CHAPTER 10
If you want to lift yourself up, lift up someone else.
— Booker T. Washington
Opportunity
In Chapter 6 – Cybersecurity: A Concern of the Business, Not Just IT, we briefly discuss addressing the cybersecurity skills gap in the context of the COSO principle of “Attract, Develop, and Retain Capable Individuals.” Cybersecurity professionals have specialized skills that are in short supply. Think about the following (in your best internal Liam Neeson voice) when dealing with an adversary that is holding your organization's technology environment for ransom:
I don't know who you are. I don't know what you want. If you're looking for ransom, I can tell you I don't have bitcoin…but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my server go now, that will be the end of it. I will not look for you, I will not pursue you…but if you don't, I will look for you, I will find you…and I will do whatever I can to work with the authorities to squash you.
I've always dreamed of doing that; however, let's get back to reality. The skills gap has driven a vigorous competition for talent, which forces organizations to tailor how they approach their cybersecurity staffing. They must ensure they have the right people in the right roles at the right time. Recruiting and developing cybersecurity professionals is an investment in time and money, and turnover is costly for any organization. Each employee departure costs about one-third of that employee's annual earnings, including expenses such as recruiter fees, temporary replacement workers, and lost productivity.1 Therefore, you must also focus on retaining capable individuals. It is often said that people leave managers, not companies. This chapter will dive into how to recruit “A-Players” by reviewing best practices for candidate screening and reference checks. This chapter will then review various leadership styles, such as transformational, servant, and adaptive leadership, to enable you to lead and retain a high-performing team to keep you from falling into the “people leave managers” category.
Principle
Cybersecurity leaders should assert that cybersecurity deserves to be on the same playing field as other departments such as operations, finance, or even general IT. Doing so involves retaining and leading a high-performance team. In this context, leadership refers to motivating others to achieve a common goal irrespective of reporting structure. Recruiting and developing high-performing teams is increasingly difficult and even more imperative now with the substantially remote workforce. Leadership is an art and not a hard skill like analyzing a PCAP or implementing a new SASE solution. I believe this is why leadership tends to be difficult for cybersecurity professionals. Cybersecurity often requires logical, analytical skill sets, but leadership is not always logical and analytical.
The reality is that the “‘soft stuff’ is what makes the ‘hard stuff’ possible.”2 Cybersecurity is only successful when people work as a team to enable the organization to achieve its strategic goals. Innovation only happens when people feel safe enough to risk vulnerability as they fail and learn. If people don't feel like they can contribute or are afraid to speak up, they lose their incentive to perform. Instead, they fail to apply their passion, talent, and intelligence until they can find another opportunity. Few things drag on team morale and performance more than dead weight. Leadership involves:
· Establishing a clear strategy
· Sharing the strategy
· Clearly communicating the “why” behind the strategy so that others follow willingly rather than simply comply with your formal authority
· Guiding, motivating, and enabling employees to achieve the goals of the strategy
· Persistence with the mundane, everyday tactics required to realize the strategy
Good leadership yields intrinsically motivated, engaged, loyal, and happy employees that consistently produce great results. To have a high-performing team, you must first recruit the right employees. Demonstrating leadership during the recruiting and interviewing process will increase your chances of finding the right employee for your organization. Effective leadership then allows you to keep those employees by elevating them, guiding them, investing in them in ways that are aligned with company outcomes, or creating room for work-life integration.
Honor people as whole individuals with a life outside the boundary of work. Take an active interest in their desires, wants, priorities, and personal lives. You may even frequently put their interests ahead of your own. We will explore several leadership styles throughout this chapter, but it is up to you to determine which is the best fit for you.
Recruiting High-Performing Teams – Topgrading
Recruiting and interviewing can be “noisy” if you do not know what your ideal candidate looks like, or if you cannot remove as much bias as possible from the hiring process. Daniel Kahneman, who if you remember we first referenced in Chapter 3 – Business Decisions when introducing decision science, says, “A general property of noise is that you can recognize and measure it while knowing nothing about the target or bias.”3 He and his co-authors go on to say that if all you know about a set of candidates is how they interviewed compared to each other, the chances that the top candidate will perform better are about 56 to 61%. A little better than flipping a coin, but would you leave an important hiring decision to chance? What if there was a way to identify through the core competencies and eliminate much of the bias? Kahneman advocates for structure, and we believe Dr. Brad Smart provides a framework that provides a structure that delivers results.
Brad Smart, who has a PhD in Organizational Psychology, observed early in his career that the standard one-hour interview process and aptitude tests only produced high performers 30% of the time. He developed a methodology called “Topgrading” that focuses on a more dynamic interview process than the standard question-and-answer formality to provide a comprehensive profile of a candidate's background and personality.
Topgrading involves a 12-step process, so consider it a rehab program for your recruiting and hiring practices. Important undertakings in this process include extensive interviews, detailed job scorecards, and having the candidate arrange reference interviews. Candidates are then categorized as “A-Players,” “B Players,” or “C Players.”4 An independent doctoral thesis at Georgia State University evaluated six different companies that employed Topgrading. The study evaluated six companies that made a total of about 1,000 new hires between them. Results of the study showed that the average “mis-hire” rate before Topgrading was 69.3%. After implementing Topgrading, however, the average mis-hire rate plummeted to 10.5%.5
Smart has written several books dedicated to Topgrading, and countless others reference it. I first learned about Topgrading while reading Scaling Up: How a Few Companies Make it…and Why the Rest Don't (Rockefeller Habits 2.0) by Verne Harnish. I will try to give Topgrading justice here by summarizing the 12 hiring steps. Suffice it to say, you should more thoroughly examine these references for a complete understanding.
Be forewarned, instituting this type of hiring methodology is not for those with a weak stomach. You don't need to be a Fortune 100 organization to institute some of the methodologies mentioned below, but you will need to partner with your HR and recruiting teams. Many of you reading this are already working with your HR teams to right-size cybersecurity job classifications and salaries for your respective markets. Leverage this same partnership to adjust recruiting practices.
