It’s easy for cybersecurity leaders to get so caught up in the day-to-day of making sure teams are delivering and risks are being managed that the opportunity to prepare those same professionals to become the next generation of leaders is missed.
But with cybersecurity now firmly positioned as a business-critical function, more CISOs are starting to turn their attention to developing future leaders. While many CISOs came up through the ranks learning on the fly, leaders today are taking on a more intentional and often personal approach to training tomorrow’s leadership pipeline.
“I think there is a point in your career as a leader where it is healthy to hit the pause button and really reflect on your lessons,” says Yassir Abousselham, founder of Silicon Valley Cyber and former CISO at Splunk and Okta. “But also start to inquire with your peers about their own lessons.”
Abousselham explains how much of his own leadership experience was shaped by learning on the job, learning from mistakes, and observing what worked and what didn’t. He points out that while there are plenty of technical training programs in cybersecurity, few focus on helping cybersecurity professionals transition into leadership.
But even with experience, he stresses there’s an “art” to developing the leadership skills of others. Abousselham says CISOs need to be deliberate about nurturing leadership in their teams, and to do so fairly. “You need to make sure you’re cultivating and investing in the growth of every member of the team, without showing up as favoring one specific team member,” he says.
He explains that the process starts with mapping a team member’s strengths and identifying areas for growth across a range of skills. He highlights the importance of scheduling regular one-on-one sessions with team members focused solely on career planning and professional growth.
In one case, he mentored a leader who struggled with public speaking. Instead of avoiding the issue, Abousselham made it a personal challenge to help him grow, gradually increasing his exposure to speaking opportunities, offering frameworks for structuring ideas, and guiding him in how to approach an audience.
“Part of it is trying to push the limits and not taking ‘no’ for an answer,” he says. “If you see that a skill is extremely important for the growth of a leader, then make it a priority. Put a target around it to make sure that they continue progressing on that skill.”
Bring structure to leadership pathways
While Abousselham champions a personalized, hands-on approach to developing talent, other CISOs are building more formal pathways to support emerging leaders at scale. For PayPal CISO Shaun Khalfan, structured development was always part of his career. He participated in formal leadership training programs offered by the Department of Defense and those run by the American Council for Technology. He now applies those insights to building PayPal’s cyber talent pipeline, with a particular focus on developing female and mid-career leaders, supported by a mix of formal and informal internal programs.
“How do we ensure that we’re creating avenues and opportunities to develop female leaders throughout organizations … and coaching them on how to use their voice,” Khalfan says.
Khalfan believes leadership development must reflect the reality of modern cybersecurity, where technical credibility is no longer enough. He points out that security leaders must now engage with all parts of the business, including at the board level.
“I would submit that, especially in cybersecurity, which for many years was seen as a back-office, technical engineering function, it’s only recently that the CISO has become a business risk leader,” he says. “Cybersecurity is now one of the top three risks for most companies, it’s no longer just about engineering or governance and risk. It’s risk across the company, and it requires working closely with business partners … which has necessitated the need for proper [leadership] training.”
Structured development is also happening inside companies like the insurance brokerage firm Brown & Brown. CISO Barry Hensley supports an internal cohort program designed to identify and grow emerging leaders early in their careers. “We look at our – I’m going to call it newer or younger – employees,” he explains. “And if you become recognized in your first, second, or third year as having the potential to [become a leader], you get put in a program.”
The program, according to Hensley, brings together a cohort of 20 to 30 teammates who meet monthly with the CEO, work on real-world business problems, and receive mentorship from guest speakers. Participants also attend company events for professional development throughout the year. This is in addition to other leadership development programs at Brown & Brown, including an enterprise leadership development program that is open to employees for enrolment and other nomination-based programs.
Leading versus managing
A former US Army officer, Hensley sees leadership development not just as a way to build continuity, but as a reflection of organizational health. “I look forward to the day that somebody fills my shoes,” he says. “You know you’re successful when you’ve worked yourself out of a job.”
He believes great leaders are shaped by the people they surround themselves with and by having strong role models early in their careers. “I tell people all the time that you ought to be invited and be inspired by the people you work with and for, and you ultimately ought to get an understanding of the type of leader you want to be and the type of people you want to work with based on role models you have.”
For Hensley, there’s a distinct difference between good leadership and management. He says a leader “inspires and motivates” while a manager focuses on accomplishing tasks to drive efficiency and scale, and doesn’t often take the time to become an effective leader.
“A manager does not often get invited to a special moment of a teammate’s life, for example, a wedding or graduation, but if they’re a leader, the teammate would be honored if they could participate in the memorable event as their sincerity is true,” he says.
Run human-focused programs
At Ouellette & Associates, leadership programs are tailored to building the “human side” of technology, with a specific focus on developing skills such as business acumen, client orientation, and collaboration.
One of the flagship offerings is Cybersecurity Leadership Experience (CyberLX), a nine-month program which includes one-on-one mentoring by a CISO or senior cyber leader outside of their organization. It also features interactive workshops and a capstone project to apply learnings in practice.
For Kath Marston, executive director of technology leadership practices at Ouellette & Associates, the business case for investing in leadership development is clear. She warns organizations that fail to develop their people risk losing them, especially in a sector where change is constant and skill sets evolve quickly.
“It’s a big playing field out there right now. To attract talent is one thing. To invest in your talent and grow them is another, and that’s how you’ll have longevity in an organization,” she says. “Many organizations attract the talent, but they lose them because they don’t grow their people. Skill sets change, our world changes constantly, we’re always innovating, always dealing with complex environments, so we have to be ready for what’s the competitive advantage.”
That readiness, Marston argues, is directly tied to leadership. “We’re always looking for the next cybersecurity or IT leader to become the next CISO or CIO and we’ve got to grow them to get there.”
Still, even well-meaning organizations can struggle to train their cyber professionals fast enough. As Ouellette & Associates director of leadership programs Jill Lundy explains, the challenge isn’t always a lack of investment. “It’s just that the time needed hasn’t necessarily been put aside, and they can’t move as quickly as they would like to get everyone up to speed.”
Spotting a future leader
Identifying leadership potential isn’t about a linear checklist, however; it’s about range, according to Khalfan. “Do they understand how the cyber engineering controls and the bits and bytes of code scanning or building secure products translate back to risk?” he asks. “And can you articulate that? Can you oscillate between technical speak and business speak?”
Khalfan believes good CISOs should be able to dive deep with engineers while also leading boardroom conversations. “It’s been a long time since I’ve written code,” he says, “but I at least understand how to have a deep conversation and also be able to have a board discussion with someone.”
Abousselham agrees that technical experience is only one part of the puzzle. He’s more focused on whether someone is ready and willing to step up and take on a leadership role.
“Our responsibility as leaders who had the opportunity to actually serve in these roles is to share,” Abousselham says. “It’s to take time from our busy days to reflect on our lessons, share publicly at scale, and help the newer generation. It’s the right thing to do to help the next generation of cyber leaders.”