April 6th, 2018
Chad Boeckmann, Secure Digital Solutions
A security program, as it evolves and matures, will typically experience four types of leader personalities. These personalities may even occur within the same individual if that individual adapts to the maturation of the business and molds the security program simultaneously.
I believe these leaders can be categorized into four types:
- Auditor
- Technologist
- Hero
- Business Leader
The first type of leader is the auditor. The role of the auditor is purposefully designed to be tactical. The security leader in the auditor role is primarily focused on control measurement and compliance. The resulting security program is typically built and managed around complying with regulatory requirements, and budget and resource decisions are made with the purpose of meeting those requirements. This approach isn’t surprising considering the long history of Information Security, in which countermeasures were frequently driven by the need for controls to protect information. As such, many security programs begin with compliance as the initial driver for building and maturing information security, making them tactically effective but strategically immature, due to the fact that some never move beyond this stage.
The next type of security leader personality – the one that we most commonly see – is the technologist. The security leader in the technologist role has a keen focus on technical testing, monitoring and response, and a primary focus on tools to automate controls. Typically the security leader as a technologist takes pride in building out operational security capabilities and leveraging leading-edge products and services. Every modern security program must have a strong security technologist leader. However, caution is warranted against spending the majority of the program's time in this single discipline. Implementation of leading automation technology must also be accompanied by well-defined processes and plans. Oftentimes, these processes are defined after tools are selected; instead, the reverse should be the case. Processes and plans that meet the business objectives, and that inform technology decisions to automate key processes, must be defined before technology is selected and applied.
The next type of security leader personality is the hero. The hero is generally the type of leader who will focus on response and detection because the company has recently experienced a negative cyber security event. Oftentimes the hero approaches the role with the mindset “they hired me to build it,” which can have both positive and negative effects on the organization. The positive implication of this personality is pride and ownership for achieving outcomes. The flipside of this trait can be spending countless hours of staff time building tools that already exist within the marketplace.
The fourth security leader personality is the business leader. The business leader personality has only recently benefited from discussion in the community. A security leader fulfills this type of role when they focus on managing the security program like a business within the business. Being a modern-day security leader is challenging, as they need to understand technology and controls while simultaneously having the right team (staff and partnerships) in place to respond adequately in the event of a negative cyber event. The business-minded security leader understands that, to be successful, they must rely on others within the business and have strategic partnerships with firms outside of their business. Additionally, business-minded security leaders measure performance and do not rely on the less-effective approach of FUD (fear, uncertainty and doubt) to communicate the performance of their security initiatives to executives. Instead, they focus on aligning with and enabling the business objectives while raising caution when situations require it.