43
David Rook

“I care deeply about the people I manage, and I want to see them happy, supported, and developing well, but this does take significant time.”

Twitter: @ian_InfoSec

Website: securityleadership.ninja

David Rook is the European security lead at Riot Games. He has worked in technology for 18 years and in the information security space full-time since 2006. Before moving into the computer games industry, David held various application security roles in the financial services industry. He has presented at leading information security conferences, including DEF CON and RSA.

Do you believe there is a massive shortage of career cybersecurity professionals?

I think the answer to this question is that it depends on what you're looking for. I do think we have a shortage of experienced (10+ years' experience) individual contributors and leaders but not of cybersecurity professionals. Cybersecurity is still quite a young profession, so that's to be expected and something current leaders in this space should be focused on addressing.

I feel we're currently seeing more young people than ever interested in and studying toward becoming a cybersecurity professional. What we need to see is more leaders willing to give these people a chance without ridiculous requirements and expectations in job descriptions.

I also believe most hiring managers and leaders fail to look outside of the obvious pools of talent when hiring. If you understand the traits that are important in cybersecurity professionals, you can find them in people in every area of tech if you put the time into looking. My current team is a 50/50 split between those who had jobs in this industry before we hired them and those who didn't. We've hired excellent cybersecurity professionals from networking, IT, and software engineering backgrounds.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

In an ideal world, I prefer to take time to think a lot about hard decisions I have to make. I prefer to collect all of the relevant information and speak to key people who can add additional context for me. Once I've got all of that, then I mainly just think multiple options over in my own head until I feel I've narrowed it down to the best one or two options. I'll often then share my thoughts with a few colleagues whose opinions I really respect before communicating my decision. I never like to rush hard decisions, so where possible I'll take as much time as I think is needed to consider options. We obviously don't live in an ideal world, though! At a recent large live event for my employers, I had to make some hard decisions about a core part of the event with very little time (I was in bed when I was called to help with this problem!). I still largely followed the same approach but with a more condensed timeline. I gathered all the people who could help troubleshoot and provide more context, and I found a quiet corner in the venue to think over the options before sharing my thoughts with a couple of senior leaders to get their thoughts.

My decisions nowadays tend to be process and people focused. I do provide input on technology decisions on a daily basis, but I defer to those closer to the problem than myself where I can.

What's something that you struggle with as a leader, and how do you overcome that?

This question is an easy one to answer but one I still struggle with. I moved into a people manager and leadership role at the same time, and I've often struggled with where to spend my time. I care deeply about the people I manage, and I want to see them happy, supported, and developing well, but this does take significant time. I find that some people will take more and more time without ever considering the impact on my day or plans. As a leader, I'm the one who needs to learn to say no more and offer an alternative time to chat or meet if it's not convenient.

I've found that explaining to my team what I'm actually working on and the deadlines I have helps with this. I also take advantage of flexible working hours and working from home to make sure I get the time I need to do work.

How do you lead your team to execute and get results?

I make sure my team sees the real me and not some manager/leader act I've seen others put on. I focus on building positive relationships with the people I lead and ensure that they understand I care about them and actively support their development. If people feel psychologically safe and supported, they are able to perform at their best. Relationship building outside of my immediate team is also vital to ensure that we know what the business is doing and what they need from us, and it's an opportunity to champion our efforts.

Have you created a cohesive strategy for your information security program or business unit?

I've created and championed several important security strategies in the six years at Riot Games. My first strategy was for the application security program, and I spent a lot of time understanding the needs of the company before writing it. In this case, I spent time speaking to security and technology leadership to understand the goals of the product and discipline I was part of. This progressed to me meeting software engineers and product leads of key products to understand their goals and needs from security. This allowed me to develop and publish a strategy that launched an application security program that was aligned with the security and technology goals of the company. The strategy and vision for this team has been revisited over the years to ensure that this continues to be the case.

When I was writing our European security strategy, I iterated on this approach and spoke with many more people. I spoke with country managers, product leads, and individual contributors across Europe from every business unit we have. I could only create an impactful strategy by understanding their goals and needs.

What are your communication tips for interacting with executive leadership?

Understand what they care about in their role and in turn what they need to know about cybersecurity and how it impacts that. I think it's also important to tailor your messaging based on their view of the world and what they care about. You will often need to drop the technical jargon and description of issues, be factual, and drop a lot of the hype around problems. I've found that giving a high-level description of your concerns, the impact on a product/business, and an explanation of what you need from them works well.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

Be genuine, factual, and vulnerable. This has allowed me to create good relationships with people at every level in an organization. When it comes to the people I manage, I try to ensure that they understand where I see them fitting into the bigger picture, the value they deliver right now, and where they can grow going forward. If people feel you're supporting them and helping them progress, they'll go to great lengths to meet your expectations and deliver value for cybersecurity and the company.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

  • The Leadership Pipeline by Ram Charan, Stephen Drotter, and Jim Noel is a book that a friend gave me before I even became a leader. It's a book I feel all leaders should read, as it helps you understand how to identify and grow future leaders.
  • The Culture Map by Erin Meyer is a fantastic book that will arm you with the knowledge you need to factor in cultural differences in your leadership role. It is easy to make mistakes when your worldview is limited to your own culture and experiences.
  • Leading Snowflakes by Oren Ellenbogen is my final recommendation. It helped me make the transition from being a security engineer to being a security leader with people management responsibilities. It helped me figure out what my days should look like and how to redefine value/good work in my mind. It's a must-read for anyone making the transition from a purely technical role to one where you manage and develop others.
