Leadership in Cybersecurity: A Guide to Your First Role
How to transition from a high performing individual contributor to an inspiring leader.
Leadership is a skill, distinct from other capabilities; it’s something that can be learnt and honed. As is the case in many fields, the best individual contributors often find themselves in leadership positions, and Cyber Security is no different. This isn’t always a bad thing, but often, it creates situations whereby the 'wrong' people are put into leadership roles. This phenomenon is often blamed for the proliferation of bad leaders. However, my observation is that a lack of training, support and good role models is more often at fault. Many people have the potential to be good leaders given time, good role models and the right combination of training and coaching. In this post, I do my best to impart what I’ve learnt as a leader and to distil the advice I offer when mentoring new leaders. If you’ve found yourself promoted and expected to lead with no support, struggle to find good role models, don’t know where to start the journey or want to gain another perspective, this post is for you.
This article is intended to be used as a signpost to leadership concepts, and as a primer on some core topics that may be useful in a leadership role. I caveat this heavily with the fact that mine is but one approach. I have flaws, blind spots and biases that will taint the narrative, so please apply multiple pinches of salt. I favour research-backed approaches over anecdotal ones, but I have added my own experiences too. I hope it helps you on your journey.
You Haven’t Made it, You’re Back to School
When you become a leader for the first time, you’ve almost certainly been promoted, got a nice pay increase and perhaps some good additional benefits. You probably feel like all the hard work you’ve done has paid off and you’ve made it. You should certainly take a moment to breathe it in, and be proud of all your hard work. However, believing you’ve arrived at your destination can be a big mistake and could prevent you from learning the skills you need to succeed. One of the most important things in leadership is your mindset. You need to respect the craft and acknowledge that you’re starting again as if you’ve changed career. Some people will take to leadership very naturally, while others will take more time to find their style. Don’t be disheartened if it doesn’t happen right away. I’ve always found that relationships with your team and getting buy-in takes longer than you’d like, but if you keep doing the right things, it’ll happen.
Develop your Self-awareness
Some of the toughest struggles you will face across your career are your own limitations, and your awareness of them. Everyone has strengths and weaknesses, and it’s important to acknowledge that. It’s also important to be aware that the more senior you become in a business, the less likely you are to hear the truth about your shortcomings. With that in mind, it means it’s extremely important to develop self-awareness as a skill, and to surround yourself with people who’ll give you honest feedback. I maintain that ‘good people’ make good leaders, and I’ve learnt a lot about how to be a better person by learning about leadership.
The earlier in your career you can be honest with yourself about your skills and how you show up for your team, the better. It can be a jarring experience at first, especially if you don’t tend to be reflective or a deep thinker. A good first step can be seeking feedback from those you trust to give an honest appraisal. It’s important in this process that you not reject their perspective (i.e. argue why they’re wrong) or judge what’s being said, even if you violently disagree. Doing so could mean that you’ll be unlikely to hear their honest views in future and, frankly, misses the point. Once you have collated and reflected on the feedback, you can start to think about actioning it. Being self-aware is an excellent skill, but even better is being able to put it into effect. This means utilising your knowledge for self-improvement. This article entitled "How to Move from Self-Awareness to Self-Improvement" on HBR does a great job of explaining some effective techniques for doing just that. The post discusses the concept of ‘self-management’ and taking responsibility for how you show up and articulate yourself. I found the key point (as with many in this post) is that no innate ability is required; it’s a skill you need to practice and can improve over time. I’d highly recommend following the steps in the post and experimenting based on outcomes. Temet Nosce.
