51
Wirefall

Closeup image of the cybersecurity professional “Wirefall.”

“I strive to put the organization's interests above my own, but I'm not an automaton.”

Twitter: @DHAhole

Some are born leaders, some achieve leadership, and some have leadership thrust upon them. I fall firmly into that last category.

Do you believe there is a massive shortage of career cybersecurity professionals?

There is only a massive shortage of qualified cybersecurity professionals because the definition of “qualified” is flawed.

I'm very involved in my local InfoSec and hacker scenes. Those organizations that have embedded themselves within our community, and that understand potential can be as valuable as referenceable experience or certifications, have been able to attract and retain some amazing talent even in this “negative unemployment” market.

Another step organizations should be taking to fill their open positions is to ensure that everyone is welcome at the table. Diversity and inclusion can't just be an HR mission statement. These aspirations must go hand in hand with equality in pay and opportunity for promotion.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

If it isn't difficult, then it's not a decision; it's merely selecting the best answer from a list of options. Decisions imply consequences, and determining the gravity of those consequences is often what determines how hard the choice will be to make.

Some of the most challenging decisions are those where unpredictable externalities are involved or the information required to make an informed decision just isn't available. In those cases, your “gut feeling” may be the best you can hope for.

The hardest decisions of all for me are personal. I strive to put the organization's interests above my own, but I'm not an automaton. While I respect the privacy of those on my teams, I hope to be close enough to know their family situations and the names of their significant others and children or pets, if any. I want to know their passions, dreams, and hobbies.

I've had to let folks go who felt more like family than colleagues. While making that decision is extremely difficult, putting my entire social network behind finding them a soft landing isn't. That's just a given.

What's something that you struggle with as a leader, and how do you overcome that?

I find everything related to leadership a struggle. I don't believe that I will ever overcome that, but I can continue to work on it. Open communications, building trust, and being accepting of honest feedback are how I determine what areas to focus my efforts on.

The most difficult leadership position I've ever been thrust into was at my last duty station. Our sergeant rotated out a full six months before his replacement was scheduled to arrive. We were a small shop of four airmen. We were all equals and had formed a cohesive team. One of our team was the natural selection for the position, as his goal was to make the Air Force a career and rise through the ranks as quickly as possible. Unfortunately, I outranked him by a day, and that's all that mattered in assigning me the temporary acting-sergeant role. This changed the dynamics of the shop instantaneously, and I lost a valued friendship because of it. I was able to finally convince the base commander to have the sergeant of another shop serve part-time over our team so that I handled the day-to-day assignments and he managed the personnel issues, but the damage had already been done. Twenty-five years later I still second guess my decision to put duty first, and I'll likely take that doubt to my grave.

How do you lead your team to execute and get results?

The most important factor for any successful team is trust. In this aspect, the only difference between how I lead a team and how I contribute as an individual is that as the leader it isn't just the most important factor; it's all that matters. Every promise and commitment must be met. If they are not, then it's imperative to immediately engage the team on why they weren't. If it was due to unforeseen circumstances, then share those. If it was because I dropped the ball, because none of us are perfect, then I will own up to it and explain how I intend to make sure that it doesn't happen again. The corollary of this is also true. If one of your team members doesn't meet their commitments, then give them the opportunity to explain why and work with them on how they can prevent future occurrences.

Finally, when briefing management, always credit the team for its successes while taking the blame for its failures.

Do you have a workforce philosophy or unique approach to talent acquisition?

Of all of my responsibilities as a team leader, this is one of the most critical. Often you'll just be handed a team, which can be quite challenging. There are existing dynamics that must be considered, and many times there will be members that you would have never chosen if given the option. Work with what you have. Find ways to motivate underperformers, but don't be afraid to let toxic team members go.

The most ideal situation is a greenfield opportunity. I've had this occur only once in my career. You should already know who you want on your team before this opportunity ever presents itself. Successfully building a dream team often depends on how plugged in you are to the community, whether that's your local meetups or social media outlets. I'm not advocating for nepotism. It's not about hiring your friends; rather, it's about who you know and trust that can meet the demands placed before the team.

Once the team is in place, the best way to retain your top talent is to challenge them, provide them with an attainable career path within the organization, and provide meaningful training opportunities. The latter is something I focus on as a team leader. I know many managers who discount conferences like Defcon or BSides as nothing but opportunities to party, but I feel that it's during these social events that true relationships are formed, which then become the potential for future hires.

This brings me to my final recommendation on this subject. You shouldn't just rely on your network; you should leverage the network of the entire team. If, as a leader, you've properly set the expectations of accountability, then nobody is going to recommend somebody just because they're a friend. You're going to get referrals for people who are going to be outstanding contributors.

What are your communication tips for interacting with executive leadership?

All communications with executive leadership should be the culmination of your interactions with your boss, peers, direct reports, and the rest of your team members. It should be a bottom-up approach. Your team members and direct reports will provide the information you need to formulate the best options available. Leverage your peers to vet any and all recommendations, and work with your boss to help massage the message into a format that will be most readily digestible by executive leadership.

The goal should be to make this less of a decision for the executives and more of a selection of the best option from those provided.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

Again, it's all about trust. All of your promises, commitments, and actions should be focused on increasing your trustworthiness. It's good to be liked, but it's better to be trusted.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

This can be one of the most challenging relationships. As a delivery consultant for penetration tests or as a leader of a pentest team, I am also revenue-generating. We don't get the gig in the first place, though, without sales.

The sales team always seems to be chasing the pretty penny. Red team? Yes, we do that! And then they scope it as a traditional vulnerability scan or penetration test. Most of the time, though, the client doesn't understand what they want either. In the end, it boils down to education of the sales team and expectation management of the client.

Have you encountered challenges collaborating with technology teams like information technology and software development?

In my roles I've had limited experience with this. When our company was first acquired, the acquiring company had a strict data security policy. Only authorized applications were allowed on corporate assets, and client data could not be stored on noncorporate assets. Unfortunately, at the time, the only tangentially related security applications allowed on corporate assets were PasswordSafe and Ethereal. We couldn't have a BackTrack instance or install Nessus because those weren't authorized on corporate devices, and if we installed them on noncorporate devices, then we were violating the policy regarding client data collection. Imagine performing a penetration test with just a password vault and a packet capture application! We successfully worked with the CISO to create a policy exception. Our testing laptops would adhere to the intention of the corporate security policy but would not be restricted to authorized software. The only caveat was that these devices could never connect to the corporate network.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

While we should always be learning, one's preferred format for ingesting information is irrelevant. It doesn't matter if it's from a book by an expert in the field or from formal education, online videos, podcasts, on-the-job training, interaction with our self-selected mentors, or even just our day-to-day experiences. How we learn is less important than what we learn.

That said, The Phoenix Project by Gene Kim has done more to inspire and help me become an effective security leader than anything else.
