41
Ray [REDACTED]

“I believe strongly in leading by example. In many cases, this is the difference between being a manager and being a leader.”

Website: RayRedacted.com

Ray [REDACTED] is the vice president of technology at a global solutions provider focusing on cybersecurity solutions for multinational corporations. In addition to a degree from Purdue University and numerous industry certifications, he has 22 years of frontline experience in the prevention and mitigation of attacks from cybercriminals, hacktivist groups, and nation-state actors. Ray frequently teaches advanced security for global corporations, as well as federal and international law enforcement agencies. Ray has spoken at InfoSec conferences such as Black Hat and Shmoocon, as well as teaching classes on operational security (OPSEC) at cryptocurrency conferences globally.

Do you believe there is a massive shortage of career cybersecurity professionals?

There is no question that we are facing a massive shortage of cybersecurity professionals. Analysts and statisticians say this gap may soon be as large as three million unfilled jobs worldwide. To bridge the gap, we need to both increase the supply of workers and decrease their workloads.

First, this means making serious and concerted efforts at diversity and inclusion initiatives, including providing more opportunity for members of under-represented communities. Increasing diversity in the InfoSec workforce has the additional benefit of making our security teams not only bigger but also stronger, because having different backgrounds and experience provides better views of events and more thorough problem solving.

Beyond increasing the pool of workers, we should strive to reduce the workloads for cybersecurity professionals by reaching out to “deputize” other departments to become part of the cybersecurity workforce, even within their current roles. Security should not be considered the sole responsibility of a “department,” just like fire prevention should not fall on one department. The entire corporation should be aware of how to prevent fires, where the fire extinguishers are, and how to respond when they smell smoke.

Additionally, I believe that we have technologies and tools that can significantly reduce workloads by acting as so-called force multipliers. Machine learning and artificial intelligence show incredible promise here, and their impacts will continue to grow.

What's the most important decision you've made or action you've taken related to a business risk?

The hardest decision I have made was leaving a job I was extremely comfortable in so that I could start a new career that stretched both my abilities and my comfort zone. I chose this path because I saw an opportunity to grow both in technical ability and business acumen. In hindsight, this decision now seems obvious, but at the time it was rather scary.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

I find that the three are inextricably linked, especially on the most difficult decisions. When faced with making the most difficult decisions, I try to never do it in a vacuum. This usually means discussing challenges and ideas with my support networks, including the informal ones.

Mentors are important in difficult decisions. It is extremely important to both be a mentor to others and to have a mentor yourself. As supported by countless studies from multiple social science fields, mentorship is directly associated with professional success for all parties.

What's something that you struggle with as a leader, and how do you overcome that?

I frequently speak to large groups, giving prospective customer presentations, training, and even keynotes at conferences. In this role, especially the last one, I often struggle with what psychologists call imposter syndrome. For me, these feelings of self-doubt or inadequacy often result in procrastination. The connection between procrastination and imposter syndrome is that by waiting until the very last minute to work on a speech or keynote, even if the job isn't done well, you can rationalize the outcome. “Well, that wasn't so bad, considering I didn't even start it until the last minute.” I have been struggling to overcome this as a leader. While I don't have a solid solution for it, I try to stay cognizant of it. Awareness is step number one.

How do you lead your team to execute and get results?

I believe strongly in leading by example. In many cases, this is the difference between being a manager and being a leader. As is often cited, “Managers have people who work for them, but leaders have people who follow them.” It is important to know the difference and to strive to do both.

Do you have a workforce philosophy or unique approach to talent acquisition?

At the company I work for, we strive to promote from within to “grow our own” talent. This is particularly true in the SOC environment, where alert fatigue and burnout can cause morale issues.

Have you created a cohesive strategy for your information security program or business unit?

While it is extremely important to create strategies and plans, in my experience it's the execution that often presents more challenges than the creation of strategy. The path to ensuring that these goals are aligned with corporate strategy is simple: communicate, communicate, communicate.

What are your communication tips for interacting with executive leadership?

One of my mentors has a somewhat tongue-in-cheek expression: “Ray, there has never been a single important piece of information that was delivered after the 30th minute (of a conference call) or after the third slide.” I always try to remember this when presenting information to executives. Keep it short, concise, and clear.

Another often cited (but often forgotten) tip is to never present a problem without presenting at least one proposed solution. This is often easier said than done but is absolutely vital when communicating with executive leadership.

On the other hand, when communicating with your peers and direct reports, brevity is not nearly as important as it is with executive leadership. In this case, it is much more important to be thorough in your communication and especially thorough in listening and absorbing their viewpoints.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

One of the most important things to realize is that almost everyone has a preferred mode of communication: some people naturally prefer face to face or phone calls, some prefer emails, and many prefer instant messages. You should not necessarily use that method exclusively, but most people are more receptive when you communicate with them via their natural channels. Beyond this, it is important to emphasize that you have a shared mission. In the InfoSec arena, this is about identifying and reducing risk.

Have you encountered challenges collaborating with technology teams like information technology and software development?

I would say the biggest challenge when collaborating with software development and other IT teams is that their priorities are not necessarily aligned with yours. Additionally, security is often (erroneously) viewed as an impediment to software or product development. However, this should not be the case, and here is why…

One of my favorite analogies about InfoSec has to do with the Shinkansen trains in Japan. These are the so-called bullet trains that regularly travel at 200 mph. The reason these trains travel so fast is not because of the technology involved in the acceleration; it is actually because of the innovations in braking. The brakes aren't there to make the train constantly go slower; they are there to enable the train to travel faster! Similarly, properly implemented information security controls can be a business enabler rather than a hindrance. Good brakes empower faster trains.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

  • The Woman Who Smashed Codes by Jason Fagone. This is the incredible story of Elizebeth Smith Friedman, who helped start what we now call the NSA and was an absolute badass.
  • Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World by Joseph Menn. This is an absolutely compelling tale about one of the most influential hacking groups ever.
  • Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg. This has incredible in-depth reporting on nation-state activity.
  • Dark Territory: The Secret History of Cyber War by Fred Kaplan. Basically this is a textbook on the newest realm of warfare.
  • The Hitchhiker's Guide to the Galaxy by Douglas Adams. It's still one of the funniest sci-fi books ever written.

I tend to choose my reading materials based on what I see on InfoSec Twitter. This probably explains why all my recommendations are InfoSec-related!
