A CYBERSECURITY PERSPECTIVE FROM DR. IZUAKOR, A CYBERCULTURE HACKER
What does leadership mean to you from a cybersecurity perspective?
When it comes to cybersecurity, it seems as though there is always a fire to fight. Whether it is a new vulnerability impacting the company, the risk of failing an audit, the doomsday realization that the company has been breached, or something as unprecedented as a global pandemic that brings nations around the world to a halt, leading in such a high-risk environment is not an easy feat.
There are many leadership skills that are helpful in fast-paced industries dealing with cybersecurity, which is every company nowadays. Generally, it requires passion, dedication, authenticity, patience, and most importantly the ability to inspire. Beyond these fundamentals, there are four traits that stand out to me as the most critical when leading in cybersecurity.
The first is prioritizing the protection and safety of human beings. Almost every security team out there is short-staffed right now. There are more open jobs in the security industry than people to fill them. Those who work in the industry today are often going above and beyond to secure and protect their companies from growing threats. Throw an incident or breach into the mix, and it just gets worse. Before focusing on anything, focus on understanding and supporting the people involved. No matter how important work is, it should never be done at the expense of a person’s health, safety, or family.
The same applies to end users. Despite the current slowdown happening around the world, end users generally move at a fast pace and are overloaded with information. People quickly navigate through constant emails, texts, social media, calls, travel, and more. It can be difficult to slow down and pay attention to detail. This fast pace is what attackers take advantage of as they trick unsuspecting individuals into helping them carry out attacks. By getting an end user to click on malicious links guised, for example, as pandemic support information or other news, they get one step closer to breaching security. Again, prioritize the human beings in this situation. Seek to understand what their motivations, goals, and priorities are and help them get there in ways that are secure.
The bottom line is that whether you are a leader dealing with end users, cybersecurity professionals, or another group — as a leader, the biggest priority should be starting by taking care of the human being in the equation.
Beyond that, the additional traits are being able to anticipate and articulate risks, being prepared for the unknown, and getting really good at inspiring people to walk through uncharted territories with you. The only thing constant in cybersecurity is change. There is always a new attack, a new vulnerability, or something new we did not think of before. I think a great leader is good at anticipating what could go wrong, to the extent possible, in order to manage those risks. Sometimes this means putting on the hat of an attacker and seeing things from your offender’s perspective. This is why conducting penetration tests and other offensive security programs is important.
Leaders also have to be prepared for the unknown. This is not just about zero-day attacks in the security industry. There are simply unimaginable threats that arise as technology advances. For example, the world is embracing the power and value of artificial intelligence, autonomous vehicles, e-enabled medical devices, and more. As security leaders, while these advancements are great, we have to think about all of the bad things that can happen if one of those devices is hacked. We have to think about how attackers are leveraging artificial intelligence to attack us in more sophisticated ways. We have to look beyond the positives and find what can go wrong. It can be taxing on security professionals to constantly look at things from such a pessimistic perspective, but it is in that perspective and the awareness that it brings that we can find optimism in finding a way forward. And, as a leader, you have to inspire your company, team, customers, and key stakeholders to trust you every step of the way. Talk about pressure.
How has your background and experience prepared you to lead?
Ah, where do I begin? Everything I have ever experienced in life prepared me to be a leader. Three elements that were the most important in helping me prepare are the amazing people I have worked with throughout my career, being an eternal student, and starting from the bottom.
Role models, mentors, and the power of diversity
Over the last decade, I have had the honor of working with some of the greatest security professionals in the world. Seeing how experts from different backgrounds approach security has given me such a broadened view of the industry and the true value that diversity can provide. I have also been blessed with critical mentors and role models both within security and beyond. I cannot begin to name the list of leaders who believed in me early on, took a chance on me, and gave me the opportunity to not only learn from them, but lead others. Mentors and role models matter! In addition, through over seven years of formal security education, I have studied and worked with amazing academic leaders across the industry. I have seen firsthand the need to balance learning in academia with real-world experience to produce well-rounded security professionals. Lastly, as a cybersecurity culture and engagement expert, I spent the majority of my career focusing on educating and inspiring people from different backgrounds and walks of life within organizations to care about security. This helped me immensely.
Being an eternal student and educator
In my spare time, I am a graduate cybersecurity professor. Doing this means I have to stay up to date with the latest trends in the industry, and break them down well enough to explain them to students. Ultimately, this makes me an eternal student, which I believe is critical for any security leader. Curious students also ask a million questions, which forces me to listen and help increase understanding no matter how tough the question is. It is not too different in a boardroom or in other settings. As a security leader, you are the expert and stakeholders will ask tough questions you must be able to answer. During a crisis, like an incident or pandemic, this is an important skill to have. Whether it is your board, your team, your customers, or a news reporter — people want answers.
Starting from the bottom
I started in the industry ten years ago as a cybersecurity intern. Early in my career I was in the trenches going through hundreds of thousands of incident alerts, weeding out false positives, and investigating potential data leakage from the real alerts. I went on to do the same in other cybersecurity domains such as vulnerability management, social engineering, auditing, and more. As I began to lead others, this experience gave me a certain appreciation for and ability to empathize with the teams I have led. One of the most demotivating things a team can face is working for someone who is so far removed and disconnected from the reality of what you do that they cannot effectively lead you.