Even if you cannot immediately establish a partnership with HR to adjust the organization's hiring practices, you can still implement many of the steps outlined below. You can create a job scorecard to share with candidates (step #2), seek out and encourage individuals from your networks to apply for your open positions (step #3), screen candidates against that job scorecard (step #4), and streamline the rest of the steps to fit the size and capacity of your team.
Before undertaking this endeavor, make sure it is right for your organization. For example, in today's market (2020/2021), a cloud security role is most likely to be filled by a millennial and our experience is that the average tenure of someone in that role is 18 to 24 months. That might just be the “cost of doing business” in the current market conditions. Topgrading is not a fast process, so you need to consider the lost opportunity of a vacant role for perhaps several months. How would this compare to a mis-hire in your organization? In a growth business with a ticking clock on the value, that cost of a mis-hire may be less than the cost of a no-hire. Our point? Topgrading is one perspective on hiring. Consider other perspectives on hiring and ensure that whatever approach you take aligns with your organization's overall strategic goals.
Step #1: Measure Your Baseline Success Hiring and Promoting People and Your Cost of Mis-Hires
We often focus on measuring metrics such as mean-time-to-detect, mean-time-to-recover, and adhering to patching SLAs, but have you measured your success in one of the most critical things you will ever do for your organization, which is selecting people? Many organizations only track the time and cost to fill jobs but do not measure the cost of a mis-hire. There are four key measures that you need to calculate and track:
· Baseline Hiring Success
· Baselining hiring success is a relatively straightforward calculation. Rate each hire over the past three years as of one year after their hire date. Write down the number that you believed were high performers, which in this case is defined as “are they performing at or above expectations when you hired them.” That number divided by the total hires is your baseline hiring success rate.
· Talent Projection
· This calculation may sound a little brutal but necessary to achieve 90% hiring success, where hiring success is defined as hiring “A-Players.” Talent projection will outline how many people you will have to hire and fire to achieve a 90% success rate given your current success rate.
§ “A-Players” are the top 10% of talent available for any job, at any given salary level.
· The ratio of the number of people you will need to hire to anyone when they leave will improve as your hiring success rate improves.
§ On average, you will need to hire about four individuals to replace one underperformer if your baseline hiring success rate is 25%. This ratio moves closer to 1:1 as you approach a 90% hiring success rate. Remember, the Topgrading method calibrates at 90% because the reality is that you will never reach a 100% baseline hiring success rate. If you do, we need to have a conversation!
· Cost of Mis-Hires
· You have to determine the parameters of a mis-hire within your organization. Are they an underperformer, do they not fit with your team's culture, or do they simply leave within two years? Determining the parameters of a mis-hire is crucial.
· Interestingly the cost of mis-hires includes costs to retain, as well as the cost of mistakes, disruption, morale, and opportunity costs for time spent coaching, etc.
· You can take advantage of the online calculator, https://topgrading.com/resources/mis-hire-calculator/, which requires providing your email address.
· Organizational Cost of Mis-Hires
· Assume you have 15 mis-hires in a given year, and you estimate the average cost of a mis-hire is $250,000. Replacing all 15 with “A-players” with 25% hiring success rate would involve three mis-hires for every good hire. You would have to hire 60 people, mis-hiring 45, to end up with 15 “A-Players.” The 45 mis-hires would each cost you $500,000, for a total of $11.25 million. Staggering!!!
· Notice that this does not include the cost of typical turnover. This only represents the mis-hires. As much as we will explain later in this chapter how good leadership drives retention, we recognize that you will never be able to retain everyone!
Step #2: Create a Clear Job Scorecard (Not a Vague Job Description)
Get rid of the traditional templated and ambiguous job descriptions. These traditional job descriptions do not set clear expectations to hiring managers about what they are hiring someone to do. In turn, this leads to confusion with candidates that leads to a “fake it ‘till you make it” attitude with the job resulting in costly mis-hires.
Instead, create a job scorecard that defines metrics for the hiring team and candidate metrics and sets what “A-Players” look like for the job. Most organizations write job descriptions such that “C-Players” can execute the items, almost like a checklist. These job scorecards layout precise expectations on how to perform the job, influence hiring decisions, steer the recruiting process, and allow you and the candidates to home-in on the most critical performance objectives before making a job offer. Solidify what the candidate will be accountable for in the first year, ensure the goals are measurable, and include the ratings to be achieved on each goal for the new hire to be considered a high performer. All scorecards should consist of:
· Job role mission and strategy
· Measurable job accountabilities
· Competencies linked to accountabilities
Additionally, ensure the following when developing the job scorecard:
· All stakeholders agree on how “A/B/C Players” will be objectively differentiated.
· The competencies spell out the fit for the specific job.
· Competencies are measurable.
A sample job scorecard for a cybersecurity engineer role is included at www.CISOEvolution.com.
Step #3: Recruit from Your Networks
Simply put, “A-Players” want to work with other “A-Players.” “B/C Players” want to work with other “B/C Players.” Reach out to your networks and take advantage of your current employees to find other “A-Players.” Also, reach out to your super-connectors (Chapter 9 – Relationship Management) if your employees or existing network cannot produce “A-Player” candidates. Your super-connectors know a ton of people (by their very nature), and given that the super-connector is already in your network, you presumably trust their judgment. Some Topgrading strategies include:
· Make recruiting through networks a job scorecard accountability for managers, but this may be a double-edged sword. Make sure that managers do not lower their hiring standards to meet this goal.
· Create a bonus or referral program.
· Encourage the use of professional social networks, like LinkedIn.
· Ask new hires to highlight “A-Players” in their networks. Doing so is relatively easy, because as you will find out in step #7, you already asked them for names of “A-Players” they inherited, hired, or developed.
· Don't hide behind email. Use personal communication methods to stay in touch with people. Pick up the phone and have a conversation (the horror)!
· Invest in your public-facing websites. Nothing says “It's boring as hell to work here” as a dull, early 2000s looking website.
