In the Cyber security arena, we see a lot of self-proclaimed security guru’s in the media these days making a day-job out of chasing ambulances. For those that don’t know the term, an ambulance chaser is somebody looking for a victim and telling him or her what went wrong and why he/she should do better next time. For example, a lawyer who seeks to encourage and profit from the lawsuits of accident victims[1]. Most of them will tell the world, after a security incident or breach how easy it was to prevent such an incident (e.g. the Kaseya, SolarWinds and Maersk incidents were parroted by countless security “guru’s” on LinkedIn). The incentive is often to chest pound themselves, and prevail above others to either sell themselves, a service or a product. You can ask yourself, are these people who really have or had end responsibility for cyber security? Did they experience a serious security incident themselves? Or do they have hands-on experience in actually fixing the damage after the proverbial “Shit has hit the Fan”? Or are they bystanders, coaches, advisors. Meaning that they perhaps never did more than just assessing, advising or has never been responsible for making things secure. In this blog we shed light on these bystanders and their “Duck” behavior and on the “Eagles” that really Leads cyber security against the silent enemy.
Eagles and Ducks
As mentioned in our book “Leading in Digital Security”[2] we don’t think that a negative approach will help bring security to the level that we need. A clear explanation about these types of ducks is given by Dr. James Reese in “Ducks and Eagles”[3] Eagles are strong, take care of others and deliver results, Ducks, walk around quack, looking for leftovers, making noise about everything and only respond if they are poked. They complain about everything and do that clamorous.
In Cyber Security you can recognize Ducks by their focus on following processes and policies, complain about budget and lack of mandate, not being able to sell the message internally and think and act out of the silo. Some examples of behavior of the Eagles in Cyber Security: They cover the entire empire, know important stakeholders, know the forces they operate in (see also: Porters’ 5 Forces Elements for a Digital Security Strategy) and is razor sharp on innovations, silent enemies and leads the group including their bosses.
As you can imagine, the ambulance chasers who are parroting each other fall into the Duck category.
In general, we understand that we are not all eagles, and you sometimes need a duck for the right biodiversity in the bird kingdom. However, business leaders all like to work with eagles, focused, razor-sharp, goal oriented and delivering results.
We’ve developed 6 traits for cyber security experts to become eagles, and to lead and deliver on the promise.
Be Humble
A survey of 105 computer software and hardware firms revealed that humility in CEOs led to higher-performing leadership teams, increased collaboration and cooperation and flexibility in developing strategies[4]. Also, Jim Collins found two common traits of CEOs that change companies from average to superior market performance: humility and an indomitable will to advance the cause of the organization[5]. Humility is not thinking more highly of yourself than you ought. So, it’s better to show actual results than just talking about what might be.
Show Character
Like the Eagle you need to show character. Show Ownership, Authenticity and Craftsmanship, and an inborn will to learn. Live by strong values, act with integrity, show empathy to others, have the discipline to act consistently and be a warrior. This also means being honest about your own limitations and knowing when you need to ask for help. We learn a lot from talking to our peers and especially share with them what didn’t went so well. In the end, this character will yield the right gravitas that will persuade people to listen and collaborate.
Be an Intellect
This means that you need both IQ and EQ. IQ relates to the power or faculty of the mind by which one knows or understands and certainly doesn’t mean that you have the most titles before or after your name (although certain institutes will tell you the opposite since they make money out of this). IQ also means: mental agility, ability to adjust yourself quickly to new ideas or in uncertain situations; a sound judgement, objectively and well calculated; innovative; interpersonal tact to effectively interact with others and have expertise. Expertise means not only having the right technical or theoretical skills and know-how, but also the expertise to collaborate effectively. IQ without EQ is therefore a dead-end. EQ is the ability to recognize emotion in yourself and others, and to use that awareness to guide your reactions, decisions and in essence the ability to “read” and “influence others.
