A Security Leadership Creed
What makes a good Security Leader?
Certainly getting an award for security leadership is a dubious honor at best (if you must pay to get an award, do you deserve the award?). Being judged as a “good” leader is often left to the people who work near the leader — their boss, their team, their partners, their customers — most of whom don’t know enough about security to be a good judge of security leadership.
Is a good security leader one whose company has never succumbed to a security incident? Unlikely. In fact, the most respected leaders in the security industry often find themselves on the receiving end of a security event — it makes them better defenders and researchers.
Is a good security leader one who has great partnerships with stakeholders and other leaders? Yes — but this doesn’t mean there isn’t conflict, or disagreements, or tension. A security leader should be just that — a leader — not your best friend.
It would seem to me that security leaders must judge for themselves whether they are a good leader, and that they must use a set of guiding principles that ring true for themselves, not others. Which got me thinking about what kinds of values are important to security leaders. So, as usual, I went to the socials and asked the question:
Some people were quick to remind me that some codes of conduct/ethics already exist. ISC2, for example, has a code of ethics that is required of anyone receiving a certification from them.
Honestly, I am more interested in the personal values respondents raised — it lets me know what their primary concerns are, and how they approach their role. Over a couple of weeks, people answered my question on LinkedIn, Twitter, and Mastodon — and as usual they were thought provoking. I grouped them as follows (sentences are verbatim):
- I will not propose technical solutions to management problems.
- Validate and verify your…