Step #4: Screen Candidates
Resumes are often ambiguous and include a lot of inflated information. In many cultures, lying on resumes is even encouraged, so it is difficult to identify the “A-Players.” Using a career history form with the promise of a reference check pulls more truth out of candidates. As you will learn in step #10, the key is to communicate to candidates early and often that they will have to arrange reference check calls with former bosses. That's right. That puts a lot more of their skin in the game.
A career history form is part application form, part threat of reference check (TORC), but all, “Let's pull out all of the information that we wish candidates put on their resume, but don't.” The career history form should include items like reasons for leaving jobs, what they love and hate about their job, estimates on how their bosses (the same ones they are arranging reference check calls with) would rate them, and how they would rate themselves. The benefit is that non-“A-Players” quickly stop the application process once they realize they can't hide behind words on a resume. Even something as simple as forcing a candidate to reveal that they were “fired” and not “laid-off” can pay huge dividends down the road.
Furthermore, you can take the essential information from the career history forms and create dashboards or “snapshots” (as Topgrading calls it) to screen candidates quickly. Most applicant tracking systems (ATS) have similar capabilities, but some simple spreadsheet hacks can get you some similar results. Even if your ATS can weed out 90% of the applicants, that final 10% can still be significant, and streamlining the time and effort required to screen those applicants before getting deep into the interview process is an excellent investment.
An example career history form and example dashboard are located at www.CISOEvolution.com. You can use these to integrate with your ATS to allow applicants to apply with a click of a button using their LinkedIn profile to auto-populate fields in the career history form. The applicant will only have to complete missing information. The cybersecurity team likely does not have control over the ATS, but taking the initiative and working with your HR team streamlines the process for both you and the candidate. This integration can then also be leveraged for other teams, and thus, improving the hiring process as a whole.
Step #5: Conduct Telephone Screening Interviews
If you can recruit from your networks, then you may be able to skip this step and go straight to in-person interviews. Otherwise, utilize phone screens that incorporate the career history form to provide laser focus to the interview and help ensure that when you invest in the time and money to interview candidates in-person, you interview only the top candidates. After you have studied the career history form, the telephone screening interview should include:
· What will happen on the call, along with informing them that, before a final job offer, you will ask them to arrange personal reference calls with former bosses
· Describing the organization and the job role
· Allowing the candidate to ask any questions up front
· Evaluating the following for the previous two jobs:
· What they are most proud of
· Their biggest mistakes, the impact of those mistakes, and how they overcame them
· How their boss would rate their strengths, weaknesses, and performance
· What they loved/hated most about the job
· Reason for leaving
· Questions from the various job competencies you outlined on the job scorecard from step #2.
At this point, you should have enough knowledge about the candidates to invite only the candidates who are most likely to be “A-Players” for in-person interviews.
Step #6: Conduct Competency Interviews
This is the first step in conducting in-person interviews. Some methods may leave this step out and go straight to step #7, but I believe this is critical for crucial cybersecurity roles. This step allows the candidate to meet with more people they would be working with, and it allows for a deep dive to investigate how their skills line up to the job competencies. True, you can always teach hard skills, but the candidate has to hit the ground running in some roles.
For example, when I started working for eBay in the mid-2000s, I did not have any experience with Checkpoint firewalls and Provider-1, but managing those firewalls and overall network security were the crux of my job. What I did bring to the table were soft skills and a solid foundation in network security and with other specific firewall technologies. If my hiring manager and team were adamant about hiring someone with years of experience with Checkpoint, I would have never landed that job. I know for sure that I would not have some of the friendships I cherish to this day (thank you, eBay crew…you know who you are). It is certainly plausible that without their faith and support I might not have the experience and tenacity to co-author this book! Who knows?
It is important to continue to allow the candidate to ask questions in this step. Questions from the candidate, and the types of questions they ask, demonstrate that they are engaged and not merely looking for a paycheck. Allowing a candidate to ask questions and qualify the opportunity is just as important as your need to qualify their fit for the role.
Standardizing the competency interviews using interview guides allows you to compare apples-to-apples and provides top-cover should the question of “why did you hire candidate ‘X’ over candidate ‘Y’” ever arise. The following outlines areas you should consider when creating the competency interview guides:
· Pick five or six key competencies to focus on.
· Create four to six questions for each competency.
· Half of them should focus on when the candidate showed the competency, and the other half should focus on when the candidate did not show them, yet should have.
· Have each interviewer focus on one culture-fit type of question.
· For example, if a competency requires working with a global team, one interviewer can focus on frequency and types of communications, and another can focus on patience and flexibility.
· Choose the competency interviewers.
· Ideally, the competency viewers should be a 360-degree perspective of the hiring manager's peers, the candidate's peers, and subordinates (if any).
§ Note: the hiring manager will interview the candidate in the next step.
An example of a competency interview guide for a cybersecurity engineer role can be found at www.CISOEvolution.com.
Step #7: Conduct Tandem Interviews
This step is likely the most critical step of the Topgrading interview process. If the competency interview is a script-kiddie attacker, then the tandem interviews are an advanced nation-state attacker. The sophistication and depth of the former cannot be compared with that of the latter.
The tandem interview is an interview that begins with the candidate's experience in college (if applicable) and then progresses through a series of questions about every job along the candidate's career timeline (the tandem interview guide). The tandem interview also includes questions about the candidate's career plan and goals, intrinsic and extrinsic motivations, and self-assessment. These interviews should put the candidate “on-the-spot.” Anything highlighted in their resume, career history form, or during the competency interview is fair game. The tandem interview should dig into all accomplishments, failures, critical decisions, and essential relationships (particularly the relationships with the prior bosses that the candidate will arrange the personal references checks with).
As the name implies, the tandem interview involves using two interviewers (one being the hiring manager) and is most effectively learned in two phases. For our purposes, we will focus on the first phase, which is the starter phase. The second phase is much more in-depth. I encourage you to read more about it in Chapter 2 of Topgrading: The Proven Hiring and Promoting Method That Turbocharges Company Performance.