Develop others and yourself
Life is a rollercoaster. You can either fight change or embrace the opportunity to learn more. We all know that the best way to survive is to adapt to change, so stay foolish, stay hungry[6] and be your own critic. Also make sure that you create a positive environment for others to develop, because your team will never win if you want to remain the best of the pack. Consider training people “on-the-job” in line with the 70:20:10 principle from Charles Jennings[7]. This principle assumes that a working professional learns 70% through non-professional trainers or teachers. For example, from colleagues, friends and relations in the working environment. We learn 20% through coaching and mentorship and 10% through formal training and courses.
Take Ownership and Show results
In the end it’s all about results. You’re not making any progress by constantly telling what others are doing wrong or by producing PowerPoint slides with advisories or scenario’s that can or will unfold, when these will only happen in theory or as perceived black swan scenarios. You make progress by taking ownership of the problem, the design of the approach to solve it, the goals and ultimate the delivery of tangible results. In some cases, you probably are unable to deliver results for whatever reason. When you do, take ownership, be sincere, even if that means that it’s time for you to move on or go. Because as said by Nelson Mandela “The greatest glory in living lies not in never falling, but in rising every time we fall.”
Spend more time Upstream preventing the silent enemy than downstream chasing him away.
An eagle selects a perfect perch from where he can spot his next bit of food. This perch is selected with care, by applying past experience and inbred cunningness. He also takes his time before leaping into action. All of this has to do with the capability of prework and study of the environment, so that he covers all the angles. The duck on the other hand lives only down-stream, they do no pre-study and hence do nothing that looks like planning. In his brilliant best-seller Upstream Dan Heath[8] says “Be impatient for action but patient for outcomes. The world is full of groups who engage in lofty discussions, like Ducks—and feel virtuous doing so—but never create meaningful change. Change won’t come without upstream action.” Therefore, being an Eagle as per our definition in Cyber war against the silent enemy, is an upstream hero, a moment maker, the goto expert for the whole organization.
When eagles are silent, parrots begin to chatter[9]
In our book we generate 12 important lessons to combat the silent enemy. Those are the enemies we can’t see with our own eyes, but we know, feel and sense that it is there. The eagle sees and hears his target from miles away. To win this cyber war we need more diligent, razor-sharp minds, determined mindsets and craftsmen to observe, address and deal with an issue or incident, an Eagle we would say. These people deliver tangible result and often don’t have the time to celebrate them. They are servant leaders that are busy enabling the business by removing security measures where they can be removed. They form coalitions inside and outside the company and orchestrate security impact throughout the supply chain. These are the people that usually don’t just stand and watch (and tell afterwards what went wrong) during a crisis, but they act without going for fame. So, let’s stop chasing that ambulance and really listen to truly understand how you can learn from our own and other’s mistakes.
By: Mark Butterhoff & Yuri Bobbert. Big thanks to Willie Appel
[1] https://www.thefreedictionary.com/ambulance+chaser, The origins of this phrase date from 1897, from newspaper articles about attorneys seeking clients through targeted mail solicitation. “Ambulance chasing” was one of the descriptive phrases employed by the media for this activity. It later became a derogatory term for direct advertising.
[2] https://books.apple.com/nl/book/leading-in-digital-security/id1533828023?l=en. The Book Leading in Digital Security describes 12 ways to combat the silent enemies in cyber security and is the cookbook for any CISO who wants to Lead in the digital era.
[3] https://www.youtube.com/watch?v=e5jYAVTaopY. This video from Dr. James Reese explains the difference of leaders and servants and the parallel to Eagles and Ducks in the bird-kingdom.
[4] Do Humble CEOs Matter? An Examination of CEO Humility and Firm Outcomes, Amy Y. Ou, David A. Waldman, Suzanne J. Peterson, September 21, 2015, Journal of Management
[5] Good to Great – Why Some Companies Make the Leap… and Others Don’t, Jim Collins, 2001
[6] “Stay foolish, stay hungry”, Steve Jobs, the late Apple co-founder being called the Thomas Edison of his time, revealed in a commencement speech at Stanford University in 2005 (https://www.youtube.com/watch?v=_vdT7191l3E)
[7] https://702010institute.com/author/charles/. In this article Charles Jennings explains the 70/20/10 learning rule on how to adopt to knowledge.
[9] “When eagles are silent, parrots begin to chatter” Winston Churchill (British politician and Prime Minister, army officer and writer)