If you have made your way to this article, you are either interested in cybersecurity as a future career option or looking to grow towards future leadership opportunities as you progress your knowledge, skills, and expertise. This article includes insights from my own observations and experiences through both the corporate and consulting sides of cyber. I’ve had the pleasure of working for some really great and not-so-great leaders. I value my time, insights, and learnings with all of them. I believe that experiences with leaders you want to model your behaviors against and take different approaches from are equally valuable in your leadership development.
Cybersecurity offers various challenges and opportunities for professionals who want to make a difference in protecting their organizations and customers from cyber threats. With that said, motivational fit is one of the biggest indicators I’ve seen of near and long-term success for individuals I’ve worked for, with, and around. Being a protector/defender for an organization is much different than many roles you could choose in a company. The passion for protecting others, company information, or operations isn’t like marketing a good or service (although I’ve found plenty of opportunities for creatives in cyber!).
I’ve known some great leaders that came into cybersecurity “by accident,” but they likely didn’t stay in the field by accident. Many early cyber leaders emerged from very technical infrastructure-focused roles, as early information security programs (or elements before cyber was big enough to warrant a full program) were buried in infrastructure departments. Additionally, security from past decades focused more on networks, servers, and firewalls, and protecting the perimeter of this ecosystem was all that mattered.
Times have definitely changed along with the threat, technology, and business landscape. In today’s virtual, complex, multi-device environment, it is much easier to find exposures in human defenses and cloud technology, whether through social engineering or through overconfidence in cloud-hosted IT services being “secure” out of the box (see hundreds of public examples of exposed S3 buckets).
The shift to remote work or “work anywhere” capabilities has shifted what needs to be protected and how to accomplish the proper levels of protection.
With all of these changes, the leadership needs and expectations have also shifted. These needs also require leadership skills, business acumen, influence and ability to “sell” ideas, and strategic thinking to be successful.
Regardless of where you are in your cyber career (aspiring, early/mid-career, or beyond), if you are interested in growing your leadership skills in cybersecurity, we can all stand to improve and further develop our leadership skills. We also need to reduce the stereotypes or perceptions of cyber leaders being overtechnical, niche, and narrow-focused through our actions and examples of effective leadership and business-enabling partnership.
- Identify the type of job you want or are suited for.
Cybersecurity is a broad field that encompasses many different roles and responsibilities. Many roles include a mix of responsibilities across cyber domains (especially at smaller organizations). However, for simplified thinking for cyber career prospects and early career entrants, there are four types of roles:
– Technical: These roles involve hands-on work with security tools and systems, such as penetration testers, security engineers, security analysts, red/blue team members, tool/technology deployment analysts, etc.
– Operational: These roles involve managing and overseeing security operations, such as SOC analysts, threat analysts, vulnerability risk management analysts, security operations managers, etc.
– Governance/Risk: These roles involve setting, managing, and enforcing security policies, processes, standards, and strategies to link with broader enterprise risk functions. Roles include risk analysts, security auditors, consultants, architects, etc.
– Leadership: These are the roles that involve leading and influencing security teams and stakeholders, such as CISOs (Chief Information Security Officers), CSOs (Chief Security Officers), BISOs (Business Information Security Officers), security advisors, etc.
To find out what type of job you want to experience or are well suited for, you should consider your previous experience, skillset, interests, and goals. Many free resources online can help you explore, learn, and further develop your education.
You should also talk to professionals in different cybersecurity roles and learn from their insights and experiences. Ask to shadow them for a day or afternoon. You can find them at events, online communities, podcasts (I host one called Simply Solving Cyber with Cody Rivers), blogs, etc.
I like to spend time with mentees and individuals who are early in their journey, building career maps and helping to think through options and career paths to get them where they want to go.
- Be willing to experiment and learn from your mistakes.
Cybersecurity is an ever-changing landscape and profession that requires constant learning and adaptation. If you settle into your existing knowledge base, you will be destined to be left in the dust or pitch outdated concepts. Instead, you should always be curious and eager to learn new things and improve your skills. You should also be honest and transparent about your strengths and weaknesses and seek feedback and guidance from others. If your experience has been primarily technical, perhaps get a mentor in another business function or take a class on finance/sales.
One of the best ways to learn and grow in cybersecurity is to experiment and try new things. You can do this by taking on new projects, challenges, or tasks that push you out of your comfort zone. Some of my best roles along my corporate journey were cross-functional roles reporting to other functions (audit and Six Sigma).
You can also participate in competitions, hackathons, or capture-the-flag events that test your skills and knowledge. For example, I had the pleasure to help design a 2-day case challenge for a university that allowed students to showcase technical, business, and influence skills in coming up with solutions.