It’s my experience that the tried and tested affirmation ‘praise in public, constructive feedback in private’ remains the golden rule. I’m sure we’ve all had situations in life where we’ve felt ‘small’ when our faults and/or failures are broadcast in front of our peers (don’t be that person!). Although this appears simplistic, I’ve found that it can often be conflated and confused with challenging the thoughts and ideas of others in a group setting. As a leader, it’s important to have a clear understanding of where these concepts start and end. As we’ve seen within the compliance and policy world within Cybersecurity, enablement and empowerment to make the right choices are met more positively than prescription and forbiddance. With this in mind, I would suggest implementing and experimenting with guardrails (which could be defined by the team) around how you interact and how feedback should be given to one another. An extension to this is what’s broadly known as ‘a manual of me’ or a personal user manual. The concept is to define your preferences and natural communication style and quirks. There are a number of sites which help you generate them, including ‘manualof.me’. I caveat this suggestion with not having fully implemented this in a team so far, but I am in the process of gauging the reaction within a subset of the team I lead at the moment. Initial feedback has been around how comfortable we believe people are to produce a manual, as it can be quite personal. I think the trick may be to show a number of examples to give people comfort that they can go as ‘deep’ or as detailed as they wish. Here’s an example of my ‘user manual’, I tried to keep it as reflective and honest as possible and it’s quite detailed. I’ve seen other examples which are much shorter and less personal too. If you have experiences around this area, I’d love a chat :o)
Something that never happens enough in busy organisations is impromptu feedback, especially from outside reporting lines (i.e. for people outside your team or BU). It’s not uncommon for people to get a ‘well done’ or ‘good job’ from their boss or only during annual reviews. I highly recommend scheduling time to reflect on the people you work with and the value that they add to your work. I do this explicitly and intentionally every couple of months. I’d suggest utilising email, as it’s more formal and it gives the opportunity for people to forward on and archive for review time. I would also ensure you cc or bcc the person it’s about, in case their line manager doesn’t remember to send it on. It’s important to be specific and tailor these messages so it doesn’t sound like there’s a production line or it’s insincere. It’s my experience that it’s simple to make someone’s day in this way and it helps build mutual respect for their contributions.
Changing Your Relationship with Knowledge and Expertise
One of the primitives of Cybersecurity is that it constantly evolves and changes. If you’ve previously been working in a role where you’re a subject matter expert (SME), be ready to change your approach to understanding your topic. When you’re ‘doing the doing’ you will have current, sharp skills and stay up-to-date with the latest trends and information in the space. Once you have a team to lead and senior stakeholders demanding your attention, you’ll have less time to maintain your capability in the same way. You’ll also (hopefully) want to be a SME in the field of leadership! This doesn’t mean that you should totally neglect your understanding of your field or what your team do day-to-day. You will need to find a new way to retain currency and provide value to your organisation and team, without having to work two jobs concurrently. To some extent, you need to cut the cord with your previous life as an individual contributor. You need to make peace with the fact that your role will be to enable and empower your team to be the SMEs and live vicariously through their successes. This can be one of the hardest things to do, especially as you’re likely to have been (at least in part) promoted for your ability in this area. You’ll need to find a new approach or balance to maintain relevance. I’ve seen this done in a couple of ways. You could retain expertise in a niche area that is a sub-set of your previous expertise. This means that staying current is more manageable; however, you can risk micromanagement or dominating the narrative in this area. The temptation may be to jump into your comfort zone to fix tactical issues, rather than remediating single points of failure or addressing strategic challenges. It could be that you’re a ‘player-manager’, and this is mostly fine, but in most cases you need to adjust. An alternative approach is to aim for a more ‘meta’ understanding and focus on augmenting existing knowledge at a higher level of abstraction.
Personally, I prefer the latter approach, as I found the temptation to dive into the weeds too much when I first made the leap. You may have more self-control than I did in my 20s though. It’s important to be aware of these pitfalls and be honest with yourself whether you’re spending your time wisely in the context of your role.
Leadership Style and Common Trappings
Most leaders fall into a few common traps when they start out; some never escape. The two most common, in my experience, are micromanagement and issues related to delegation. The two mistakes go hand-in-hand and many people tend to start working in this way (I certainly did, sorry team!). It may seem functional at first to manage everyone’s time individually and put yourself into a position of approving all meaningful decisions. If you’re really organised and have a strong grasp of the work, it could even seem optimal, at least for you. However, when you scale beyond a few people or gain additional responsibilities, this model can break very quickly. Moreover, you’ll probably find that most people don’t enjoy being managed in this way and it will stifle their development. This can also create a paradox when you do try to empower and delegate to your team more. This can be because you’ve made all the decisions, directed them meticulously and now you expect them to operate in a way they have no experience of. In short, they lack the skills and experience, and they’re likely to fail. It may seem to you that you’re vindicated in your previous approach and that they’re not ready or capable. These kinds of self-fulfilling prophecies are incredibly common and you’re likely to have experienced them, even from long-tenured leaders. Few things kill morale quicker than micromanagement, failing to empower and setting people up to fail. It’s often hard to see that this is what you’re doing, which means soliciting honest opinions and getting feedback from the team is super important. Often, the people who deem themselves most competent are the least self-aware of their deficiencies (Google ‘the Dunning-Kruger effect’ for details).
