they’ll walk.”
Mentoring and being mentored is a theme that unites both learning and relationships. Every CISO we have spoken to in this series has stressed the value of mentoring received in their own career path, and the need to personally mentor the next generation of security leaders – and Watson and Haigh are no exception.
Haigh sees the need for mentoring as transcending her own employment. “I’m chair of the Women in Cyber group, and one of the things we recently established is a mentoring scheme called RISE; Raise, Inspire, Support and Empower.” This is a multi-corporation scheme, with other leading companies taking part. “Schemes like this help grow and retain the talent you already have, but they also help grow your own network beyond just the boundary of your walls within the company.”
Fundamental to mentoring is giving and receiving advice. Watson believes the best advice she ever received was, ‘stay calm, carry on, and be ready for loneliness’. “You have to be calm, and you have to stay calm. That’s the only way you’re going to be able to figure out the real situation. So, the best advice for me was slow down, listen, assess the whole situation, and be flexible in response.”
But there was one other thing. “Be comfortable with being uncomfortable,” she added. “You’re not necessarily going to be anybody’s friend in this world. Sometimes you’re going to get lonely. At times, it’s going to be very lonely in cybersecurity leadership.”
Haigh has already touched on what she considers good advice: growing and maintaining relationships and not being afraid to ask for help. But she adds, “Be willing to take risks with your career. You’ll never be in the position of believing you know everything for your next role – so just give it a go anyway.”
The need for diversity and balance
One thing all CISOs accept is the need to obtain and retain talented staff within cybersecurity teams. While acknowledging that there are some additional hurdles for recruitment within the defense sector, neither Watson nor Haigh consider that recruitment is particularly more difficult than it is in other sectors. Both concentrate on building diversity even more so than accruing security certifications. University degrees are useful because they demonstrate the ability to learn – but the precise degree subject is less important.
Watson seeks balance in her team when recruiting new staff. “I like to sit down and talk to people,” she says. “It’s a conversation – it’s never that deep question-answer interview. It’s more about listening to people and getting a feel for who they are, how they communicate, how they handle things. I truly believe that by doing that kind of interview, diversity naturally occurs. I’m not just looking at what’s on paper when we have the conversation. It’s great when you already know a person a little bit – and you’ve seen them in action. But equally, when you bring somebody in cold off the street for an interview, it’s all about that communication, that conversation. And I just feel that diversity then occurs naturally. I don’t ever go out of my way to ensure certain things are occurring, but then at the end it’s just naturally happened. We have a good, diverse group of people.” The end product, she believes, is both diversity and balance in her team.
“We’ve often been too narrow in thinking about who we need to be in cyber roles,” says Haigh. “When I look at my team, I’ve got an ex-West End star, I’ve got someone that did a classical music degree, I’ve got someone that did geopolitics, I’ve got someone that did graphics then computer science. I did physics, someone else did engineering, and someone else doesn’t have a degree at all. But they’re all now experts in cyber. They all bring something different and a different way of thinking – and I think we need that creativity in cyber because we’ve got some big problems to solve. In any area of challenge, you need the best team on it, and the best team is always the most diverse team. Whether that’s diversity in cognitive function, or race, or sexual orientation, or men and women, whatever – it’s diversity right across the page.”
Future threats to the defense sector
The bottom line for all CISOs, regardless of their leadership skills, is to defend their organization against cyber-attacks. We asked Haigh what she considers will be the primary threats to the defense sector in future years.
She replied, “The global growth in cyber power. With cyber power comes both stronger defenses and stronger offences. Obviously as a defense company we’d be squarely in the target lines for that kind of activity. A lot of countries are putting in a lot of money to build up their cyber power.”