Of course, experimenting also means making mistakes and failing sometimes. But that’s okay. Mistakes are inevitable and valuable learning opportunities. I once watched an HR department senior leader share a personal story about how he clicked on a phish, and it opened his eyes to his own and others’ susceptibility to this. The following month, the results of his department’s ethical phishing were more than halved. I know that this was driven by his humility and transparency in making a mistake so that others could learn.
The important thing about mistakes is to learn from them and not repeat them. You should also share your lessons learned with others and help them avoid the same pitfalls.
According to a 2021 report by IBM Security that is pretty universally referenced, 95% of cybersecurity breaches are caused by human error. This means there is a lot of room for improvement and learning from mistakes in cybersecurity. Cybersecurity practitioners are not immune from them and can learn from them.
- Follow influential thought leaders and learn from the best.
Another way to grow your leadership career in cybersecurity is to follow influential thought leaders in the space and learn from their insights and expertise. These are the people who have proven track records of success and impact in cybersecurity and who can inspire.
If you work at a large company, consider finding a mentor outside of cybersecurity or technology. These individuals can give you perspectives about learning the business you operate in and diverse ways of seeing potential parallel challenges from their perspective.
- Take care of yourself.
Fatigue, burnout, and mental health issues can affect performance and happiness. Unfortunately, the cybersecurity profession is known to have the propensity to create these issues based upon the 24/7 realities of protecting a company and dealing with significant matters where time is of the essence to a company’s future livelihood.
That’s why taking care of your mental health and looking after yourself physically and emotionally is crucial. You should practice self-care and do things that make you feel good and relaxed. Some of the ways you can do this are:
- Get enough sleep and rest. Sleep is essential for your brain and body to function properly and recover from stress. Aim for at least seven to eight hours of quality sleep every night, and avoid using your phone or computer before bed. Burning the midnight oil to push through a work challenge may happen occasionally, but if it has become the norm, you might be on the cusp of burnout whether you know it yet or not.
- Exercise regularly and eat healthily. Exercise can boost your mood, energy, and immunity and reduce stress and anxiety. Try to do at least 30 minutes of moderate physical activity several days a week and choose activities you enjoy. Also, eat a balanced diet. Leave the days of pulling all-nighters with a can of Mt Dew and some pizza behind you when you can!
- Evaluate opportunities like meditation and mindfulness to help you calm your mind, focus on the present moment, and cope with negative emotions.
- Seek professional help if needed. With the statistics in cybersecurity around mental health, you must get the proper support and care when needed. Getting professional help isn’t as taboo as it was. When you have NFL football players talking about seeking help (insert campaign name), you can rest assured that no one should be “too tough” to go it alone.
- Document your experiences and build a portfolio of your achievements and skills.
One of the challenges of growing your leadership career in cybersecurity is showcasing your value and impact, whether to potential employers, for opportunities within your company, or when marketing yourself to clients (if you are on the consulting side). You may have done amazing work in cybersecurity, but if you can’t tell the story or communicate it effectively, you may not get the recognition or opportunities you deserve.
I’ve personally created an “experience map” throughout the years to show what I’ve done and the skills I’ve built throughout all of my roles and jobs. I’ve shared this model with mentees and found it much more valuable than a resume. I like to fit it on a single page and hit the highlights, which can be super helpful in remembering things and helping you visually tell your story.
- For Current/Aspiring/Future Senior Leaders in Cybersecurity
If you desire to be a leader in cybersecurity, think through your motivational fit (what is driving your interest). In my own experiences, I’ve found some of the best and worst leaders in cybersecurity had some specific traits and motivators.
Attributes of the Best Cybersecurity Leaders
- Lifelong learner
- Not afraid to make mistakes, learn from them, and share with others what they can learn from them
- Balance of technical and non-technical business interests and abilities
- Committed coach and mentor of others with an intentional focus of spending time to grow others professionally – with the humility and sense of achievement to perhaps one day work for the person that you have groomed
- Creates safety and a thriving environment (for anyone that wants to and is willing to do the work) to be successful
- Individual that wants to surround themselves with intelligent and diverse individuals that they can learn from
Attributes of the Worst Cybersecurity Leaders
- Begrudgingly checking a box on a career map toward other senior leadership opportunities
- Individual that has to be the smartest one in the room
- Overly technical-focused mindset where buying, turning on, or spending significant time deep in technical support is a primary driving force and focus (vs. broader leadership acumen, business knowledge, influence, building processes, and enabling people)
- Creates an overly competitive and hostile work environment where individuals feel afraid to speak up or be wrong without it coming back to bite them.
Find, work for, learn from, and become the individuals from the first list.
Avoid working for and don’t become the individuals on the second list. There are some really talented and intelligent people that check a lot of boxes here, but they have no place in senior security leadership (along with all the leadership roles leading up to that).
Hopefully, this advice is helpful to you wherever you are on your journey. We can all learn from one another. Remember, if you don’t think you have anything else to learn, you might want to check which “list” you are on and potentially find a different career that will challenge you more.