Delegation is surprisingly challenging, or at least delegating effectively. It comes with its own traps and approaches to avoid. The first 'bad' delegation style is what I call ‘delegate and forget’ and is probably the most common I’ve experienced. This is when a task is given to someone, normally with a couple of (probably unclear) tasks and that’s it. There’s often a whiff of ‘I’m too busy’ about it and then in <insert-random-amount-of-time> they ask for the outputs, expecting exactly what was in their head to be returned on-demand. We’ve probably all had this situation, and the further up the ladder you go, the more common it gets. When you’re the assignee in this situation, you need to manage-up (which is an art of its own and beyond the scope of this post). Essentially, in this situation you need to take over accountability. You should request a steer on: priority, completion date, format for deliverables, expectations on approach and any other useful guidance. As this example illustrates, when you are the delegator, it’s important to think about the metadata requirements of the deliverable. The second common error, I call ‘delegate the sh*t’. This is where someone delegates all the crap tasks they can’t be bothered to do or feel are beneath them. Obviously, sometimes, there will be cases where you do need to delegate some administrative or annoying tasks to your team. However, I would suggest trying to balance this and taking some of this upon yourself where possible.
As a delegator, you want the task to be done well and you need to train the team to do their part right, ideally first time. Don’t assume they understand your working style and expectations or are ready-made task completion machines. Once expectations are set clearly, you’ll find the outputs will improve dramatically. The end goal is that the team pick up these working practices quickly and do them automagically for themselves in future.
To help with delegation, here are some things to consider that have helped me:
Create a template (perhaps on email) that consistently captures the important metadata relating to the task.
If the tasks were given verbally, follow-up with an email seeking acknowledgement and confirmation of understanding (also a good prompt for questions).
Consider using frameworks, such as Agile, supported by tracking tools for bigger projects, engagements or tasks.
Schedule check-ins (or ask the delegate to) to discuss progress; this will help prompt more even progress on the task and avoid a nasty surprise at the end.
Where possible, delegate responsibility to make decisions and be creative. This is a good chance to empower.
For more closed tasks, start the task yourself and create a framework or format for how you would like the task completed, e.g. format an XLSX/PPTX the way you want if you know how you want it; don’t leave people to guess.
Explain the task, its importance and relevance to other activities. GIGO applies.
It is important to start stretching your leadership legs as soon as possible and not be afraid to experiment, seek feedback (from the team) and fail. Think about your experiences of being led and managed: what did the best people do? How could you use those things and integrate them into your personal leadership style? I like to think of developing a leadership style as The Sword of Gryffindor (sorry for the Potter reference), in the sense that it would only take in that which makes it stronger. That said, don’t feel like you need to absorb, implement and remember verbatim every leadership training, book or blog post. Use these things as influences that shape your sub-conscious, and don’t be afraid to implement tactical and strategic changes and see what works. One source that is fantastic for this is HBR (Harvard Business Review). They focus on the ‘so what?’, everything is backed by research and the focus is almost always on takeaways for implementation.
Respect People’s Time As You Do Your Own
Valuing people’s time demonstrates you respect their contributions and their ability to work autonomously. Many leaders act in a way that could imply that they feel their time is more important than that of their team members. This could be because they feel they’re busier than everyone else (they could be) or because they feel their time is more important as they’re more senior. Whether this is what they genuinely believe or not, the perception they give through their actions can lead to the same poor outcome. This can result in the team not feeling valued, which impacts motivation and ultimately productivity. My worldview is that I see leaders as ‘just another form of life’ (to paraphrase the late/great Sir Ken Robinson) and another function within an organisation. The tasks I do are as important to me as other people’s are to them. The upshot of this is that as leaders, we should ensure we value the time of others, as it’s core to their feeling of importance and the value they add. This should be factored into tasks we delegate and the expectations we place on them. We need to be mindful of our positions and the expectations we set as part of that authority, as some people may feel unempowered to speak out. This also illustrates the importance of creating psychological safety (discussed later in this post) within teams to enable open bi-directional communication.
We can respect other people’s time by:
Not expecting out-of-hours contributions, whether we feel it’s someone’s passion or not.
Considering carefully when we ask colleagues (especially subordinates) to re-factor things to increase our convenience.
