Are You As An Infosec Leader Ready To Sit At the Executive Adult Table?

Opinionated Security
CISO & Cyber Leaders
Feb 25, 2021

So, information security finally has a seat at the same table as the other executives. That seat is at the metaphorical adult’s table and the invitation has been opened at many organizations now. We, as infosec practitioners, asked for that seat and, in many ways, the potential reputational and regulatory consequences of operating in today’s threat landscape demanded that a seat be opened. But are we ready?

That seat at the adult’s table represents recognition that we are ready to join a set of other executives who, like us, also have really hard problems to solve. Perhaps not security problems, but still relatively undefined and hairy problems that, without being successfully addressed or managed, likely could result in serious operational, financial, or regulatory impacts. In other words, every part of the organization has to work together in order for the company to succeed.

Like any table for adults, those invited may need to adhere to a certain set of table manners and expectations that vary by organization. The following should be obvious to most:

  • You’ll be expected to know and describe your infosec program in strategic terms (where it’s come from, where it is today, and where it’s headed)
  • You’ll be expected to understand and communicate the operational level details of your infosec program (goals, roadmap, current state, resources, and gaps)

So far, so good — right? We may have lost some percentage of aspirants for the adult table but I think that many cyber practitioners have read the above points and believe that they are ready.

Let’s continue…

  • You’ll be expected to understand, plan for, and negotiate likely impacts of all of the plans and programs led by other table members and, conversely, understand, plan for, and negotiate the impact of your plans and programs on all of theirs.
  • You’ll be expected to define success and achieve the results for which you have set expectations with other table members especially when there was some resourcing, timing, or other cost to their own plans and programs in order to set the conditions that enabled your ability to begin execution.
  • You’ll be expected to successfully negotiate and garner the necessary headcount and other budget resources for the infosec program despite the universe of organizational-wide requests often far exceeding the pool of available resources for a given year.
  • You’ll be expected to ensure that the resources you garner are applied in a way that not only aligns with the objectives of the business, your infosec strategy, and your risks, but also are coordinated so that they are in place when other infosec leaders on your team need them, the larger organization begins shifting to a new business strategy, or recent changes to the threat landscape require them.
  • You’ll be expected to recruit and retain the best candidates with the most growth potential for infosec roles on your team regardless of whether they mirror your own physical traits, personal traits, or your own personal career trajectory.

Hmm. A bit more complicated, right?

In my view, we don’t have much thought leadership around developing Director-level cyber leaders, who have most often focused on alignment with security frameworks, into the infosec leaders that we need to be ready to assume that seat at the adult’s table. I’d be surprised if many of the infosec readers of this post had actually previously considered any subset of the second set of points above. Perhaps they have. If so, we are better than I thought.

Part of the problem stems from having confused so many important things at the industry level that prevent our senior infosec leaders from growing into being successful at the adult’s table before those skills are required.

  • We’ve confused security frameworks with business strategy
  • We’ve confused security technical prowess with security leadership
  • We’ve never defined as an industry what success looks like as an infosec organization
  • We’ve confused “security as the only important organism” with “security as a living interdependent part of a larger business eco-system”
  • We’ve forgotten that we as leaders need to set the conditions to retain our best talent in order to be successful over time

As a result, we tend to simply dust off a new resume when we don’t find success and move quickly to a new role, carrying the same issues and poor leadership traits with us. That approach has become preferable to looking inward and understanding what skills, leadership attributes, and methodologies need to be improved. Social media only encourages this approach.

While there are indeed some number of adult’s tables that are truly toxic, most of the time it is ours to own. We haven’t learned the table manners or expectations thrust upon us. We need to learn, internalize, and take ownership of the skillsets needed to be successful at the adult’s table. As pointed out above, the skills that made a cyber practitioner successful from individual contributor to director level aren’t the same skills that will make them successful against the standards set forth at the new table at which they’ll sit.

Once learned, these skills can be successfully applied anywhere.

Are we growing a pipeline of cyber leaders that are learning to think, communicate, and act like the others solving hard problems at the table?

If not, why not?

Asking for a friend….

For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1

You can also find more of my previous content at the “CISO & Cyber Leaders” publication on Medium: https://medium.com/ciso-cyber-leaders

Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development