Interview: The role of curiosity in security leadership

How it helped one CISO shape his security strategy


An inquisitive nature can help a security leader navigate and mitigate the challenges of modern cybersecurity.

You sit down to learn the intricacies of yet another new tool, but it's based on a technology you're not familiar with. You reach out to your colleagues, and there's nobody available to help.

If that sounds familiar, you probably work in cybersecurity - where automation is high, alerts are constant and, ironically, there aren't enough people to handle either.

James Packer, who has just left his post as head of information security at EF Education First, says he had to take on people who require "investment, training and development" to get them to an appropriate level.

[Image: James Packer]

"A lot more of my time, in years gone by, has been spent working with and enabling and supporting the team than it has actually being a security practitioner."

James worked hard to understand how best to handle learning and development for everyone on his team - both to help them and to free up his own time.

The breakthrough, he says, was realising that "learners have to have the freedom of choice to own their learning journey... If you try to push things on people that they're not gravitating towards, that is not going to work, they're going to end up very unhappy."

That doesn't mean new starters should guide their own training entirely, but as a manager you need to be aware of how each person learns. Some might get value out of a formal, classroom-style course; others will respond better to networking and self-development.

"I provided my team the whole spectrum of ‘here's the formal training path, if you want it for your role. These are the types of certifications and learning journeys that are normal.’ Not, ‘these are the ones you have to follow’, but ‘these are the normal ones’, to help provide them some guidance.

"If they want to go down a formal route, they want to book an exam, they want to do a training course, great, let's follow that and let's do it. But at the same time, if they don't learn that way, provide them easy access, low friction ways to learn."

James cites examples. Sites and apps like Discord and Reddit can help junior staff learn from each other without touching your security budget. On-demand platforms, where new starters can access written and video tutorials when they need them, can also be useful.

"That is true on the job learning," he says.

Worldwide recruitment

In an international business like EF, recruiting and managing cybersecurity staff in the first place can prove challenging, though.

"The team spans across four continents... You can't always get to the real aspirations, the attitude of a professional, when you're doing remote interviewing. It's [also] difficult to manage people remotely - face-to-face time is very important."

James changes his interview approach depending on both the role and the market. Is the person he's interviewing going to be in a relationship-building position, or will they be more analytical? If it's the former, a face-to-face interview is more appropriate; for the latter, a remote meeting is probably fine, with tasks and exercises as part of the process.

Similarly, where are they based and where will they be working? Is labour supply in the country very tight, as in the USA, or are there plenty of people to fill technical roles, as in India? What is important to security professionals in that market? What are the typical benefits?

"You need to focus on the key skills that are the most important and augment your interview process to be able to really get that information."

Disruptive changes

Recruitment and retention aren't the only challenges facing the IT market. The other major obstacle is "responsiveness to new trends and new technologies," which James identifies as "disruptive."

Although he is careful to avoid buzzwords, it's clear that there is one particular technology on his mind. But it would be a mistake to fixate on just one and ignore other new developments; doing so risks blind spots.

These two hurdles, hiring and new technologies, play into each other. Fully staffed teams are better able to respond to threats, while understaffed units are likely to lack the knowledge to do so.

"The ability to understand the situation and react in the best interest of the organisation, quickly, is difficult when the landscape is quite so diverse."

The key, according to James, is to "lean in."

"You can't be an expert in every single thing, but you've got to be curious," he says, warning against "burying your head in the sand" and waiting for someone else to say, "This is the right approach." Doing so risks "missing an opportunity, because all of these disruptive technologies and trends are opportunities."

Too many security practitioners see new developments only in terms of threats and risks to be guarded against, instead of something they can use to their advantage. "Not just its advantage to you as a security function: the advantage to the business, and how by leaning into it as a business function, you're showing that you're relevant."

You don't need to understand every new development at the level of a forensic scientist, but you should at least be aware of it and of how it could affect your team and company in the future. Ask questions. Think about governance and a centre of excellence. Even better, identify a team to get involved.

"Be willing to lean in from a responsibilities point of view and say, ‘I'm being a responsible business function,’ by asking these right questions and encouraging action that is proportionate and relevant for the business."

At the end of the day, 'ask questions' is good advice, whether you work in cybersecurity or not.