When outcomes aren’t quite right, recognising (stating) that it may be us (as the leader) who didn’t communicate well.
Considering the impact of what we say in the context of our seniority.
Use What You’ve Got
When starting out as a leader, you should always try to play to your strengths. As research has shown, good people make good leaders. All the attributes people like about you as a person will add to your strength as a leader. If you’re not sure what your strengths are, ask your friends or trusted colleagues. It may feel a little weird at first, but self-awareness cannot be overstated. Knowing yourself is important, and understanding where your strengths, weaknesses and blind spots are is a continual journey. Once you understand what your strengths are, look for ways to use them in your role. As an example, for me, I’m a real general knowledge nerd. I like to think that I know a little about a lot of things. I also really enjoy speaking to passionate people, whatever it is that interests them. To leverage this, I always look for opportunities to find out people’s passions on the assumption I’ll hopefully know something about it. This really helps with building rapport (who doesn’t like talking about something they love to someone who’s interested to learn more about it?!) and has made it easier for me to integrate into new teams. Find your superpower and figure out how to use it.
Know Your Theory
One of the best pieces of advice I can give to anyone who wants to be a better leader, is to read broadly about it. It’s how you scale mentors and there is a huge body of research and literature about leadership theory and practice. The two notes of caution I would give are: that you shouldn’t take any one source as gospel, and, that you should consider the sources carefully. Each book, blog or podcast you consume should add new ideas and approaches for you to try as a leader. I like to take a scientific approach to leadership and would advise others do the same. Don’t be taken in by Svengalis who may have had anecdotal, personal success. I have included (below) some of the most important (IMHO) contemporary ideas and some sources that may be useful for you to consider. Obviously, this is not exhaustive, but a reasonable starting point on the journey.
Psychological Safety and Project Aristotle
Psychological safety has been one of the biggest buzz-areas in leadership for some time, but in my view it is worth the hype. First coined by Amy Edmondson in her seminal paper “Psychological Safety and Learning Behaviour in Work Teams”, the work was famously validated by the ‘Project Aristotle’ study by Google. The concept is that team members should feel safe to take risks and articulate ideas, without fearing judgement. The Google study looked at 180 teams and what made them effective (or not). One of the most interesting outcomes, was the importance of Psychological Safety as an enabler for success. The key findings and definitions are summarised below (as an excerpt from the study). This gives a clear view on areas you may want to consider focusing on in terms of your leadership learnings.
“The researchers found that what really mattered was less about who is on the team, and more about how the team worked together. In order of importance:
Psychological safety: Psychological safety refers to an individual’s perception of the consequences of taking an interpersonal risk or a belief that a team is safe for risk taking in the face of being seen as ignorant, incompetent, negative, or disruptive. In a team with high psychological safety, teammates feel safe to take risks around their team members. They feel confident that no one on the team will embarrass or punish anyone else for admitting a mistake, asking a question, or offering a new idea.
Structure and clarity: An individual’s understanding of job expectations, the process for fulfilling these expectations, and the consequences of one’s performance are important for team effectiveness. Goals can be set at the individual or group level, and must be specific, challenging, and attainable. Google often uses Objectives and Key Results (OKRs) to help set and communicate short and long term goals.
Meaning: Finding a sense of purpose in either the work itself or the output is important for team effectiveness. The meaning of work is personal and can vary: financial security, supporting family, helping the team succeed, or self-expression for each individual, for example.
Impact: The results of one’s work, the subjective judgement that your work is making a difference, is important for teams. Seeing that one’s work is contributing to the organization’s goals can help reveal impact.”
If you want a more introductory primer on the concept of Psychological Safety, Amy Edmondson’s TED talk is a great place to start, as well as the New York Times piece on Project Aristotle. These will explain the concepts much better than I could.
The concept of servant leadership is quite simple, in that, the leader’s role is to serve the team (rather than the other way around). Studies have shown that the approach is broadly successful, with the basis rooted in engendering bidirectional trust (as demonstrated in this journal). Anecdotally, I’ve found that the implementation of servant leadership is very effective, especially when working with teams who function in technical domains (this is also one of the key principles of Agile, too). Obviously, this isn’t the only style of leadership and I would advise you to find your own way, applying good ideas from a broad range of paradigms. Being a servant leader can be hard and quite taxing initially. It requires a high degree of self-awareness and the ability to park your ego. It’s not something everyone will feel is natural to begin with, but it’s worth the time and can build great teams and working relationships.
