Sunday, July 15, 2018

The Importance of Leadership in InfoSec

Over the years I have had the privilege of being a member of many organizations that put a great emphasis on leadership. From those experiences, both educational and military, I have grown to appreciate several characteristics of a leader, whom I prefer to define as someone who uses influence to bring people together and contribute to a common goal. I have seen that leaders must be high-integrity, honest, relational, respectful, skilled communicators, and very competent.

Foremost among leadership traits, a leader is high-integrity. Leaders must be honest and do what is right without regard for personal expense, time or effort. They must do so in order to garner and preserve the respect and credibility required to lead effectively. They must be accountable to high standards in this area. Flaws in this area quickly lead to a loss of influence for leaders.

Leaders are relational and place a high degree of value on people. They operate from a transformational perspective rather than a transactional one. They communicate and relate to others with respect and don’t lower their own standards for communication when others stoop low. They put others’ needs ahead of their own and treat them with dignity and kindness.

Finally, leaders are highly competent. They know how far their own abilities go and where to draw on the greater abilities of others. No one looks up to or is willing to follow someone who doesn’t know what he or she is doing or talking about. Conversely, someone who has a command of a body of technical knowledge quickly gains credibility as an expert. People come to them for advice, thought leadership, and critical task handling.

In working toward my goal of becoming a better leader through training, I have realized both some strengths and the need for further development of several competencies. I desire to give back to the community and industry at the highest quality level possible and believe an important part of having recognition and a platform to communicate from is using those as opportunities for positive effect. The SANS MS-ISE program will greatly enable and support these efforts, taking me beyond the scope of my current graduate certificate studies in penetration testing and ethical hacking.

I feel I have strong suits in being self-directed, developing teams, building relationships, coaching, and training. I take initiative in my own work efforts, professional development, and personal pursuits by looking for a need and then meeting that need. I also enjoy bringing others together to work on projects in a healthy, relational manner. I enjoy sharing ideas and experiences for the benefit of others. Finally, I seek to help others make sometimes difficult career decisions, identify areas to invest study time, and pass on knowledge through presentations.

I am investing in developing my verbal communication skills further, including presenting and instructing. I have dabbled in this arena by seizing the opportunity to speak at SANS lightning talks and Security BSides conferences, as well as participating in Toastmasters International. I am taking this to the next level and look forward to utilizing the SANS master's program to accomplish this through the coursework and practicums.

I am also developing my skills in setting and communicating vision effectively. I am being called upon more and more frequently to write or present on security topics in a way that decision-makers can easily digest, buy into, and implement. There is a clear gap between the language of these decision makers and that of the industry as a whole. I, as an information security leader, must be prepared to bridge this gap in addition to offering the expected engineering or management skills.

I am investing in greater project planning skills. This is a very important aspect of gaining the confidence of stakeholders toward project kick-off. No smart business owner is going to buy into a poorly planned project. They know all too well the consequences of doing so. I am working toward a greater grasp of project management fundamentals that will enable me to more accurately and efficiently estimate, plan, present, and manage projects in my day-to-day work.

I am also investing in developing skills in leading change. I have seen first-hand some big organizational changes go horribly wrong. I am excited about exploring this area and adding it to my toolkit for future use. By being as well prepared for this need as possible I hope to help bring about organizational change through individual interactions.

Leadership, rather than engineering or management skills, is needed more than ever because of the growing communication gap in the information security industry. As I mentioned earlier, this language gap creates a disconnect between the business and technical efforts. This is particularly important because the information security knowledge domain, like technology as a whole, is broadening and deepening rapidly. So, it’s likely that this communication gap is widening as well. CIOs and CISOs have never been more challenged to impress upon business owners the implications of technological decisions. This communication dynamic will surely shape the future of our world for decades as a result. Therefore, the onus is on us to pursue excellence in this area and to exercise it appropriately.

In summary, I am continuing graduate studies at the SANS Technology Institute as a student in the Master of Science in Information Security Engineering program in order to further develop as a leader. Leaders are high-integrity, respectful and competent individuals who use their influence to better the world around them. I will use this program to build on my current strengths, strengthen weak areas, and discover other areas I was not yet aware of, for the benefit of myself, the community and industry.