Three Perspectives On Your Second Leadership Job

Every CTO and CISO knows the first job: defend the organization. Fewer recognize they have a second job that matters even more over time: build a team whose adaptive capacity outpaces the adversary’s rate of novelty. 

As AI enables attackers to scale speed, variation, and deception, that second job is quickly becoming the first. This is not primarily a tooling problem -- it is a leadership problem.

Here are three perspectives on that second job.

What great CISOs actually build

Phil Venables, former Goldman CISO and now Google Cloud's strategic security advisor, has spent years studying what he calls "CISO factories": organizations that produce a disproportionate number of successful security leaders. His finding is counterintuitive. It's not training programs, certifications, or formal development tracks, it's the daily behavior of the existing leaders: they pay attention to detail, they go deep occasionally, they validate things personally, they understand how the business, technology, and organization actually work. That behavior propagates. The leaders who come up under them inherit those instincts almost automatically because close observation is one of the oldest forms of human learning. In turn their teams inherit adaptive capacity through sustained proximity to someone doing it well.

Why that matters more as the environment gets noisier

Gary Klein, the dean of naturalistic decision-making, is often reduced to his Recognition-Primed Decision model: experts match patterns fast. His later work is actually more relevant to cyber leadership today. His Data/Frame model describes what experts do when the patterns don't fit: they construct new frames from ambiguous data, test them, revise them, and sometimes abandon them entirely. This is sensemaking, not pattern-matching. It's what great responders do when the attack doesn't look like anything in the library. Klein's point for leaders is sharp: you can't install sensemaking with slide decks. It develops in the company of people already doing it, exactly Venables' CISO factory restated in cognitive science terms.

The leader's specific cognitive job

Brett Steenbarger's work on elite trading adds the third perspective. His core insight for leaders: your job isn't to run the best playbook, it's to know which playbook the current environment requires and to recognize when conditions have shifted enough that no existing playbook fits. He calls those "metarules" (more about that another time). His most practical observation is that frustration is information. When your team starts feeling like they're fighting their own processes, the likely diagnosis isn't morale or discipline. It's that the environment has moved underneath the standard playbook and nobody has noticed yet. The leader who hears frustration as a performance problem misses the early warning. The leader who hears it as environmental signal gets ahead.

What this means for cyber leaders

Three shifts will matter for leaders who want to remain successful in that second job.

Lead in proximity, not in abstraction. Your team's adaptive capacity is a direct function of how much time they spend watching you diagnose a weird incident, challenge an assumption, or refuse a comfortable answer. Calendar reality, which is what you spend your time on, matters more than org-chart reality.

Treat pattern failure as the real signal. The moment your team's established playbooks start producing more near-misses, more "that shouldn't have worked," more unexplained quiet, that's the environment telling you the rules have shifted. Most leaders read this as execution decay. The best ones read it as the adversary's pattern library updating faster than theirs.

Build sensemaking rhythms, not just response rhythms. Most cyber orgs have rhythms for executing the playbook. Far fewer have rhythms for questioning whether the playbook still fits. A standing 30-minute session where someone presents an incident, anomaly, or near-miss that didn't match the frame, and the team reconstructs what the right frame would have been, is cheap, high-leverage, and almost nobody does it.

Your second job is your next first job

Your first job as a leader is defending the organization with the capabilities your team has today. Your second job is building the cognitive capacity for the capabilities your team will need when today’s playbooks stop working. In stable environments, that second job can remain secondary. In environments defined by accelerating novelty, it becomes the work. The leaders who recognize that early are the ones whose teams keep adapting while others plateau.

Ask us how we can help you build a cyber leadership approach that anticipates rather than merely reacts.

(image credit: image hunter, https://www.pexels.com/@image-hunter-281453274/)