Leading Means Doing

Phil Venables' new post, Do you really know what's going on?, caught our attention from the start (quoting at length):

Most leaders do not know the actual truth of what is happening. This is not because people are overtly hiding things or that leaders are ineffective, although sometimes it is both of those, but rather this is because of the “thermocline of truth” that I covered in this post. Organizations are full of cultural, structural, process, and other barriers that stop reality making its way to leadership. 

When you started out in your career you probably felt constant frustration that the “higher ups” had no clue about reality on the ground. Even today, you probably feel frustrated that peers in other organizations are clueless to the reality you know, or even in many cases that you know their teams know but are failing to push up to their leader. 

When you become progressively more senior it’s easy to forget this experience and get in a position where you believe you know everything because you sit in the project update meetings, the risk committees, or read the status reports and other summaries that have been carefully curated to please you. 

As Phil says and as we emphasize, leading means doing. Oh sure, checking logs is not in your job description and no you probably don't stand the watch in the SOC. And absolutely, "you sit in the project update meetings, the risk committees, or read the status reports and other summaries"...next words..."that have been carefully curated to please you."

Leadership is not for everyone. It's full of meetings, and dealing with non-technical people, and fighting for budgets, and politics, etc. 

You can burn out at all levels -- leader, manager, individual contributor. We'll discuss this another time but the key differences are in what burns you out and how you cope with it. As an individual contributor/cyber engineer you may find that the constant change, constant attacks, and constant monitoring (and incursions of AI) are wearing you out. As a leader, you may burn out on the nontechnical stuff.

None of that will change.

However, a very significant differentiator for leaders is that what you do creates the business culture expectations for your line of business. For example, what type of workplace do you want your people to have? What type of pace should they expect? Maybe, and this is kind of the dirty secret of business culture, the culture is shaped by the worst behavior that you permit.

Your culture is going to shape your people's expectations, and through expectations, their behavior. If they find out that you act as if you are detached, distant, someone who likes curated reports, then you will become someone who really doesn't know what's going on.

That's bad for security.

Phil sums it up:

"It’s vital for security, and risk management overall, that leaders ensure they are getting accurate and timely information about projects, issues, risks and that they create a culture, through deliberate action, that can bust through the thermocline of truth. A great way to do this is the personal experience of hitting the road and walking the halls of internal facilities, suppliers and customers. Personally experience your products and services pre- and post-release, not just external but all the things you inflict on your organization as well."

Ask us how you can lead from the floor.

(image credit: Viv Rolfe, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)