Want Better Cyber Pros? Focus on Foundations

It’s a little over five minutes into the movie Master and Commander: The Far Side of the World. 

• The HMS Surprise is sailing through fog while searching for its nemesis, the French privateer ship Acheron, the most advanced naval technology at the time. 

• A seaman up in the sails calls out to the officer of the watch, Midshipman Hollom, that he hears what he thinks is a bell. Hollom peers through the fog with his looking glass. He thinks he briefly sees something, but he’s not sure. He’s not sure at all.

• Able Seaman Doudle joins him at the bow of the ship. Hollom is concerned. He’s hesitating. Even with the crew of the Surprise gathering around him, he lacks the confidence to act. 

• Instead, Doudle alerts the ship to quarters, and the ship erupts into activity. 

• Captain Aubrey joins them on the bow. He reassures them alerting the ship to combat readiness was the right thing to do, just before the enemy ship begins to fire.

This could as well have been a security operations center (SOC) at 2 a.m.

Preparation, decisiveness, mental agility, a culture of trust: these are some of the things that make the difference between damage and cataclysm. Cybersecurity is information technology (IT) with a bad guy, a thinking adversary with intention, capabilities, and techniques. How effectively our people can observe, orient, decide, and act in concert with their leadership and each other determines whether our organization will be in the newspaper and, if so, on what page.

In my last article, I introduced the Cyber Success Vector™. Today, we look at the foundation of a cyber professional’s breadth: their core professional attributes.

What led up to making Hollom the professional he was? Did anyone identify the weaknesses that led up to the scene above, and if so, what was done about it? And what about Captain Aubrey? What enabled him to work within the uncertainty of the moment and establish trust and confidence? 

Core Professional Attributes

In my first installment of this series, I asserted that leadership qualities must be instilled throughout the cybersecurity and the broader IT sector. This includes individual contributors like Doudle, or a young SOC analyst at 2 a.m. This will help the professional deal with the uncertainties of cybersecurity risk, as well as to act synergistically in a high-functioning team.

Through reviewing various works, I identified several foundational attributes. It’s a starter set, but one that reflects several common themes I found in the literature and my own experience. 

The following is a sample of these attributes (not the complete list).

Personal Attributes

Author Stephen Covey proposed that getting one’s own house in order supports one’s effectiveness in dealing with others. However, in today’s workplace, I’ve found an aversion to discussing what makes the person who they are. This does the professional—and the organization—a disservice. As the person moves up, shortcomings will cause an increasingly significant impact. Grumblings around the water cooler will cascade, hamstringing the best of leadership intentions. A cybersecurity organization simply can’t afford that.

• Example: Integrity and ethics must top the list. The professional must communicate and act according to objective truths. They must act within laws, regulations, codes of conduct, and accepted social mores. Subordinates need to know their leaders are making decisions in the best interest of the organization, and not simply in their own interests. Data to be handed over to legal or law enforcement must be preserved by individuals who understand and operate within their legal limitations.

• What it’s not: a pedantic, inflexible approach that gives cybersecurity the reputation of “putting the ‘no’ in ‘innovation’”.

Interpersonal Attributes

Yes, I’m going to use the word “synergy” in this article, too. The American Heritage Dictionary of the English Language defines it as “the interaction of two or more agents or forces so that their combined effect is greater than the sum of their individual effects”. 

• Example: Communication and candor is key to synergy. Threat actors are communicating all the time. When defenders can bring up issues and opportunities effectively, the organization becomes a collection of minds working through the problem. Often, team members may surface solutions they saw at a previous organization or that they identified via a fresh set of eyes. If they know how to deliver their ideas constructively and impactfully, that communication becomes a benefit and not simply a management headache.

• What it’s not: inappropriateness or excessive bluntness, which may have the opposite effect.

Professional Leadership

We’re in this business to achieve results: reducing risk for our organization. An individual needs individual and group leadership attributes to achieve those professional results.

• Example: Execution and results orientation means the individual is able to deliver successful outcomes when they are needed. A common mantra is “plan your work and work your plan”. Many organizations can become mired in so-called “analysis paralysis”, where the problem is admired to the point of wastefulness. It’s time to produce results. When care has been taken, preparation must be converted into success at the point of execution.

• What it’s not: prioritizing busy work (except as directed). Often, an employee can be so focused on churning out completed tasks that a lot of heat is generated, but not much food is cooked.

Wrapping Up

• In cybersecurity, as in other technical fields, we often lead masters in technical skills. However, much leadership time will be devoted to dealing with insufficient fundamentals. 

• Investing in the fundamentals will build synergy, which pays dividends. 

• As the professional moves up, their challenges can be lessened by development earlier in their careers. If we don’t, like in the case of midshipman Hollum, others may pay the price.

Order the book, The Total Pro: Future-Ready Cyber Talent Through the Cyber

Success Vector™.

Read the other installments in this series at The Cyber Success Vector™ Article Series.

© 2024 GrayVector LLC, all rights reserved.

Cyber Success Vector is a trademark of GrayVector LLC. All rights reserved.

The preceding work contains the opinions of the author, and do not represent those of any other person or organization.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by GrayVector, LLC, or the author.

NO WARRANTY. THIS MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. GRAYVECTOR, LLC, AND THE AUTHOR MAKE NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. GRAYVECTOR, LLC, AND THE THE AUTHOR DO NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.