A tale of two industries
The United States Navy takes 18-year-olds fresh out of high school and trains them to operate nuclear reactors in 18 months. These aren’t college graduates. They’re not experienced professionals. They’re young people with the right potential who go through the most rigorous, structured program in the military that transforms them into personnel trusted with some of the highest-stakes responsibilities imaginable.
Meanwhile, in cybersecurity, we claim we can’t find qualified people.
We claim there’s a talent shortage, that candidates just don’t have the skills we need. We look for unicorns, saying training takes too long. We constantly search for senior professionals who, we say, will “hit the ground running,” while junior candidates watch their growth opportunities evaporate.
The problem isn’t the candidates. The problem is leaders who won’t take ownership of building the teams that we need and won’t follow through on development. This is leadership that chooses the path of least resistance instead of doing the hard work of creating foundations for success.
How do I know this? I was one of those nuclear reactor operators for 22 years. Now I work in cybersecurity. If we can train nuclear reactor operators from scratch, we can train security analysts. We’re just choosing not to.
But refusing to train candidates is just one symptom of the deeper disease. Across the technology fields, we’re seeing a pattern of leadership failures that all share a common thread: lack of accountability and ownership. Leaders who only conduct surface-level analyses instead of finding real root causes. Leaders who stay disconnected from their teams while technical debt accumulates into genuine security risks. Leaders who avoid hard conversations with the business because they simply don’t know how to frame cybersecurity as a risk reduction mechanism or as anything more than a cost center.
The accountability gap
When leaders don’t take ownership, it shows up in predictable ways. Some are obvious, like teams that have a high turnover rate, projects that never finish or the same problems recurring month after month, year after year. Others, like technical debt, are far more insidious. Technical debt accumulates until it becomes a critical vulnerability, and until the interest you’re paying to keep the business running somewhat smoothly is more work than the normal operational work you do. Technical debt is also its own form of risk. It presents itself in vulnerabilities and in customer churn when all of those manual processes break as someone on your team exits the business. Finally, root cause analysis that stops at comfortable answers instead of hard truths is another huge sign. Let’s be honest about what leadership failure looks like today.
Surface-level root cause analysis
The incident happens. The post-mortem gets scheduled. The team gathers, reviews a timeline that isn’t quite right, but good enough, and they all toss out some contributing factors. A report gets written. Everyone acknowledges the corrective actions. And then nothing happens. A research paper published in Computers & Security states that researchers “found little evidence of thorough investigations to find the underlying causes.”
Then a similar incident happens again.
Real root cause analysis is hard. It requires asking “why” until you’re uncomfortable with the answers — the truths — about processes that don’t work, decisions that seemed reasonable at the time and assumptions that were wrong. It requires being willing to discover that you, as a leader, contributed to the problem through your action or inaction.
Surface-level analysis stops at the first convenient answer and never addresses the real why. But the cost of stopping too early is being actively measured in recurring incidents, customer churn and team demoralization, which contributes to team turnover as well. When the same types of problems keep happening, your team learns a lesson: leadership doesn’t actually want to fix things. They want to be seen going through the motions. Taking ownership means following the chain of causality until you find something you can actually fix, and then fixing it. That’s accountability.
The perfect hire fallacy
The Navy’s Nuclear Propulsion Program takes 18-year-olds with the right aptitudes and trains them to operate nuclear reactors in all corners of the globe in 18 months. These aren’t college graduates, and these aren’t people with years of experience. Just the right attitude and aptitude in someone, placed into a rigorous, structured training program that transforms them.
The program builds talent, but meanwhile, in cybersecurity and information technology, we claim we need someone with five years of experience in a technology that’s only been around for five. We ask for security analysts who are also developers and who understand compliance frameworks.
This is laziness disguised as pragmatism. In fact, less than a quarter of respondents to a recent survey of cybersecurity professionals believe that management actively tries to reduce their stress. Half reported that senior management adds to their stress.
