46
Jackie Singh

“I adapt my style of leadership to the situation at hand. I attempt to distinguish whether instructing, coaching, supporting, or delegating is the best response at any given moment.”

Twitter: @ian_InfoSec • Websites: www.spyglassltd.com and www.linkedin.com/in/FindEvil

Jackie Singh is the founder of Spyglass Security, a consultancy specializing in helping businesses develop and implement effective cybersecurity strategy.

Jackie became a Linux enthusiast at age 12 and became deeply involved in the world of hacking, eventually leading her to become an information security professional. Her most recent roles have led her to serve as principal consultant at Mandiant/FireEye, as global director of incident response at Intel Security/McAfee, and as a senior manager at Accenture.

Prior to her work in the commercial sector, Jackie served in the U.S. Army and spent several years in the Middle East and Africa working on technical projects.

Do you believe there is a massive shortage of career cybersecurity professionals?

The supposed gap between the raw availability of qualified information security professionals and increasing numbers of cybersecurity jobs is overblown. Instead of a skills gap, I believe what we're actually experiencing is a misalignment between the true requirements of organizations, how those needs are represented outwardly to the marketplace, and the types of training available for job seekers.

Companies rarely dig deep to validate role requirements. This often creates a mismatch between actual roles and their descriptions. Job descriptions with incorrect or vague requirements can drive job seekers to consider training that may not be the most appropriate to support their actual chances of getting hired. Companies also often do not budget appropriately for the professional development of employees. Internal training teams are rare, concerted efforts to build internal training programs are few and far between, and external training programs are often criticized for their high costs in terms of both pricing and time away from the job. If you can't train an employee, you'll be incentivized to try to identify candidates who already have all the skills you need, which puts you at a severe disadvantage as the hiring manager and disincentivizes potentially qualified candidates from applying.

It's best not to open a new position to solve a problem if other members of the security operations team can develop a new skill or if a motivated employee from the IT department can gain a new responsibility and serve as a useful bridge to SecOps. Often, the need to hire a new employee can be shelved in favor of building or improving processes. Organizations sometimes prioritize technology as a “magic bullet” and fail to plan for staffing altogether, draining budget that could have been used for training or hiring.

The best answers for closing these gaps are more deeply embedded within the true needs of the organization, so my advice is to make sure you know what those are and align them well to your roles and job descriptions before making staffing decisions.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

Developing a personal library of decision-making models (for example, the Pareto principle) has been valuable for me over the past few years to support the data needed to answer difficult decisions well. Models help simplify and organize and are pragmatic. While they don't provide answers on their own, models help us structure chaos and reduce complexity by concentrating on what is most important.

I find technology decisions are often more straightforward than those involving people or process, which are more critical to get right and take more time to understand.

How do you lead your team to execute and get results?

I adapt my style of leadership to the situation at hand. I attempt to distinguish whether instructing, coaching, supporting, or delegating is the best response at any given moment. This follows the Hersey-Blanchard model for situational leadership, which suggests employees should be led in such a way that managers become superfluous. This means leading generously, sharing knowledge openly, and trusting the team to perform.

This is also similar to the way I contribute as an individual—by maintaining flexibility and continually seeking the best collaborative approach.

Do you have a workforce philosophy or unique approach to talent acquisition?

Treat information security talent like any other talent. Have respect for the unique approaches that diverse individuals and their experiences can bring to your organization. Compensate them fairly and equally.

Have you created a cohesive strategy for your information security program or business unit?

Developing a diplomatic approach is critical for any leader. While your team is critical to the functioning of your program, you won't get it off the ground and continue to grow its scope and budget unless you are skilled at the art of obtaining buy-in from executive staff, other critical pillars/junctures within your organization, and your peers.

Finding out more about the day-to-day business and responsibilities of other teams outside of security will improve your ability to find areas of mutual interest, which are critical to advancing your team's agenda.

What are your communication tips for interacting with executive leadership?

My most helpful communication tip is to cut down any information that isn't necessary to understand the big picture of what you are attempting to convey. Tailoring your message for an executive audience means limiting technical detail and elevating the most important statistics.

It is also important to distinguish problems from opportunities and to show you know the difference.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

The human side of this work is often overlooked. Seemingly small actions, such as ensuring that credit is given when due, recognizing hard work, being giving of your time to share knowledge, or getting in touch if you suspect someone is going through a hard time can go a long way toward creating lasting relationships.

This is a small industry, and you are likely to run into the same people again and again over the course of your career.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

I encourage you to try to identify areas of mutual interest. Understanding other teams' definition of success is valuable information you can use to help drive outcomes.

Have you encountered challenges collaborating with technology teams like information technology and software development?

IT and development teams don't have a great grasp on security. Leaders who can reduce complexity, keep their ego in check, and provide supportive reassurance will be most successful in working with teams with competing priorities. We're all in this together.
