Developing Government Cyber-Leaders

As the pay gap between government and the private sector grows larger, where will the next generation of government cybersecurity leadership come from? What's the best background to enable success? Who should consider government cybersecurity roles? The public and private sectors are battling a growing list of global cyberthreats. With more data breaches, cyberattacks targeting critical infrastructure and new Internet of Things vulnerabilities, the competition for competent cybersecurity increases.

April 3, 2016

As we get set for another NCAA Men's Division I Basketball Championship game tomorrow night, there are many media stories about the different approaches taken by college sports leadership to achieve their program goals. What is clear is that the chemistry of these winning basketball teams starts with the coaching staff. Further, the tone and vision starts with the head coach.

There are numerous examples of top coaches who build winning programs and traditions. Now the reality: the best college basketball coaches are also expensive.

And when it comes to hot careers in technology fields, there is no role in greater demand right now than security executives with winning track records. Whether discussing a Chief Information Security Officer (CISO), or Chief Security Officer (CSO) or Director of IT Security, the best talent has become much more expensive over the past few years – with total pay package gaps widening even further between the public and private sectors.

Cyber-Leadership Strategies Seen

What’s being done in the public sector to address these problems? I have seen various cybersecurity strategies taken by governments; some are more successful than others. Here are a few winners and losers. First, the bad ideas. ...

Don’t Do This – You Will Fail Eventually

  • Ignore the problem – Some public-sector organizations deny that a good CISO is important. This is akin to denying that a good basketball head coach is important to winning in NCAA March Madness. Question to ponder: Why do so many orgs still not have a CISO or CSO – about 50 percent in this survey?
  • Just totally outsource security – Let me start by saying that some outsourcing, or “partnering,” can certainly help and make you a better team. Contractors and vendor contracts are very important, and good relationships are vital. But. ... You still need a government security leader(s) who is competent. I explain my logic on this topic in detail in this CSO Magazine blog on why government security pros are vital.
  • Hire the wrong leader – This can play out in several ways. I’ve seen some governments make political appointments or hire staff that are not qualified to lead security teams. Some technology generalists are hired as CISOs who don’t care about security and “sell the farm for a dollar.” These managers are popular (for a season) with many business and enterprise infrastructure teams, because they roll over and play dead when any difficult cybercontroversy comes along. This scenario always ends badly with disoriented teams, poorly managed security incidents and good security staff who leave.

Moral of the story: Hire someone who is qualified and passionate about security – even if they need to grow into their new role at first.

Winners – Do This to Help Succeed

  • Grow your own technology and security leaders – Use succession planning. The best scenario is when a current security leader is retiring and has the ability to plan for the upcoming transition of duties. Picking someone who is respected by the current staff and well liked by the wider enterprise can be a good move – assuming the necessary leadership and cyberskills are also in place.
  • Sweeten the package – Yes, pay is important, but not the only (or usually the most important) factor in attracting the right person. Consider the scope of authority, job functions and overall motivations of the applicant to see why the role appeals to him/her. (I discuss my motivations for staying over 17 years in government technology at the end of this blog.)
  • Hire respected pros who live in (and hopefully love) the immediate area (rather than someone who is from outside the area who is more likely to move again after a few years). I hear a similar story from government employees all over the country – what often keeps many in government is the desire to not travel (much), be near family and raise their kids where they grew up.
  • Partner with the private sector for a brief period to get CSO/CISO help. Executive-on-loan programs have been used by the federal government for years – where a private sector professional is “borrowed” by a government for a few years. Michigan CIO David Behen used a similar approach in hiring current Michigan CSO Christian Kopacsi – who is on loan from Consumers Energy for 18 months.  
  • Bring someone back. Public- and private-sector leadership roles do not have to be an “either/or” decision. Remember that many successful technology and cybersecurity leaders move back and forth between the public and private sectors. People like Teri Takai, Mark Weatherford, Phyllis Schneck, Howard Schmidt and others have successfully navigated their careers in ways that benefit from a mix of public- and private-sector service.

Getting Personal: Steps You Can Take Toward a Government Security Leadership Role

Given the title of this blog, I know that some readers are likely aspiring cybersecurity leaders in government. I’m especially glad you’re reading this.

Let me start this section by saying that not everyone has what it takes to be a government cyber leader who is successful. And yet, just as Tom Izzo, the well-known basketball head coach at Michigan State, was once on the hot seat and is now heading into the NCAA Hall of Fame, so many unknown security and technology professionals persevere through adversity to become successful executive government leaders who make a positive difference for society.

First, it takes the right training to become a security professional. While degrees and certifications don’t necessarily ensure you will excel as a security professional, they certainly help. I also find that technology pros who have good experience running enterprise infrastructure within government often make excellent security leaders – if they have a passion and an “eye of the tiger” for cybersecurity.

Second, an understanding of technology processes, procedures and how government actually works (behind the scenes) is a huge asset. For example, hands-on experience with emergency management can help security leaders in table-top exercises, incident management and a long list of budgeting areas.

Third, I encourage young security pros to join a good government security team that will help them develop their skills and experience. Government jobs offer diverse opportunities that are generally not available in the private sector until much later in your career. Besides the service to the community, the breadth and depth of challenges and opportunities to grow are truly unequaled – if you find a boss who believes and invests in you.

Fourth, find a helpful mentor. Read this article for more details on this essential topic.

Fifth, when you do enter the security leadership ranks as a manager or supervisor or other new supervisory role, learn from the mistakes of others.

Final Thoughts

A few times a year, I think back and thank God for my years in Michigan government security and technology leadership. I ponder various career decisions I made along the way, such as the decision to stay in government and not jump to the private sector in 2011 for a variety of personal and professional reasons. Here’s what I wrote at that time:

“My main reasons for staying in government include a new Governor who is serious (and passionate) about cybersecurity, a desire to limit travel, a real chance to make a positive difference and reinvent cyber in Michigan government (again), opportunity to work with DHS and other top global leaders in cyber, difficulty in moving (houses aren’t selling in Michigan), our local extended family that is a great support for me, my wife and kids, a helpful, challenging church community that is hard to find and ‘the government need’ is great.”

I have no regrets about that decision, despite far less pay. In fact, I wrote these seven reasons to consider taking a government cyber job three years later.  

Bottom line, don’t just look at your immediate paycheck. Treat your career the same way as your wise investments. Invest in continuing education for life. Build skills that will last.

And reach for the stars!

Could you be the next Alex Rogan? (Watch this ...)