· Ask someone you trust, whether it be a peer or someone above you, to be your tandem interviewer.
· Both interviewers should ask all of the questions in the tandem interview guide, ask follow-up questions, and take copious notes.
· Ask the candidates to arrange the personal reference calls with former bosses that they chose and other references that you selected (you have already primed them to do this in step #4).
· Make the reference calls.
· We will discuss this more in step #10, but you and your tandem interview partner can split these.
· Decide upon next steps (job offer, pass the candidate to another role in the organization for which they would be a better fit, or pass completely).
The tandem interview can be a long process, ranging from one-to-four-hours long, but it allows a hiring manager to genuinely get to know a candidate and identify if the candidate is an “A-Player.” The payoff is worth it. Think of all the hours (and money) wasted with mis-hiring that we discussed in step #1.
Step #8: Interviewers Give Each Other Feedback
Another crucial benefit of the tandem interview process is that it allows interviewers to provide immediate feedback to each other. Frankly, many of the personalities that we come across in cybersecurity do not engender good interviewing techniques. Providing each other with constructive feedback will greatly improve each other's interviewing techniques.
For example, one interviewer might ask questions that do not adequately probe the candidate, or one interviewer may be so busy taking notes that they seem disinterested and callous.
Step #9: Write an Executive Summary
Skipping this step seems easy, but I encourage you not to. Leverage all of your notes from all of the interviews to create an executive summary of the candidates that will allow you to compare candidates and facilitate your hiring decision vs. using “gut feeling.” You may be asking yourself, “Why not just compare notes?” The answer is twofold. First, it forces you to analyze all the data you now have on the candidate and identify noteworthy patterns and trends about the candidate throughout their career. Secondly, it allows you to prepare for the reference calls in step #10.
An example of an executive summary for the cybersecurity engineer role can be found at www.CISOEvolution.com.
Step #10: Conduct Candidate-Arranged Reference Calls
Now it is time to come through on your promise of conducting a reference check. Remember, the candidate is the one who is responsible for setting up reference check calls. Put the onus on them as they (presumably) have direct contact with their previous employers to help eliminate phone tag and the time it takes for you to conduct the reference check. “A-Players” should be eager to do this as “A-Players” do not typically leave companies on bad terms.
Provide the candidate with the list of people you selected. You should plan to hear back from the candidate within 48 hours with their reference's availability and mobile number. After four or five days, if the candidate cannot arrange for you to talk with the people you requested, consider that the reason may be that the candidate decided to “call your bluff” and now realized that you are not bluffing.
Take these reference checks seriously. Prepare your questions carefully based on the information you learned from developing the executive summary in step #9. Are there any specifics that jump out that you want to probe about during the reference check?
Step #11: Coach Your Newly Hired “A-Player”
Congratulations! You have made a hiring decision, and the candidate is no longer a candidate. They are an employee! Start coaching immediately. Let the new employee know how they can improve (based on your interactions with them) and areas you feel they excel in that pushed them over the top in your hiring decision. Even the most astounding “A-Players” can get frustrated and leave when they are left to fend for themselves in their early days and months at the company. Also, imagine all the lost productivity by allowing the new hire to flounder!
Review your executive summary with the employee and have them append an Individual Development Plan (IDP) that they create for themselves. Then, you and the employee can sit down, review, and discuss together. Be sure their IDP includes SMART goals and what, why, when, and how they will be measured. When you and the employee settle on the IDP, be sure to inject at least quarterly, informal reviews to review progress and solicit employee feedback.
Step #12: Annually Measure Success
Finally, it is time to reassess your hiring success. Close the Topgrading hiring feedback loop and continually measure your success (at least annually) in hiring “A-Players.” Conduct the talent projection and cost of mis-hires calculations from step #1 and check for improvements in hiring success percentages. Annually evaluating your hiring success provides accountability for the quality of hires, highlights success pre-Topgrading and post-Topgrading, and promotes the continued use of Topgrading. Topgrading recruiting and hiring practices are a lot of work, but the investment pays off, and you tangibly demonstrate it by continuous measurement.
Leadership
Companies require business leadership from their CISOs now more than ever. That means possessing the skills and knowledge to participate in strategic conversations, such as new product or service development, digital transformation, and merger and acquisition diligence. Of course, participating in strategy doesn't alleviate the CISO's need to execute operationally.
To succeed in today's global economy, CISOs must influence business leaders up and across the entire organization to implement security controls, while leading their teams to execute on tactical objectives that meet strategic goals. They must secure commitments to continuously evaluate and respond to evolving risks while keeping their teams motivated and engaged to maintain high performance. Doing so requires leadership. As cybersecurity leaders, we will always be expected to retain some technical competence such as a fundamental knowledge of network security, endpoint security, and incident response. However, our greatest calling is to serve as choice architects that skillfully guide our organizations through enterprise risk management.
In the Leadership section of this chapter, I will introduce emotional intelligence, and then examine four leadership methodologies (transformational, authentic, servant, and adaptive) to indicate when each may apply. As you read further, consider how you fall into one of these leadership styles. Perhaps you exhibit multiple leadership styles. This awareness will help you honor yourself as an individual and release your greatest leadership potential.
Emotional Intelligence
Emotional Intelligence (EQ) is a concept that has been around for over 50 years. Daniel Goleman popularized the concept in 1995 and defined it as the array of skills and characteristics that drive leadership performance.6 EQ is the capability of individuals to recognize their own emotions and those of others, discern between different feelings, label them appropriately, use emotional information to guide thinking and behavior, and adjust emotions to adapt to environments.7
Yes, EQ deals with feelings and all of the soft, squishy topics many cybersecurity professionals avoid. Firewalls, network packets, SIEM alerts, and the latest artificial intelligence silver bullets do not have feelings. However, people do. Leading and influencing people requires you to be emotionally aware of yourself and others. EQ is the foundation upon which we build trusted relationships, forge partnerships, and engage in genuine conversations. Efforts to align employees, peers, and the C-Suite in cybersecurity strategy require us to leverage these relationships. And we have to go further; we must courageously engage in honest and forthright dialogue while putting risks into perspective. We need to inspire with compelling stories, and sometimes it's best to allow our audiences to reach their own conclusions. By doing so, people engage, allowing you to ultimately add meaning to your relationships. Whether speaking to the board to secure a budget or coaching an employee through a rough patch, EQ allows you to tailor the perfect message for a given scenario.
