Leaning on Subject Matter Experts (When You Know Stuff Too)

“Being boss doesn't mean you have all the answers, just the brains to recognize the right one when you hear it.” —Katherine Plumber.

Guest Author

This article is a guest post from Kallie Smith.

The most effective leaders I’ve met have one fundamental commonality that defines their success: they prioritize surrounding themselves with individuals who are smarter than they are. This is true in all industries, but perhaps none more so than Information Security, because InfoSec sprawls across every crevice of business, intersects with privacy, and reaches well into our homes. Security leaders must recognize and lean on the expertise of others across all industry areas and know how to bring those subject matter experts together in a meaningful way.

Fostering a Community of Security Experts

As security leaders, we often face challenging goals, impossible timelines, and a very limited budget. The result? We want the most experienced individuals possible to fill the limited seats we have available with expertise across a wide variety of subject areas. In reality, though, no matter how seasoned or experienced your security staff may be, it’s important to remember that the security team is not on deck to solve all of the problems but rather to act as coordinators in ensuring the problems are being solved.

One of the most common phrases my staff hears from me is, “my goal is to do fewer things.” Meaning – there are too many areas and tasks for me to be able to handle myself. Thus, I work smarter and not harder by creating processes and automation that empower those subject matter experts from IT to HR to the Business to act as a wide-ranging net of security advocates within their own roles and responsibilities. I don’t need to take the reins with system designs myself, but I can assist with threat modeling. If I’ve provided effective guidance to the engineering team, they will be set up for success with secure architecture best practices to develop those designs themselves. This means I get to do fewer things – I am now acting as the reviewer who can evaluate proposed architecture and find areas for improvement rather than coming up with the answers to everything myself.

When we approach the security program as a program, the vision of this being an organizational journey starts to come into focus. A single individual or small security team cannot possibly make all the “things” happen, but they can empower others and act as a guide and resource to foster security by design principles and best practices.

Bringing the Right Players onto the Field

We’ve all seen leaders (or been guilty of this ourselves) make the mistake of bringing varied and indiscriminate groups of individuals to the table for conversations and "solutioning" sessions. For the unseasoned leader, this may foster a false sense of superiority or even frustration when they appear to be the only one coming to the conversation with the intent or ability to solution that particular problem. This can result in poor relationships with peers and subordinates, as conversations become sidetracked and drift away from the larger picture and objective. Additionally, individual contributors may internalize the frustration of sitting in an incessant number of meetings that eat up time and ultimately are discouraging, as they are unable to contribute in a meaningful way.

Information Security, especially the Governance, Risk, and Compliance (GRC) side, is all about compartmentalizing controls and requirements. InfoSec frameworks use “families” to segment out control groups allowing security experts to prioritize but also determine what resources may be the most appropriate control owners for a particular subject area. Using those skills to identify and narrow down the right group of stakeholders for a particular discussion can be incredibly empowering as a leader and provides the greatest chance that your endeavors will be successful. This doesn’t mean, of course, that staff across the organization may not have great ideas and be able to contribute in areas you may not have considered previously, but rather that you are mindful of time and resource management.

Managing Expectations of Those you Lead

People often think they want a boss who knows as much as, if not more than, they do. Someone to set clear and concise expectations and have all the answers. Of course, we all want to work for knowledgeable individuals and feel confident we understand objectives and can align with their vision and expectations.

But at the core, most are looking for a leader who recognizes what they bring to the table. Information Technology is a complex web of unknowns and tripwires. So, we don’t live in a world of clear and concise answers and guidance. Empowering staff across the organization by instilling confidence and trust in their judgment and recommendations is the key to not only successfully building a security program but having that program embraced and adopted by those you lead.

Just as important as empowering staff to contribute? Being a forgiving leader who celebrates the failed experiments as much as the wins! This is such a difficult mindset to embrace and requires a constant massaging of behaviors and recognition of outside factors. But if you work at it, you’ll find that the rewards of being a forgiving and encouraging leader when things aren’t going as planned are far greater than when everything aligns perfectly…. because that usually means something is rotten under the surface!

You’re not an Imposter – You’re a Leader.

So many of us aspire to leadership positions, whether for prestige, money, validation, or genuinely because we believe we will be of benefit in that role. Whatever the motivation or satisfaction you initially get from the job – you have to remember that while you’re the leader, you’re not the driver. You’re more like the driving instructor or, rather, you’re the owner of the driving school. You’ve proven your ability to get to where you are; it’s now up to you to foster that in others. So often, I see individuals in leadership roles who constantly feel the need to say things like “in my 30 years’ experience” or “I’ve been in this business a long time, I know what I’m doing.” In the words of Tywin Lannister, “Any man who must say ‘I am the king’ is no true king.” It’s easy for us to get swept away by feelings of imposter syndrome, but the best thing we can do is be clear about what we know and what we don’t. After all, the ability to embrace humility and lean on the counsel of others is exactly what you were hired to do. You have a vision and set the destination for those you lead, but trusting others to choose the right path to reach that destination makes you a leader and not just a “boss.”

When stepping into my first true leadership position, a mentor of mine gave me some great insight that was a crucial component of my approach to handling a strategic position. He said, “The important thing for you to remember is that your job is going to be completely different now. It’s not up to you to be the doer – it’s now up to you to be a leader. So, you have to find a way to reconcile that need to just ‘get things done’ that you have always had and start helping others figure out how they can become what you were before this role.” I hadn’t thought about this being a whole new position before that moment. Up until that conversation, I saw my role as being the one “with all the answers and knowledge,” someone that my team would be leaning on for the right path forward. I won’t pretend I was great at embracing this mentality from the start, and I certainly look back, even recently, and recognize this is a concept I still struggle with. Nonetheless, leaning back on this amazing wisdom helps remind me of the path I am on to be a truly good leader. Because getting into a leadership position doesn’t mean your journey has ended. On the contrary, you’ve basically just started a new path filled with challenges and twists and turns that you will stumble through for the rest of your days. Your new goal is to be a better leader than you were the day before.

Steps to embracing the "leader" mentality:

  1. Stop volunteering yourself to take on the work. When managing a project, initiative, or goal - look at the resources available and be confident in asking for volunteers or identifying appropriate resources that should take on each objective.
  2. Present the problem and not the solution. Often we take on the role of problem-solving even before we get in a room with our stakeholders. This can keep staff from feeling their ideas are valued and may pigeonhole you into a solution that is less effective than one you didn't come up with.
  3. Be reasonable about timelines and expectations. Every stakeholder you rely on is dealing with competing priorities and initiatives. Being flexible with your expectations and checking in on progress will likely drive stakeholders to bring your needs to the top of their list without asking.

Walking the Line – When you are the SME

Sometimes you really do know the best course of action and can see it when others cannot. So how do we, as leaders, ensure the best decisions are being made while still fostering that sense of empowerment across the subject matter experts we rely on?

  1. Listen – really listen to those around you to ensure you are getting all of the necessary information to lead to a conclusion.
  2. Ask questions that narrow down the options and path ahead for those you are leading.
  3. Recognize contributors by name and be specific about what you pulled from their input.

So how do we tie all of this together and become better InfoSec leaders than we were the day before? Remember that this is a journey and not a final destination. Your goals and strategies will change and grow over time. But the one constant you can always count on is that there is nothing constant in this industry. Information Security is a fluid space that requires us to often adjust course, swim against the tide, and sometimes lean back and float. Success in leadership, no matter the industry, is defined by your willingness to accept that leadership is a collaborative effort and requires you to listen to those around you and lean on their expertise and input.