Recently I was having a conversation with a good friend, a good friend who also happens to be a leadership and communication expert. We were discussing the topic of leadership in the security industry and how, while there are many bosses and executives, there are few truly excellent leaders in security today. It makes sense; many senior-level security professionals have come up through the technical ranks and haven’t received any leadership training. Add to it that security professionals are often not treated like other executives, which creates a separation between what’s expected of security leaders compared to the business side. Humans, when treated negatively, often react accordingly. It’s a cognitive bias we all possess, and it means that security executives, who are often the bearers of bad news or the dissenting voice among the crowd, are frequently viewed as the antagonist, which creates less-than-friendly relations with other business units and undermines security leadership efforts.

It’s a “rock and a hard place” quandary in which many security pros find themselves. Thinking about this gave me pause. What really started me thinking, however, was when my friend proclaimed, “Leaders don’t have to hold executive positions.” This is a valid point, but how often do we, especially those of us who don’t have C-level titles or even manage direct reports, think of our leadership responsibility?

We all have a leadership responsibility, and sometimes being a leader is hard. Like, really hard. Take, for example, a development concerning Jeff Smith, a new board member at Yahoo, and Marissa Mayer, Yahoo’s CEO. Smith (and three other directors personally selected by Smith) will now be advising Yahoo’s top executives, including Mayer, and the two powerhouses have a long-running and nasty feud. (Smith called for Mayer’s dismissal earlier this year.) Given the situation, both sides have had to declare a truce and present a unified front.

How smoothly will this go? It will be interesting to watch, that’s for certain.

Michael Santarcangelo, the aforementioned leadership and communication expert, and I discussed how one becomes a leader, regardless of job title. What does it take to be seen as a leader by one’s peers? Must a person possess specific qualities or attributes (e.g., the average height of U.S. presidents is two inches above the national average for U.S. males), or are a person’s actions what dictate his or her path to leadership?

What we decided is that it’s not one thing, or even a top 10 list of somewhat-generic-but-platitudinous-traits, that defines a leader. It’s how a person approaches difficult situations. It’s how she reacts when someone is behaving badly or undermining her authority. It’s how he communicates the outcomes of the tension-filled meeting. Most of all, it’s the ability to focus on the bigger picture—the intended goal—while dodging the wires and barbs that inevitably come a leader’s way.

I’ve got a new attitude

Going back to the Mayer/Smith example, both parties will have to check their emotions at the door of their new universe. Regardless of past interactions, words flung, or media posts pitting the two against each other, Mayer and Smith will have to honestly change their attitudes (and actions) toward one another if they hope to move the business forward together. Ruminating on or refusing to let go of the past will result in petty interactions—neither of which are very leader-like behaviors.

When too many emotions are involved, everyone loses. It’s important to rise above the noise and maintain an attitude of collaboration. No one works in a vacuum; whatever the situation, it’s important to remember that we’re dealing with human beings every step of the way and that, in many cases, work-related disagreements come out of different perceptions of a situation rather than malicious intent.

A leader keeps this in perspective as she or he navigates tricky meetings, emails, and interactions with others. A positive attitude isn’t always required, but a thoughtful and respectful one is.

Do you hear what I hear?

In the same vein, a leader doesn’t just hear words being said but really listens to the other party, especially during disagreements. Many business decisions are informed opinions, when you get right down to it.

Let’s take threat intelligence as an example: A threat analyst’s job is to consume a giant amount of information that’s been collected, correlated, assigned a risk score, etc. and then make recommendations on the most appropriate course of action. All the data in the world can be at hand, but the analyst has to parse the data and make a determination. An analyst who looks at a bunch of past breaches and declares, “Ten companies in our industry have been hit with SuperStrongMalwareX so we have to batten down the hatches,” actually isn’t very good at his job. Probability should be calculated and included in the recommendation. Impact should be part of the discussion. Risk acceptance, for sure (and by whom), should absolutely be explored.

Just as the threat analyst must peruse all angles of the data and incorporate information that involves others, a leader must too. I’ve personally seen many examples of business executives hearing or reading one angle of a situation and making a decision without listening to other sides of the equation. And there is always more than one side.

When it comes to disagreements between coworkers (at any level), a good leader doesn’t pick sides; she evaluates many different aspects. Blame can only be assigned (“should” is a different matter) after a thorough understanding of the situation is acquired. How many times have you been involved in a situation where someone else goes to the boss and chews his ear, and you’re the “problem”? You’re then called into the boss’s office and questioned about your actions/motives/intentions. It’s a “guilty-until-proven-innocent” scenario. Best case, the boss does listen and changes his/her perception and/or response. Many bosses, though, want to take the easy path, and the easy path is to make the situation go away as quickly as possible. Unfortunately, really listening and taking all facets into account is hard, time-consuming work. It’s also part of what makes a good leader.

The future’s so bright I gotta wear shades

Let’s be honest, the security industry isn’t filled with a bunch of optimists. We’re constantly on the lookout for bad stuff to happen, so it’s no surprise to anyone that security pros don’t wear rose-colored glasses. To be a leader, though, it’s essential to look at the picture and focus on where you want to go rather than mire in the minutiae of the minute. Santarcangelo positions this as having parties agree on outcomes. My view is that a leader looks at the big picture and decides, “Is the problem I am dealing with now really important in the greater scheme of things, or is it a hurdle I must jump—and which cannot consume me—on my journey to the finish line?” Looking at these two ideas together, they’re not disparate.

Let’s say you’re in a meeting with four other employees and you’re trying to decide on a website redesign. One person is focused on the look and feel of the site. Another is concerned about functionality. A third is worried that too many microsites are being created and the company doesn’t have sufficient white papers or case studies to position the organization properly. And finally, the fourth person is consumed with cost overruns.

While it’s incredibly easy to get sucked into each of these discussions—as all points of view are valid—a focus on the big picture and agreement on outcomes are both important to keep the meeting on track and everyone moving in the same direction. It may be necessary to hold breakout meetings to discuss each of these items at a later time with the appropriate individuals (i.e., the finance person might not need or want to be involved in the selection of colors for the new website), but leaders don’t allow discussions or issues to snowball into mammoth, unmanageable, multi-hour meetings. Doing so only creates greater tension, takes everyone’s focus away from individual responsibilities, and wastes time, which, in turn, spawns disgruntled employees.

Leaders find ways to evaporate tension and distractions, and the best way to accomplish these things is to 1. Know your desired outcomes, or agree on new outcomes should the scope change, and 2. Keep tying discussions back to the big picture. Come to think of it, a good leader is a little like a good sheep herder, and I mean that with only the utmost of respect. Herding sheep is extremely difficult work!

Baby, you’re a firework

Of course, there are many other skills/qualities/attributes a true leader possesses. A big one is the ability to let go and let team members do the job for which they were hired, to provide enough “rope” to allow employees to make decisions or even hang themselves once in a while. This surely won’t be the last post you’ll ever read on “how to become a great leader,” and I promise that future MISTI conferences will include sessions on security leadership.

As you think about your own role, as you plan out next week, next month, think about what your actions and interactions say about how you work with others. Maybe you don’t want to be a leader and you prefer to sit behind your keyboard and never talk to anyone. That’s OK—some people prefer that (you’ve probably bounced off this page by now anyway). For most of us, though, we want to smooth over tough conversations without sweeping problems under the rug. We want to feel like we’re accomplishing goals, making a difference, and not treating others poorly in the process. Becoming a leader takes hard work, and every environment in which you can become a leader requires new methods. As a security professional, you have an opportunity to change how you’re perceived, but that can only be accomplished by taking a good, long look in the mirror.