Technical Incredibility

At Pythia Cyber we understand that cybersecurity is a matter of technology and practice. In other words, you need to have the right technology to shield you but that is not enough: you need to avoid the wrong user behavior. As we like to say, eventually bad behavior beats good technology.

This means that good cybersecurity requires good leadership. Good leaders are not easy to find, but you can find them if you try, especially if you are willing to help people grow into leadership positions.

But alas! Cybersecurity is unlike most other domains: you do not need to be a domain expert, but you must be credible to domain experts. We understand that, in theory, some people are such great leaders that they could "lead anyone in anything" but we are not all sanguine about this idea being apply to cybersecurity.

The reason for our lack of faith is this: the people you lead must believe that you can lead them. Even if you could lead them, if they do not believe that you can lead them then you are unlikely to lead them well. The extent to which a group of people believe that you can lead them defines your credibility in this arena.

In my experience, there are two paths to credibility and one path to getting the job first and establishing credibility later:

1. a track record of success leading groups in similar endeavors;
2. a track record of success in the particular field;
3. a track record leading a unit or units in an unrelated field.

In the first case your candidate has already done essentially this job before, so you are confident that they can do this job now. Either promoting someone who was a great second-in-command or hiring someone who did this already are the common scenarios. This is a pretty good bet, although leading is tricky and at least as much art as science, so there are no guarantees. In either scenario the candidates technical credibility is well-established: they clearly know what they are talking about, at least to an acceptable degree, and their leadership skills are well-documented. This case is the most comforting to those doing the hiring, so this is the case everyone chases, sometimes resulting in a shocking incestuous pool of candidates pursued by a large number of organizations in whatever industry. The CISO merry-go-round if you will.

In the second case your candidate has already demonstrated superior ability to do the work, so you are gambling that they can grow into a leader. This is a surprising common gamble: excellence at doing the work really does not correlate well with excellence in leading others to do the work. This case sometimes reveals overconfidence on the part of the people doing the hiring: those people fear the domain (technology) and overestimate their ability to train people in the role (leader).The problem with this scenario is that, at best, you lose a star technical contributor and at worse you lose a star technical contributor but do not gain a technical leader. The CISO lottery, if you will.

In the third case your candidate has already demonstrated that they are a good executive: both a worthy peer and a leader people will follow, so you are gambling that they can pick up enough domain expertise to lead effectively. Given the dearth of ideal candidates in the market and the dearth of idea candidates in the organization, this is where many organizations end up.

This dynamic between technical chops and leadership chops is why Pythia Cyber bangs on about technical leader so much: people keep needing to make technical leaders out of good executives who are not technologists or good technologists who are not leaders.

Why doesn't this situation tend to resolve itself? Why isn't either option going to (eventually) result in a good technical leader? The short answer is simple: because people do not tend to try to get better at what they are bad at, people tend to try to get better at what they are already good at. The long answer is actually two long answers, one for each option.

Strong Exec, Weak Technologist

The strong executive who knows little or nothing of what it is like to actually configure, deploy, monitor and support technology in the field is going to have a hard time leading a technology group. The reason for this difficulty is what we mean by "technical credibility"--or lack of it.

In theory, a great leader does not need to know anything about the tasks done by the people they oversee. As is so often the case in human endeavors, this is plausible only when things are going well. It does not require much technological expertise to nod sagely as milestones are reached and budgets respected and success piled on top of success. The other side of the coin is problem: when things start to go wrong it is harder to just believe whatever your team is telling you and mindlessly pass along whatever explanation they give you. As a technical leader, you are expected to provide direction and encouragement and some perspective. All of these expectations are difficult to meet if you are essentially ignorant of the domain.

Why do I say that? In a still-painful example from my own life, I played basketball in high school. Our coach knew nothing of basketball; he had almost been a professional soccer player. He knew an awful lot about soccer. He was, I was told, a superior soccer coach. This did not translate into being a great basketball coach. The moment when this became clear me was while I was on the court during a close game that we were losing, in part because of our opponent's highly disciplined defense. We could not find good opportunities to shoot. As the team's ball handler, I was running yet another attack on their well-defended basket, trying to find an open teammate with a clear shot, when I heard our coach call to me from the sideline: "Score!" he shouted. Yes, I thought, that is the desired outcome. I did not feel inspired. I did not feel well-led. I felt frustrated and annoyed. A timeout and a passing play would have been useful. An empty exhortation was not useful.

Note that I am not saying things would have been better if the coach had formerly been a star basketball player. I am saying that things would have been better if the coach had actually been a good coach. Yes, if my teammates and I had been better players, better athletes, better competitors then better coaching might not have been needed. But every team eventually runs into trouble. Hoping that you team never needs leadership is not a viable strategy in any kind of human endeavor.

You need to be credible to your team because at some point leading them is going to require that you tell them what to do. Asking them what they need to do and then reflecting that back to them can work, but it REALLY helps if you can do some of the evaluating of options. Otherwise people begin to wonder why you are getting paid more then they are since you don't seem to add anything to the mix.

Strong Technologist, Weak Exec

The polar opposite is not great either. Having an intimate knowledge of what needs to be done, but not being able to do it yourself, mostly makes for a frustrated leader and a demoralized team. However you pretend otherwise, the message this sends is "I should be doing this myself, but I am forced to watch you do it and do it worse than I would have."

Having a technical whiz lead a team means that you have someone to come to when you are stuck, which is great. But what about every other moment of the day? One hopes your team is not constantly mired in dismay and confusion, awaiting rescue. One hopes that your team spends most of its time working steadily toward reasonable goals, which goals add up to the milestones that the company needs to reach. Someone needs to set up that steady march and then oversee it.

You need to be a good executive in order to run a business unit because running a business unit is as much about being a member of the management team as it is about being the leader of your unit. And all that management team membership matters. It is unlikely that even a successful technical contributor was well-trained in the fine art of being senior management. You can hope that they have a natural gift for this, or that learning by trail-and-error does not end in disaster before it yields a great technical leader. But why take that chance?

50% Credibility, 50% Management Ability

Wherever your candidate starts, you want them to end up both technically credible and adept at management. You want their direct reports to feel comfortable telling them bad news and asking for input and advice. You want their peers to feel comfortable that the IT and Cybersecurity functions are effective and cost-effective.

If you can hire the exact right person for the job, good for you (except that the ideal candidate not might stay very long if that ideal candidate hopes to grow and advance).

Otherwise, you will need to hire your best option and then support that new hire's quest to be a great technical leader. Do you wish that there was someone to help you make the choice and then support the transition? There is: Pythia Cyber. Technical leadership is our one and only focus.