Goleman breaks down EQ into five domains:
· Knowing One's Emotions: This deals with self-awareness. How can you navigate others' emotions if you cannot navigate your own? People who have a better handle on their feelings are more confident about decisions they make and how to lead people to achieve that goal.
· Managing Emotions: Builds on self-awareness by appropriately handling feelings. Has your boss ever made you want to rage-quit? Don't lie to yourself. The answer is “yes” even with the best of bosses. The ability to “shake it off” allows you to plow through setbacks.
· Motivating Oneself: Appropriately suppressing your feelings in the pursuit of a goal is critical for self-motivation. The ability to “go with the flow” and have emotional self-control tends to lead to greater productivity.
· Recognizing Emotions in Others: This is empathy. Empathy is the ability to understand other people's emotional composition and treat people according to their emotional reactions. People frequently confuse empathy with compassion, but empathy can also be used to foster negative behavior, such as manipulation.
· Handling Relationships: Managing relationships and building your networks requires finding common ground to build rapport. Building rapport builds trust, and trust allows your audience to be more receptive to your “storytelling.”
Don't fret. It is possible to improve your EQ. A study conducted by Harvard Business Review Analytic Services concludes that organizations that highlight EQ have higher employee engagement and customer loyalty.8 The study found that the most effective form of EQ development starts with conversation and interaction intended to increase self-awareness. Self-exploration and in-depth discussions lead to greater levels of self-awareness, empathy, and the ability to understand others' viewpoints. This in turn leads to better relationships.
Here are some steps you can take to improve EQ. I encourage you to focus on yourself first and then extend this activity to your teams:
· Identify and name your emotions: Dig deep and ask yourself what you are feeling. Are you happy and excited about an opportunity? Are you angry and upset with a co-worker? Why? You become more mindful of how you speak to yourself and others as you become more cognizant of your emotions. Have you ever beat yourself up over something that happened at the office? Have you ever wished you could take back a heated conversation with a co-worker? Of course, you have.
· Pay attention to how you talk to yourself and how you talk to others: Focus on strengthening your communication skills. People with high EQ tend to invest in more specific language to identify shortfalls, and then they immediately strive to tackle those shortfalls. Are you having a hard time getting a particular business unit to buy into approved security controls? Why? What can you do to communicate the benefits of the security control better? Don't dwell on the problem. Pinpoint the barrier and knock it out of the way!
· Ask for feedback: I understand this may be awkward, but ask managers, colleagues, friends, or family how they would rate your EQ. How do you handle difficult situations? Do you remain calm, or do you let your stress show? How flexible are you to change? How empathetic are you? How do you deal with conflict? It may not always be what you want to hear, but it will often be what you need to hear. Extend the same, sometimes harsh, courtesy and honesty, to those who ask you for feedback.
· Learn from prior experience: How have you successfully navigated similar feelings in the past? Learn from that experience and reuse it. Much like incident response, make sure you close the feedback loop to be better prepared to deal with similar situations in the future.
· Practice empathy: Pick up on verbal and nonverbal cues to gain insight into your colleagues' feelings. Refer to our review of Crucial Conversations in Chapter 8 – Communication – You Do It Every Day (or Do You?), where we covered the skills of Learn to Look and Make it Safe. Practice “putting yourself in their shoes,” to understand both content and feelings.
· Know what triggers you and others you influence: What stresses you out? Do what you can to avoid the stress while acknowledging that stress is inevitable. Sleep is an excellent stress reliever. Conversely, lack of sleep can elevate your emotional volatility. If you don't like horror movies, don't watch one immediately before bedtime. Emails are the equivalent of horror movies for me. I try to avoid them at all costs just before bedtime; otherwise, I will toil with mental gymnastics all night long.
· Be resilient: Suck it up, buttercup. Stuff happens. Everyone encounters challenges. Just like Rocky Balboa said, “It ain't about how hard you hit. It's about how hard you can get hit and keep moving forward; how much you can take and keep moving forward. That's how winning is done!” Positive thinking and continuous improvement will take you far. Consider what you can learn, what will make you better, and how you can be more resilient in the future.
· Celebrate successes: Building your own EQ is one challenge but convincing a team to do it is an entirely different challenge. You have to set the standard. Define how people disagree with each other. Mandate that disagreement be cordial and constructive. Also, recognize and celebrate those who demonstrate EQ. Reward not only your high-performers but also those who help the high-performers be high-performers.
Transformational Leadership
Transformational leadership is a relatively new approach to leadership where a leader inspires others to rise above their self-interests to benefit the entire organization. Imagine Mr. Spock when he proclaims, “Logic clearly dictates that the needs of the many outweigh the needs of the few,” with Captain Kirk replying, “Or the one.” Transformational leaders encourage and inspire employees to innovate and create change that will help grow and shape the organization's future success. This leadership style enhances employee motivation, morale, and job performance through various methods such as connecting employees' sense of self and identity to a project and fostering a collective identity to the organization. Cybersecurity leaders of today need to be mentors and lead by example. They must encourage innovation that aligns with the organization's values and strategic objectives and recognize individuals for their contributions and for going above and beyond what is expected of them.
