A Security Leadership Creed

Rules for Security Professionals To Live (and Die) By

Helen Patton


A brown gavel on a white surface
Photo by Tingey Injury Law Firm on Unsplash

What makes a good Security Leader?

Certainly getting an award for security leadership is a dubious honor at best (if you must pay to get an award, do you deserve the award?). Being judged as a “good” leader is often left to the people who work near the leader — their boss, their team, their partners, their customers — most of whom don’t know enough about security to be a good judge of security leadership.

Is a good security leader one whose company has never succumbed to a security incident? Unlikely. In fact, the most respected leaders in the security industry often find themselves on the receiving end of a security event — it makes them better defenders and researchers.

Is a good security leader one who has great partnerships with stakeholders and other leaders? Yes — but this doesn’t mean there isn’t conflict, or disagreements, or tension. A security leader should be just that — a leader — not your best friend.

It would seem to me that that security leaders must judge for themselves whether they are a good leader, and that they must use a set of guiding principles that ring true for themselves, not others. Which got me thinking about what kinds of values are important to security leaders. So, as usual, I went to the socials and asked the question:

Some people were quick to remind me that some codes of conduct/ethics already exist. ISC2, for example, has a code of ethics that are required for anyone receiving a certification from them.

Honestly, I am more interested in the personal values respondents raised — it lets me know what their primary concerns are, and how they approach their role. Over a couple of weeks, people answered my question on LinkedIn, Twitter, and Mastodon — and as usual they were thought provoking. I grouped them as follows (sentences are verbatim):

Security Actions:

  • I will not propose technical solutions to management problems.
  • Validate and verify your…



Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange