Being an Aware Information Security Leader

I’m an avid hiker and have been a youth leader in several organizations over the past 20 years or so. In outdoor leadership, a core component of leadership is awareness: awareness of environment, group, and self (see “AMC Guide to Outdoor Leadership” by Alex Kosseff). As security leaders, maintaining awareness is also a critical component in protecting our company and our clients.

As an outdoor leader, I try to be very aware of the environment: everything about my surroundings that might impact the group I’m leading and me. This includes the obvious such as weather, route, etc., but also includes being very prepared. Prior to a trip, I will review maps and develop plans ranging from where to take breaks (in conjunction with finding water) to where the nearest emergency exit route is on a day-by-day basis. In security, environmental awareness includes something I refer to as the “threatscape”.

“As security leaders, it’s important to be very aware of ourselves. – Keeping a healthy perspective and keeping work demands in balance is critical to catching issues before they become incidents.”

Environmental Awareness
Being environmentally aware is split between 1) understanding the assets and resources that we as security leaders are responsible for protecting, and 2) being aware of attackers, their motives, and their techniques. This underscores the importance of IT and securities working closely together, so the security team understands what resources are managed by the company and what assets are included in the systems.

Going deeper, through things like vulnerability scans, the security team can become aware of the weaknesses in the protected systems. Combining this with threat awareness helps the team understand and prioritize security response. And just like a successful trip having a detailed map and trip plan, a successful company needs a detailed security roadmap and implementation plan. Refer to the plan often, to ensure it’s being implemented as designed. As a security leader, being dialed into the environments you protect and the plans you have made is critical to your success.

Group Awareness
Leaders in the outdoors need to be very aware of the group they’re leading. I look at the group from several perspectives, including group dynamics, individual skills, and temperament. Leading highly functional groups is generally pretty easy – if I’m taking a group of 16-18 year olds on a 50-mile hike, and the group has hiked together extensively for several years, I know the group gets along well and has the hard skills necessary to not just complete the trek but also enjoy it. But at the same time, I’m going to be watching for signs, such as the beginnings of group frustrations, weird vibes between group members, etc.

In my role as a security leader, I perform similar assessments on the groups I work with. My first assessment will be senior management – those who control budget and resources. Are they committed to security? Are they supportive of valid budget requests? Or are they looking for security checkboxes and compliance, and not really concerned about security in general? That dynamic has the highest impact on my strategy. Working with IT and development, I assess whether teams have the skills and bandwidth necessary to perform the tasks required to achieve and maintain acceptable levels of security. Where I see infighting, I will seek resolution with leaders. Where I see a lack of skills (easily demonstrated through vulnerability and code scanning), I will work with leadership to provide appropriate training or technology controls. It’s easy at times to get caught up in the thick of things, but as a leader it is important to pull our heads up and ask ourselves questions that will help us get back in tune with the groups we work with.

Self-Awareness
Finally, self-awareness is a key ingredient to successful leadership. On a long trek, I need to be sure I’m fit and taking care of myself. Am I properly hydrated? Do I have any hot spots developing on my feet? Have I eaten enough? If I’m not aware of my own situation, I’m likely to overreact or, worse yet, not notice a threat arising in the environment or among my group. As security leaders, it’s important to be very aware of ourselves. Are we so caught up in “special projects” from senior leadership that we are losing insight into the environment or the group? Are we distracted by things in our personal lives? Have we been working long hours without a break, and are we getting burned out? Keeping a healthy perspective and keeping work demands in balance is critical to catching issues before they become incidents.

There are great books on business leadership, but I find I really enjoy looking at leadership from other perspectives. With a long history in outdoor leadership, I find I can really relate to the concepts and principles I’ve applied through the years, and that I can leverage those same principles in my work environment. By working on awareness, I’m better able to detect risks and threats, and ensure the company has the highest possible level of preparedness.

Need help with becoming a more aware Security Leader? Caliber Security Partners is available for staffing, training, assessments, and road maps. Just contact us at info@calibersecurity.com