Unfortunately, this is a position many leaders land in. Due to the new and budding nature of the industry, cybersecurity executives leading today usually have transitioned into the industry from another field. They may not have had the opportunity to start on the front line. This makes focusing on people even more important. No matter where you start, it is important to get in the weeds a bit even if just in the beginning and truly understand “a day in the life” of the different security roles — especially the ones you have never done before.
Starting from the frontline of operations and knowing what it is like to struggle through the tasks your team does will put you in a better position to empathize and make good decisions. That is something I could not learn in school. I had to learn it by doing the work.
When disaster strikes, what advice would you give to leaders?
Focus on health and safety, before anything else
I might sound like a broken record at this point, but people first! The safety of people should always be the number one priority. Depending on the circumstance, different approaches may be required. For example, the way you lead through a pandemic may be slightly different from the way you lead through a global health scare. In the event of a significant technology incident or breach, you want to act quickly to triage and contain the impact, and then work to do damage control and bring things back to normal. This could mean days, weeks, or months of long hours and hard work in an absolutely chaotic environment. This can be very taxing on tech teams, making the “people first” mantra important here. Make sure that people are putting their health first, taking time to rest, caring for their families and more.
The same applies in a pandemic or natural disaster. The security industry does not have the option of hitting pause during these events, otherwise consider it a dark web field day. Not only do attackers continue to try and breach security during these times, their efforts often increase. For example, during the coronavirus pandemic, phishing attacks saw a 40% increase. The work will get harder during these times, and it is important to support people through it.
Communicate like your life depends on it — it just might
Generally, during a crisis, people understand that there is uncertainty. However, that uncertainty can lead to added stress and panic, especially when enough information is not being shared. It is important to be open and honest with people. Share what you know and overcommunicate to ensure the message is heard. Be honest about the things you do not have answers to yet. People can be a lot more understanding when they know that you hear their concerns and are trying to address them, rather than feeling ignored.
Priorities will likely shift, be prepared
It is important to define priorities during crisis, as they will likely need to shift. If there are new directions or new priorities teams should be focusing on, make that very clear and be conscious of the things that may be put on hold as a result. Another highly demotivating thing that can happen during crisis is for leaders to ask people to put “all hands on deck” to solve an issue, and then hold people accountable or punish them for neglecting other areas unrelated to the crisis. While it seems like common sense, unfortunately, I have had it happen to me before, and it was dreadful to navigate. I was able to see, however, that the leader did not have bad intentions. They were just so stressed out and on edge with the crisis and trying to hold everything together, that they did not stop to think about the tradeoffs the team would have to make.
Lead by example
Dealing with crisis might require heavy sacrifices. For example, it could be spending a weekend in the office working to address a ransomware attack and bring systems back up. Or it could be taking a pay cut because the company has been impacted by a global economic downturn. In either case, leaders who walk the walk and sacrifice first before ever asking others to do so command much more respect and loyalty. It is kind of hard to explain to your team how they are all taking a reduction in pay to save costs, while their leaders are all getting big bonuses at the same time.
Never waste a crisis
There is always a lesson, no matter what. During the pandemic, for a lot of companies the lesson highlighted here is the need to have a good contingency plan in place. Incident response, disaster recovery, business continuity, and more can make all the difference in how well a business fares through a crisis. Some companies planned for how they could set up remote worksites and alternative office locations in the event of a natural disaster, but many had not planned for a scenario where workforces must be fully remote. Many businesses had not planned to make their companies or services completely virtual. All of these changes are lessons and opportunities to continually improve and prepare for the way the world will likely continue to operate for quite some time.
How do you keep people motivated and engaged through rough times, especially when it comes to cybersecurity?
Beyond the points mentioned above, just listen to people and do what you can to help them feel heard and understood. During a crisis they are likely concerned and stressed. Though not always the case, often people do not need answers right away, but are seeking to at least be heard.
Make people a part of the solution. Sometimes we do not realize the goldmine of innovative minds and talents we have all around us. As leaders, instead of relying on yourself or someone with a certain job title or role to come up with a solution that is pushed down, get others involved. For example, I have seen many organizations post a challenge and solicit ideas from their larger employee population on the best ways to address it. The best ideas get upvoted and they work towards those. Whether it is a strategy for how you plan to win your customers’ trust back after a major incident or asking employees to share their tips on how they are dealing with the current pandemic, for example, it makes people feel a little bit better when they are contributing to the way forward. They are no longer sitting back helplessly.
Lastly, pay close attention to how eminent risks are evolving in association with your business and find engaging ways to educate stakeholders on what can be done to mitigate the risk. For example, phishing attacks are up. Share engaging tips and tricks to help people identify them.
Leading through crisis can be difficult; however, within the cybersecurity industry it starts to feel like the norm. You cannot go wrong by putting the safety, health, and sanity of human beings first. That is my guiding principle as I weather any storm.