Transformational leadership contrasts with transactional leadership styles that focus on a carrot and stick to get teams to do what they want. I don't call this leadership at all. I call it bad management. According to James M. Burns, whom many consider to be the father of transformational leadership, transformational leadership aims to create a significant positive change in people. It changes the perceptions, values, expectations, and aspirations of employees. Transformational leadership is not based on a carrot and stick, give and take relationship, like transactional leadership. Instead, transformational leadership is based on the leader's charisma, traits, and ability to set an example that others can follow. Transformational leaders strive to paint a vision of the future to inspire people to drive progress and accomplish goals. Transactional leaders lean toward maintaining the status quo and attempting to get results from their teams through strictly their authority.9
In 1985, scholar Bernard M. Bass identified four basic elements for transformational leadership that are crucial if a leader needs to encourage and inspire others. These elements create an open, forthcoming, and diverse culture that empowers individuals by enabling them to share ideas freely. The four elements are often referred to as the “Four I's”:10
· Idealized influence: Refers to the way a leader exerts influence on others. Teams tend to highly respect these leaders because they set an example, and they consistently demonstrate that they prioritize the needs of their team above their own. Individuals tend to follow this leader because they are relatable.
· Inspirational motivation: Fundamentally, leaders must inspire their teams to achieve. This leader sets high yet attainable goals, and they inspire commitment by creating a shared vision for the team or organization and articulating their expectations clearly. Inspirational motivation leverages both extrinsic and intrinsic factors and requires a high level of charisma. Charisma inspires a sense of authority and could be considered both inspirational and visionary by the team.
· Intellectual stimulation: Refers to creating a diverse and open environment that encourages individuals to think for themselves and safely express their ideas. These leaders tend to promote the concept of “fail fast, fail often,” as often associated with agile methodologies because doing so fosters growth and improvement.
· Individualized consideration: Refers to establishing a strong relationship with the team and acting as a caring, supportive resource. These leaders mentor their team and allocate their time to developing individual and team potential.
Much like EQ, there are things you can do to strive towards becoming a transformational leader. Transformational leadership may align better with those who have charismatic personalities, but here are some things Bass identifies that will allow you to move the needle.
· Create an inspiring vision of the future.
· If you want to lead, not merely manage, your team, you need to create and clearly communicate an inspiring vision of what the team should strive toward.
· The vision establishes your team's purpose. The vision needs to consider:
§ The values of the people on your team
§ The capabilities and resources of your organization
§ The context of your organization
§ How you plan to move forward, given those considerations
· Start with your organization's mission and align your vision so that your team can drive toward it.
· Get people buy-in and deliver the vision.
· As alluded to above, you need to appeal to your people's values and motivate them with where you are going to lead them, and clearly communicate why.
· Consider building a story around your vision to help your team appreciate and emotionally feel the positive direction of your vision and how it will help the team and the organization.
§ It is all the better if you can pull from your personal life experiences.
· Link your vision to individual and team goals so that people see how they specifically support the vision.
· Communicate every significant business decision in terms of your vision.
· Manage delivery of the vision.
· Now it is time to make your vision a reality, which will likely involve hard and tedious work.
· You will need to combine practical project management with organizational change management.
§ Chris Laping's book People Before Things is an excellent book to read more on this topic.
· Ensure that everyone understands what part of the vision they are responsible for.
§ Establish SMART goals.
§ Identify some quick wins that can start achieving momentum toward your vision.
· Be visible and present.
§ Do not hide in your office or cubicle all day.
§ Walk around and check in with your team regularly.
§ Always practice what you preach.
· Build ever-stronger, trust-based relationships.
· Focus on providing your people with the tools and resources they need to achieve their goals.
· Leadership is a long-term play, so relationship building, earning trust, and helping your people grow is a continuous process.
· Have regular one-on-one meetings with your people to stay in touch with how you can continue to help them achieve their goals.
§ Dictate a frequency that is practical for the size of team you have.
· Be open, honest, and transparent and demonstrate some vulnerability, albeit safely, through sharing personal stories and anecdotes.
· Coach and mentor your people.
Servant Leadership
Servant leadership is often related to transformational leadership. Robert K. Greenleaf was one of the first to write about servant leadership. He defines the classical definition as “[Servant leadership] begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead…The difference manifests itself in the care taken by the servant – first to make sure that other people's highest priority needs are being served. The best test … is: do those served grow as persons; do they, while being served, become healthier, wiser, freer, more autonomous, more likely themselves to become servants? And, what is the effect on the least privileged in society; will they benefit, or, at least, will they not be further deprived?”11
I prefer the definition that Mark Schlereth, former Denver Broncos offensive lineman, articulated on the radio during one of my morning drives to work where he stated, “True leadership is when you care about what happens to others more than caring about what happens to you.”
The primary difference between transformational leadership and servant leadership is the focus of the leader. The transformational leader directs their focus toward the organization, and his or her behavior builds follower commitment toward organizational objectives, while the servant leader's focus is on the followers. The achievement of organizational objectives is a secondary outcome. The extent to which the leader can shift the primary focus of leadership from the organization to the follower is the distinguishing factor in which of these two leadership types the person is executing.12
However, being a transformational leader or a servant leader is not a “one or the other” decision. Servant leadership aligns with developing individual team members, encouraging innovation within the team's context, and mentoring a team to exhibit empathy with business units who are just trying to get their job done, which in turn motivates the business units to adopt adequate security controls. Transformational leadership aligns with motivating a team when there are significant external pressures, such as after an acquisition, a significant decline in economic outlook, or booming growth. Transformational leaders encourage intellectual risk, innovation, and creativity to effectively develop team members to be successful within the current, stressful context of the organization. You should evaluate which leadership style aligns the current business environment with your team's needs and your individual skill set.
There are 10 characteristics of a servant leader that you can work on with countless resources available to delve into each one.13 You will notice that many of these characteristics are similar to those found in transformational leadership. Commit to incremental improvements in an area or two every day.
· Listening: Communication between leaders and their team is an interactive process that includes sending and receiving messages (e.g., verbal, written, body language). Servant leaders listen first and speak second. To listen, you must be receptive to what others have to say. Through listening, servant leaders acknowledge the viewpoint and perspective of the other person.
· Empathy: As mentioned previously, when reviewing EQ, empathy is the ability to understand the emotional composition of other people and to treat people according to their emotional reactions. In other words, you put yourself “in their shoes” to try and understand the other person's point of view. Empathetic servant leaders confirm and validate what the other individual is thinking and feeling, making the other person feel empowered and heard.