One of the most important things in leadership is communication, especially for servant leaders. I always find it unusual that leaders don’t talk to their teams about their leadership style or what they’re shooting for. I like to try and engage with teams I lead, and talk about the concepts and what informs my decision-making. Moreover, it’s really important to understand how your team members like to work, and talking about concepts like servant leadership gives you a natural segue. I like to include servant leadership ‘sound bites’ in communications (such as ‘I work for you, not the other way around’) and get feedback on what is or isn’t working that I’m doing (requires high levels of Psychological Safety!).
I wouldn’t recommend any particular book on the topic, but I enjoy the ideas of Simon Sinek and Jim Collins, their musings are a good place to start. Servant leadership isn’t something you can slip in and out of, it requires good research and experimentation.
If you’re not normally an organised person, now is the time to adapt! Moving to a leadership position will very likely increase your task concurrency i.e. you’ll have more things to do at once. If you’re not normally very organised, it’s time to start thinking about how you manage your time and prioritise your tasks. This is an area where there’s lots of scope for experimentation. Like many other technical leaders, I love the intersection between operational efficiency and technology. The area of productivity hacks is fascinating and it’s worth exploring how other people operate and manage their time and their team.
At a minimum, I would suggest using a to-do list. I really like ‘todoist’, but ‘Tasks’ in Microsoft Teams or a task with a checklist in Slack will also do the job. If you’re feeling more advanced, you could consider using a Kanban board (which if you work in Development/PM, you’ll be very familiar with - Trello has a freemium version that's good). You may also be responsible for managing the schedules, or at least workload of your teams. It’s likely in a larger organisation, you will already have software to support this and timesheets to capture hours worked. If you don’t, I would suggest you implement a basic form of tracking tasks and ensuring your team know what’s expected. Clear roles and responsibilities are really important when running a team, the use of a RACI, clear Job Descriptions and OKRs are great tools to ensure everyone is on the same page. Most organisations will have specific implementations and support for using these types of tools, so it’s best to check first with your +1 leader or HR before creating something new. If you don’t, I would encourage you to create them and discuss them in depth with your team. You’ll find a lot of issues have their root cause in lack of organisational clarity, so nailing this early will help future-you IMMENSELY. Pinkie promise.
It’s important to have (and clearly articulate) vision and a plan as a leader. It instils confidence for your team, peers and leadership above you. For most people moving from an individual contributor role to a leadership position, your focus will shift from purely tactical to increasingly strategic. This shift means that your mindset will need to change from narrow and deep, to broad and shallow. Your career will likely track this arc as you become more senior, assuming a leadership track. To this end, it’s a good idea when you start in a new role to ensure you understand (and define) your (and the team’s) objectives and mission. This will typically include discussions with your immediate +1 leader. My advice is to use OKRs to define WHAT your objectives are, and a mission statement to encapsulate WHY you’re doing what you do. Next you need to create a strategy for HOW you’re going to achieve your objectives. When you first join a team, your tactical plan is also going to be important. How will you get people on-board? What are your priorities? Etc. Although typically a sales tool, a 30,60,90 plan can be a great starting point. This defines your actions for the next 30/60/90 days and gives a snapshot of your tactical activities. I like to use this when I’m starting at a new organisation or with a team I haven’t worked with before, as it provisions for discovery and short-term wins. It’s important you balance tactical and strategic objectives well, as if you don’t show progress in both areas, you’ll be at risk of being judged as ineffectual (whether you are or not).
I hope this helps people gain some ideas of where to start as a leader. Going into leadership was the best career move I made and the most rewarding. I love discussing this topic area (I’m not just cyber cyber cyber) so please do drop me a DM if you have ideas to share or post a comment if you agree or disagree with my thoughts. In summary though, if you take away anything from this post, please remember:
Good people make good leaders. Try to make work fun and interesting.
Don’t be scared to try things out and experiment.
Talk to the teams you lead about what you’re trying to do and how you’re trying to do it.
Don’t be stingy with positive feedback!
Solicit opinion and don’t be scared of criticism, be curious about yourself.
Build your approach on experience and research, read broadly.
Work for your team and enjoy their successes.
Bonus round (and my pet hate): don't use phrases like 'my team' or 'I'll get <insert-name> to do that'. It doesn't impress anyone.