SecurityWeek discussed the role of security leadership with William Dougherty (Omada Healthcare), Barbee Mooneyhan (Woebot Health), and Mark Wochos (VEDA Data Systems). All three are CISOs in one of the world’s most attacked sectors: healthcare.
The route into cybersecurity
All three of our CISOs entered cybersecurity via IT. Dougherty had led the creation of an MSP where he became VP operations. He was recruited by one of the MSP’s customers and became corporate computing services manager.
“We started having problems with people trying to break our systems. We didn’t really have a security function; so, I went to my boss and said, hey, I think we need a security department and I want to run it.”
This is a recurring theme in this series of CISO conversations – career progression is often self-initiated: see an interesting gap, step up, and fill it.
Barbee Mooneyhan had been in IT for almost 20 years, but never quite felt it was where she should be. She would often help members of the security team, and eventually asked if she could transfer. She did.
“I just studied and studied and studied, and it took me over a year to get into security properly.” She moved to another company as a security team member, becoming the team manager about a year later. But now she had found where she should be. “I absolutely fell in love with security the moment I landed in it.”
Mark Wochos was a systems and network engineer. This was in the days before cybersecurity evolved into a separate field of expertise. “So, it was automatically part of my duties. But it piqued my interest and I spent more of my time focusing on that area.” People focusing on cybersecurity so early tended to automatically become managers.
So, see a gap and fill it; especially if it is one that attracts you.
Becoming a leader
A CISO differs from a manager in one major aspect: a CISO must also be a leader. Wochos draws an interesting distinction here: “Anyone can be a leader. You don’t necessarily need to be a manager to be a leader.” Most teams have a go-to person that other members seek out for advice on tricky problems. That person is a leader, but he or she is probably not a manager, and may prefer to remain an engineer rather than become a manager.
Being a manager requires a different skillset to being a leader. There are good managers who are not good leaders, and there are good leaders who are not good managers. A successful CISO must have both skills.
In the early days of cybersecurity there was no existing organizational structure. A good and ambitious engineer could jump straight into a cybersecurity management position. That almost certainly cannot happen today. The route now is from team member to team leader to manager and – if you tick all the boxes – eventually to CISO. This process naturally teaches management skills – but the CISO also requires exceptional leadership skills.
You can learn management skills from books. Most CISOs believe you can also learn leadership skills, but this comes from desire, the advice of mentors, observation of other leaders, and a smidgen of natural charisma. Mostly nurture, but a little bit of nature.
Mooneyhan provides an example from her own career. Her task was to develop a threat hunting and incident response program. What she found was a non-team – just individuals doing their own thing and not generating any coordinated information. Her response was to fly everybody to a private summit – including her boss – in Nashville.
“We sat in a room for three days, and we planned out everything that was going to happen. I think I just took the reins. The next year I did the same thing.” That showed the desire and charisma to lead, and demonstrated leadership.
“I think most leaders make themselves, but no leader makes themselves alone,” says Dougherty. “Leadership is a skill that must be learned, like any other skill. And the best way to learn that skill is through observation, and apprenticeship. You must have mentors and guides and leaders above you that are willing to help you learn. I don’t believe you come fresh out of school ready to be a leader. Leaders are made, not born.”
The implication is that if you are a manager wishing to become a CISO, you must have the desire and willingness to learn leadership. But it can be learned.
Wochos agrees with this. “It is something you can absolutely learn. Obviously, there are certain people who have natural charisma or natural leadership skills that they are born with, but a good leader must spend time focusing on those skills. Anyone who has the desire to move into a leadership role can do so if they’re willing to put the time in.”
Building and keeping a strong security team
Key to being a successful CISO is the ability to recruit and keep – gain and retain – a strong, well-balanced security team. Different CISOs develop their own methods for recruitment. Wochos, for example, prefers to recruit from within his company. “My preference is to find someone internal who has a desire to move into security, because that seems to be more effective.” That doesn’t mean he doesn’t recruit externally for specific roles, but he adds, “I think having an existing relationship and having people who already understand the company jumpstarts the whole process.”
Mooneyhan notes a common problem for smaller organizations: “I don’t have the luxury of being able to recruit and train entry-level staff – I need people who can be effective from day one without requiring a lot of handholding.” This involves going through hundreds of resumes looking for people who might fit – and this much is fairly standard.
What differs is the first interview. She talks about herself and her way of working, and about the company. She asks the candidate about passions and aspirations. By the end of the conversation, she knows whether the candidate wants to work for her, and whether they can work together. This process weeds out those who just wouldn’t fit into her culture; it is only at the second, technical interview that she investigates whether the candidate is qualified for the position.
All three CISOs take the same approach to keeping a strong team. It involves taking a personal interest in each individual. Compensation is important, but not what makes people want to stay. Team members stay on the team if they are interested, engaged, have a sense of purpose and fulfillment, and a clear career path.
“Every career is ad hoc,” comments Wochos. “In the short term, my approach is to have that conversation with everyone to understand what they’re doing, where they want to go – and then help create a plan to get there. In some cases, particularly with people who are newer to the industry or new to the role, that person might not know where they want to go. So, you use your intuition, some of your own expertise and wisdom, to try to push them in a direction you think they’ll be good – but that only works if they have a desire to want to walk with you.”
The secret to retaining a strong security team is to make each member want to walk with you, but to train and mentor them so they are eventually capable of walking ahead on their own.
The importance of diversity
Diversity is an important ingredient in the team mix. “If I don’t have diversity of thought, I don’t have a fully functioning team,” says Mooneyhan.
“I really focus on diversity of thought,” adds Dougherty. “I want to hire really smart people that are likely going to disagree with me, because that allows us to bring the best arguments forward.”