We’re avoiding the truth that training people requires leadership effort. It requires creating structured learning paths, providing mentorship, investing time in developing capabilities. It requires true engagement in people’s growth instead of just assigning tasks. It’s hard work, and many leaders simply don’t want to do it.
So instead, we hunt for unicorns, wondering why our teams never stabilize, and why talented people decide to leave the field entirely when they realize there’s no path forward for them.
Technical debt as leadership failures
Every technology leader has a mental list of technical debt. Systems that need updating or configurations that need to be hardened. Monitoring gaps that need to be closed. We know that all of these exist — in fact, we document them and track them in our project management tools.
And then we don’t demand the time to fix them.
We tell ourselves that the business doesn’t understand, that it’s budget constraints, or that we’ll get to it next quarter. What we’re really doing is failing to translate technical debt into business risk in a way that demands action.
The uncomfortable truth is that we’re not demanding that technical debt be addressed as part of product development cycles because that would require hard conversations. Conversations where we tell business stakeholders that moving fast now will mean paying a higher price later. Conversations where we advocate for investment in things that don’t create visible new features.
These conversations are part of our job. When we don’t have them — when we accept the accumulation of more and more manual tasks to keep things running that should’ve been automated multiple sprints past – then we’re choosing short-term comfort over our actual responsibility to the business.
Why this happens
These patterns don’t just happen by accident. If they did, we wouldn’t see them in so many places. They happen because of choices — choices individual leaders make, choices organizations make about how they develop (or don’t develop) their leaders, and choices businesses make about how they treat their security functions.
Let’s start with the uncomfortable truth that we don’t have any real leadership training in the industry. We promote technical people into management roles and expect them to figure out leadership on their own. Then, we act surprised when these newly minted leaders manage the way they were managed — or worse, when they don’t manage at all.
Other professions do invest in their leadership. Healthcare has residencies and fellowships that teach leadership roles. Business schools teach management principles. But in our industry, we throw people into the roles and hope they figure it out.
Lack of training doesn’t fully explain the problem, however. There’s an individual component at stake. The fundamentals of good leadership aren’t mysterious: follow through on commitments, dig deep to understand root causes, stay engaged with your team and have hard conversations when necessary. These aren’t advanced concepts requiring an MBA. They’re basic accountability and ownership.
Many leaders know this is what they should be doing. They’re choosing not to do it because it’s hard. It’s easier to hire than to train, and it’s easier to accept surface-level answers than to keep asking why until you get to those uncomfortable truths. The path of least resistance is the road well-travelled, unfortunately.
Finally, the third piece to this puzzle, the dilemma we face, is a systemic failure of business leadership to also do its own introspection. Why does the business have high churn, both with customers and within teams? Are we setting people up for failure? Do we create conditions where good leadership is possible?
The result of all three of these factors is a self-fulfilling prophecy where we make people into managers with no training, and then they may make it into business leadership, still not understanding how to look at things like technical debt because their leaders didn’t make it seem important to them either. This causes teams to burn out, simply because the fundamentals of good leadership aren’t being practiced.
This isn’t all a sad story, however. Choices can be changed. But only if we’re willing to be honest about what we’re choosing and why. Leadership accountability isn’t complicated – it just requires choosing to do the work.
The teams we could build
Imagine cybersecurity teams where people want to stay and grow. Where junior analysts see clear paths to becoming senior practitioners. Where the same problems don’t recur because leaders actually implement fixes. Where technical debt gets addressed because leaders translate it into business risk that demands action. When these things happen, success compounds because you’re building on solid foundations instead of starting over.
These teams do exist. They’re led by people who take ownership. The talent is there. The knowledge of what good leadership requires is there. What’s needed is simply the choice to do it.
We don’t have a talent shortage in our industry. We have a leadership accountability gap. And unlike the talent market, that’s something we can actually control.
The foundational problem has a foundational solution: take ownership. Follow through. Build people. Have the hard conversations. Do the work.
The teams and the culture that we all want are waiting on the other side of that choice.
This article is published as part of the Foundry Expert Contributor Network.