· Healing: Servant leaders care about the personal well-being of individuals on their team and demonstrate it by helping them overcome personal and professional problems.
· Awareness: Servant leaders understand themselves and the impact they have on others. With awareness, servant leaders can step back, disconnect, and view themselves within the context of the greater picture.
· Persuasion: Persuasion is clear and persistent communication that convinces others to see your perspective and change. As opposed to coercion, which utilizes the authority granted by position and title to force change, persuasion creates change through gentle, nonjudgmental argument.
· Conceptualization: Conceptualization is the ability to be a visionary for your team by providing a clear sense of its goals and direction. Conceptualization goes beyond day-to-day operations and focuses on the greater picture and long-term strategy.
· Foresight: Foresight is a servant leader's ability to connect dots and predict the future. This ability does not mean that they are psychic. It means that the servant leader can predict what will happen based on what is currently happening or what has happened in the past.
· Stewardship: Stewardship is about taking responsibility for the leadership role entrusted to you. Servant leaders accept the responsibility to lead, manage, mentor, and motivate their team.
· Commitment to the growth of people: Servant leaders focus on intrinsic motivations for each individual that go beyond “what's in it for me?” Servant leaders are committed to helping each individual in their team grow personally and professionally. Some ways to help enable growth are providing career development opportunities, assisting individuals in developing new work skills through formal or on-the-job training, or empowering them by listening to their ideas and involving them in decisions.
· Building community: Servant leadership fosters the development of community. A community is a collection of individuals who have shared interests, relate to each other, and feel a sense of unity, which allows them to identify with the greater good of the organization.
Adaptive Leadership
Working in cybersecurity means living and breathing tough challenges and change. Attackers are seemingly always one step ahead of defenders, so adapting and dealing with difficult situations is critical. A common definition of adaptive leadership is “the practice of mobilizing people to tackle tough challenges and thrive.”14 Adaptive leadership often focuses on change, but it can be applied to many challenges, including managing conflict across different business units, acquiring and integrating another company, or being acquired (Table 10.1 highlights how adaptive leadership may be applied to these challenges). The key differentiator with adaptive leadership is that this leadership style focuses less on the leaders themselves and more on their behaviors and activities in relation to their teams and business context. Adaptive leadership is just that, adaptive, and it is mainly about enabling your teams to adapt and overcome challenges no matter the circumstances. Adaptive leaders engage in the following five activities:15
· Mobilize: Engaging in activities that move your team to move toward needed change
· Motivate: Coaching your team in the ideals they need to feel like they can change
· Organize: Identifying the opportunity for change and determining what to provide to the team to ensure the team succeeds
· Orient: Helping teams to recognize the starting line, the finish line, and how to get from “A” to “B”
· Focus the attention of others: Clearly explaining the goal and how the change will help them, individually
TABLE 10.1 Adaptive Leadership Examples
|
Situation |
Example |
|
Managing conflict across different business units |
Bringing together people affected by conflict to be part of the solution and creating a process where everyone can be part of the solution (reference the story of the development manager from Chapter 8) |
|
Acquiring and integrating companies |
You are working for a large telecommunications company, and your company acquires a smaller competitor. Tensions between you and your competitor ran high before the acquisition, and now you must help integrate employees and systems to ensure the synergies promised by the acquisition are realized. |
|
Being acquired |
Similar to above, but as the acquired company, you must clearly articulate and convince your team that the acquisition is best for the company and that a successful integration is beneficial to them professionally and personally. |
Adaptive leadership requires that leaders handle three types of situational challenges. Identifying these situational challenges allows us to put into better context the six key leadership behaviors that follow. The three types of situational challenges are:
· Technical challenges: Problems that are clearly defined (e.g., implementing a firewall rule)
· Technical and adaptive challenges: Challenges that are clearly defined where there is no clear solution (e.g., integrating two identity and access management programs)
· Adaptive challenges: Challenges that are not easily identified (e.g., situations with many variables, such as integrating two companies)
Six leader behaviors exemplify adaptive leadership. Think of these behaviors as individual elements of a concoction, such as your favorite cocktail or a magic potion from Hogwarts given to leaders allowing them to help their teams tackle difficult challenges and the inescapable resulting changes. Much like ingredients in your favorite cocktail, there is a general order to the mixing of behaviors in the adaptive leadership process. Many of these behaviors overlap with each other and should be demonstrated by leaders at the same time. These leader behaviors suggest a kind of recipe for being an adaptive leader.16
· Get on the balcony: This is like a prerequisite to the aforementioned potions course. It requires an adaptive leader to step out and find perspective in the middle of a challenging situation, which allows them to see the bigger picture and what is really happening.
· Identify adaptive challenges: Identify and diagnose the situational challenge correctly.
· Regulate distress: Distress during change is inevitable and even beneficial, but too much distress can bring individuals and teams to their knees. Adaptive leaders need to help others recognize the need for change but not become overwhelmed by the need for the change itself.
· Maintain disciplined attention: Get people to focus on the tough work they need to do.
· Give the work back to the people: Adaptive leaders provide enough direction to allow their teams to perform and troubleshoot work themselves. Think of the proverbial, “Give a man a fish, and you feed him for a day; teach a man to fish, and you feed him for a lifetime.”
· Protect leadership voices from below: Adaptive leaders listen and are receptive to ideas from everyone on the team, no matter how junior, outlandish, or marginalized the individual is.
Application
This is a challenging Application section for me to write because one leadership trait alluded to but not deeply discussed in the various leadership styles outlined in this chapter is humility. You see, I have a fundamental belief that if you need to go around saying “I'm a leader,” then you are very likely not a leader. Think about that for a second in the context of the leadership styles highlighted in this chapter, and you will understand why I cringe at writing this section.
