How To Lead A Cybersecurity Team: Resources And Measures



(Note: this is the second post in a series. In the first post we discussed you working with your leadership. In this post we will cover you as a leader. Later we will discuss what talents leaders need.)

We've covered ground before about leading as a new CTO/CIO. We noted these leadership features at a macro level regarding leading a cybersecurity function:

Cybersecurity can only be effective in an environment where it is a shared responsibility:

  • Cybersecurity is an enterprise function; it is not a subscription or a set of compliance rules or certificates
  • Cybersecurity at the executive level is always about trust and trust requires relationship management, not technical wizardry -- you have a team of technical wizards
  • Cybersecurity requires being comfortable both with delegation (who is responsible?) and with power-sharing (continually revising risk management plans in anticipation of new risks)

All well and good, you say. But...And...I understand that about leading a cybersecurity function -- how do I lead the cybersecurity team?

Let's start at the top. The point of being in your position is to answer the CEO's four questions: Are we focused on the right strategic imperatives? Are we operating our business effectively and efficiently? Are we optimizing our business model for competitive advantage? Do we have a plan for sustainable, profitable growth now and in the future? Presumably you will need a team to work these issues in terms of cybersecurity.

Our first observation is that hiring committees look for skills. You were hired for your individual contributor skills, probably as a cybersecurity engineer or in IT systems administration. 

As the head of IT or head of a cybersecurity program, you are going to be asked to work at things that are very different, specifically, coordinating the work of other individual contributors to protect what the organization values.

This will not be easy. As we have noted previously, while you were hired for your skills you will be fired for your personality, and giving off an aura of "I've got this!" or "Do it because I said so because I'm the boss!" is not going to make you popular when your systems are attacked. Don't think that being the CEO's niece or nephew will help you either: I have seen nieces and nephews get fired, and it's awkward.

Our second observation is that there is a science for this. We're going to give you a few resources. We at Pythia Cybersecurity can further refer you to the top experts in the world on these functions. Take advantage of our connections.

But first: whatever else you do, do not confuse "taking a [four-letter name of pseudo-personality test omitted here]" or doing a "trust fall" as team-building. Or going bowling, or doing an 'escape room' event, etc. Let me be blunt: you will not be my friend anymore if you think those are team-building events. You will look dumb. I will sneer at you derisively. You will have wasted your money and be nowhere closer to having a team.

As for your team: just because people are on your team doesn't mean they are acting like a team. Some people are not team players. Everyone needs to know what you expect, how they contribute, and how they're doing. Until you actively turn them into a team and maintain team processes, they are simply a group.

And now, resources.

Books:

If you want to get a science-based book on the subject that is not selling anything, check out this one by Scott Tannenbaum and Eduardo Salas. You will need help implementing these concepts, but Tannenbaum and Salas have summarized processes that work based on the history of team research into one book and it's very good.

If you have difficulty providing effective feedback -- most leaders, if not all, have this problem -- you should check out a new book by our friend Ken Nowack (with Sandra Mishihi). While we know a lot of excellent coaches and would be glad to recommend them (contact us!), Sandra and Ken are outstanding people in addition to being extraordinary psychologists.

Measures:

If you want to work through an empirical model of teamwork, check out our friend Gordon Curphy's Rocket Model. Gordy's model covers eight teamwork aspects including measures of perceived mission, resources, motivations, track record of delivering results, talent, norms, and the team's approach to managing conflict. It is the only empirical assessment developed specifically and solely to measure teamwork.

If you want to have an employee attitude survey-based approach, you can use Gallup's Q12. This survey is not focused per se on teamwork but instead gives the leader (i.e. you) a sense of how that leader is creating engagement. In contrast, the Rocket Model will assess what the team is doing behaviorally. Don't confuse these two measures; they're telling you very different things.

Bonus: we know people who do "employee listening" work, such as our friend, the super-cool Emily Killham. Think of employee listening as ongoing employee attitude surveying with action planning and outcome monitoring. Again, this has a different goal than something such as the Rocket Model.

We at Pythia Cybersecurity have our customized Behavioral Analysis of Risks to Cybersecurity (BARC). The BARC is specifically developed to assess team and organizational functions related to cybersecurity, whereas the other materials we've discussed cover aspects of teamwork or engagement in general.

These are different approaches and tools, each with their strengths and limitations. 

You must take team-building seriously. Because there are different approaches and different tools, you need an expert to help you decide on what's best for you and your situation. Ask us how we can help you work through your team development and leadership needs. The worst that can happen is that you'll become a better leader.