For example, Dougherty is pleased he has team members that come from an arts rather than purely technical background. “I value that because when you have a diverse team, you have a number of different opinions, and it allows you to come to a more holistic answer.”
Diversity goes way beyond gender diversity – which is difficult to achieve because of the smaller number of female applicants. It includes race, socio-economic background, culture and LGBT. Full diversity is difficult for smaller organizations because the security team isn’t large enough to include everyone – and CISOs must choose the best person regardless of background.
Nevertheless, each of the CISOs would welcome neurodiversity into the mix. “We embrace that,” says Wochos. “In fact, I do have one or two neurodiverse people on my team.”
Dougherty adds, “I’ve had the pleasure of working with a few people that would fit in that category and they’ve been fantastic people. Some of the neurodiverse people I’ve worked with have been incredibly good at data and math and statistics. So, if you put them in an analyst role, where they’re doing that sort of thing, they thrive.”
Maintaining mental health in the team
The potential for burnout is increasingly recognized. Dougherty explains part of the cause within the security team. “There’s a portion of the job that is… I don’t want to say boring, but it’s rote. Every day you must look at your SIEM and you must look at your log files. So, you review 1000 entries in a system looking for problems. And you clear them all and tomorrow morning, you wake up and you’ve got another 1000 entries, and a year from now you still have another 1000 entries to look at. That creates a tedium. But, in addition to that, you also have these moments of incredibly high stress. You find something, and you must figure out whether it’s a false positive or is the entire house on fire? And as soon as you’re done with that crisis, you have to go back to the tedium – and the cycle never ends; every day, you’re going to get another 1000 log entries.”
Burnout can happen to anyone in any profession, including (and perhaps especially) the CISO. For the CISO, the buck stops here. There is generally less external company support available, and the CISO must be self-disciplined to prevent personal burnout.
Wochos describes how his company, and many others, manage burnout for the team. “We focus on our people’s mental health,” he explained. “We provide the opportunity for mental health days when people need to step away. We provide mental health benefits. If I see one of my engineers who has not taken time off for a while, I’ll force them to take a day off. ‘Hey, by the way, you’re not coming in on Friday. Goodbye, we’ll see you next week. Take a day off.’ We think that’s important to allow people to take time off to refresh and come back as their best self.”
He believes the problem can be exacerbated by remote working, with staff working excessive hours. “We provide guidance and suggestions and try to enforce them where possible: separate your workspace from your living space; find hours when you will not work, and step away from work in those periods.”
The key to preventing burnout lies in the old adage: finding and, if necessary, enforcing a good work/life balance.
We ask all the CISOs in this series to tell us the best advice they ever received, and what advice they would now give. The former tells us how to become a good leader, while the latter tells us what has been learned after succeeding.
Mooneyhan says the best advice she received comes from the Robert Frost quote: “The best way out is always through.” Frost has another similar quote: “Hope is not found in a way out but a way through.” For Mooneyhan, this translates as not trying to avoid difficulties, but confronting them and solving them.
Dougherty cites two pieces of advice: never stop learning; and surround yourself with people you believe have the potential to be better than you while giving them the opportunity to be so.
For the former, he says that technical learning is good, but you shouldn’t limit yourself. “Continuously expand your knowledge. Be a sponge. You won’t always know when you will be able to use that knowledge, but eventually you will. To be an effective CISO, you must be continuously learning.”
For the latter, he comments, “Their success will reflect back on you as a leader. The ultimate value of success is 20 years down the road when they’re all leaders too.”
For advice given, Mooneyhan points out the necessity to learn additional skill sets as you move up the career ladder. Management skills are different from engineers’ skills. And when you get to C-suite levels, you need to add leadership skills and business skills.
Dougherty advises on the need to build strong trusting relationships. “It may be counterintuitive in the security world because our inclination is to trust no one – but the paradox is that to be effective, you have to surround yourself with people that you trust and that trust you.”
Wochos simply says, “Be true to yourself. Don’t let a company mold you into someone you don’t want to be. Just be true to yourself. Be who you are, don’t lose yourself while you’re evolving into a good leader.”
A good CISO will lead a strong, diverse, and healthy team for one primary purpose: to prevent cyber threats from impacting the company’s bottom line. Understanding those threats is imperative – especially in healthcare, one of the most attacked sectors.
“I’ve been concentrating on buttoning down our public threat landscape in the expectation of more national threat actors,” commented Mooneyhan.
“The media focus is on malware,” says Wochos, “and understandably so because it is interesting and challenging. But the greatest threat is, and will continue to be, social engineering. Almost every attack goes through social engineering attack vectors. Getting your workforce to be alert with the proper level of paranoia and education, and the understanding to ask questions and not just do things… this is the greatest risk and will probably remain so for the foreseeable future.”
Dougherty’s concern is on a similar theme. “I have long held that my number one threat is the insider. I’ll say this in an impolite way, and then I’ll try to make it more polite. I’m always fighting against malicious and stupid, and stupid is always stronger than malicious.”
‘Malicious’ comprises the external actors that try to cause harm and steal data. ‘Stupid’ comprises the internal workers who are simply trying to do their job as efficiently as possible, but with a system that doesn’t preclude careless errors.
“The biggest threat comes from the people inside who already have privileged access and are trying to do the right thing but just make a dumb mistake. They’re not trying to circumvent your controls; they’re trying to get their job done. The hardest thing to do is to design systems that allow people to get their work done, while at the same time preventing them from making mistakes. Human error with the best intentions from people who were just trying to do the right thing and get their job done within a system that promotes productivity but doesn’t catch those errors – that’s the biggest threat.”