I managed a rather large security and network operations center (SNOC), and I ran into many of the challenges highlighted in this chapter almost daily. Hiring and retaining “A-Players” was critical to our mission, yet it was absolutely, without a doubt, the most challenging part of the job. A requirement for working in our SNOC was a secret-level government clearance and an additional “entry on duty” (EOD) by the agency we were supporting. While someone leaving the organization typically provided two weeks of notice, the hiring process to replace them, end-to-end, took at least six months if the candidate did not have an active clearance. Finding candidates with an active clearance made matters that much more difficult, so we had to keep our options open. We did not implement a Topgrading strategy because we were already losing candidates to the hiring process bureaucracy. We were having problems keeping the talent pipeline full due to the high demand for cybersecurity talent. Many “A-Player” cybersecurity analysts and engineers found other opportunities and fell out of the hiring process during that six-month (often longer) timeframe. Frankly, we struggled as a result sometimes, but we still persevered and performed at a high level because of the handful of “A-Players” that we did have. The “A-Players” were patient and worked with the non-“A-Players.” That solid foundation elevated the performance of the entire team.
During my tenure, the client announced they would move the SNOC out of state before the end of the contract. The announcement led to a lot of distress, and it was my role as a leader to navigate this team through the transition. Most of the team members did not want to, or could not, relocate; however, we had to maintain operations through the transition. My role was to first deliver on the organization's mission, but priority 1A was to the individuals on my team. I was baptized by fire in servant leadership.
To be successful, I had to be adept at many of the traits of servant leadership. I had to listen to the concerns of the individuals regarding the uncertainty of their futures. I had to show empathy as every single individual of my 35-person team faced a unique challenge. I had to show healing in helping them tackle their unique challenges. There were many difficult conversations, and while my advice was always, “You have to consider what is best for you and your family,” when pressed, sometimes my advice was, “You should be proactive and look for another opportunity if you don't want to relocate.” I also had to temper this advice with the persuasion of having the individual stay long enough to ensure a successful transition. I had to convince people who did not want to relocate that if they wanted our SOC to win more work, we could not be known as the SOC that failed to meet its responsibilities. I also had to do all of this while continuing the commitment to the growth of people and maintaining our community. I did this knowing in the back of my mind that I would not take an offer to relocate and that I would be likely leaving the organization when the right opportunity presented itself.
The right opportunity did present itself, and I left the organization, but I left the SOC in good hands as I was able to coach and mentor my deputy so that he could seamlessly take over if I did leave or get hit by a bus (you will always be my #2). In the end, there was a successful and smooth transition, along with the SOC winning more work in the process, so while there was a reduction in staff through attrition, there were no mandatory reductions in force.
Key Insights
· Topgrading: Recruiting and retaining high-performing teams is a challenge for any cybersecurity leader. Calculate your hiring success rate and your cost of mis-hires. The cost will astound you. Consider using the Topgrading method to attract and select “A-players” to your team and watch your hiring success rate soar, and your cost of mis-hires plummet.
· Emotional Intelligence: A high EQ improves communication, conflict resolution, and relationship. EQ also helps to build resiliency when faced with tough challenges.
· Leadership Types: There are many leadership types. We evaluated transformational, servant, and adaptive leadership in this chapter, but there are many more. It is important to be authentic with any leadership type you choose to exhibit. Additionally, you may choose to apply a different leadership type depending on the type of challenge or situation you are facing.
Notes
1. 1 Agovino, T., “To Have and to Hold,” Society for Human Resource Management, 2019. Accessed February 13, 2021. https://www.shrm.org/hr-today/news/all-things-work/pages/to-have-and-to-hold.aspx.
2. 2 Boss. J., “Leaders Only Need to Do This to Retain Top Talent,” Entrepreneur.com, 2018. Accessed February 13, 2021. https://www.entrepreneur.com/article/318102.
3. 3 Kahneman, D., Sibony, O., and Sunstein C.R., Noise: A Flaw in Human Judgement, Little, Brown Spark, 2021.
4. 4 Smart, B.D.P., Topgrading: The Proven Hiring and Promoting Method That Turbocharges Company Performance, 3rd ed., Penguin Group (USA) Inc., 2012.
5. 5 Lorence, M.S., The Impact of Systematically Hiring Top Talent: A Study of Topgrading as a Rigorous Employee Selection Bundle, 2014. https://scholarworks.gsu.edu/bus_admin_diss/38/
6. 6 Goleman, D., Emotional Intelligence: Why It Can Matter More than IQ, 25th anniv., Bantam Books, 1995.
7. 7 Coleman, A., A Dictionary of Psychology, 3rd ed., Oxford University Press, 2008.
8. 8 Harvard Business Review Analytic Services, The EI Advantage: Driving Innovation and Business Success through the Power of Emotional Intelligence. Harvard Business Review, 2019. https://hbr.org/resources/pdfs/comm/fourseasons/TheEIAdvantage.pdf.
9. 9 Burns, J.M., Leadership, Harper & Row, 1978.
10. 10 Bass, B.M., Leadership and Performance Beyond Expectations, New York Free Press, 1985.
11. 11 Greenleaf, R.K., The Servant as Leader, Greenleaf Center for Servant Leadership, 1970.
12. 12 Gregory Stone, A., Russell, R.F., Patterson, K., “Transformational versus Servant Leadership: A Difference in Leader Focus,” Leadership & Organization Development Journal, 25(4) (2004): 349–361. doi:10.1108/01437730410538671.
13. 13 Heifetz, R., Frasho, A., and Linsky, M., The Practice of Adaptive Leadership: Tools and Tactics for Changing Your Organization and the World, Cambridge Leadership Associates, 2009.
14. 14 Northouse, P.G., Leadership: Theory and Practice, 8th ed., Sage Publications, Inc., 2019.
15. 15 Heifetz, R., Frasho, A., and Linsky, M., The Practice of Adaptive Leadership: Tools and Tactics for Changing Your Organization and the World.
16. 16 Heifetz, R., Frasho, A., and Linsky, M., The Practice of Adaptive Leadership: Tools and Tactics for Changing Your Organization and the World.