Leadership Lessons for Security Teams
Oct 2024

Here are proven leadership principles that I've learned by doing, tailored for security teams, from SOC analysts to security executives.
Play Well With Others, But Stay Alpha
Your incident response involves IT, legal, communications, and executive teams. Be collaborative, listen to everyone's input, but when it's time to make the call on containment or remediation, own that decision. Don't lead by committee during a crisis.
Confident Assertiveness Has Its Place
When you're briefing executives about a breach, speak with authority about what you know. When you suggest security measures, be clear and direct, don’t water it down with too many disclaimers. Your team and leadership need to trust your judgment. A little swagger helps build that confidence.
Train Like You Fight
Run tabletop exercises monthly, not annually. Practice your incident response playbooks until muscle memory kicks in. When real attacks happen, you want your team operating on autopilot, not scrambling to remember procedures.
Know When to Break the Rules
Your security policies are guidelines, not written in stone. If standard procedure says "escalate to management" but the attack is moving fast and management is unreachable, make the call yourself. Document it later, act now.
Build Trust Through Competence
Your authority comes from being the person who spots the issues others missed, who keeps systems running during the attack, who calmly coordinates response when everything's on fire. Prove your worth in small crises to earn trust for the big ones.
Move Fast and Accept Risk
When indicators suggest lateral movement in your network, start containment procedures. You can refine your response as forensics reveal more details. Perfect attribution can wait, stopping the breach can't.
Communicate Up and Down the Chain
Keep your CISO informed of emerging threats, but also make sure your analysts understand the business context of their work. The SOC needs to know why protecting the customer database matters; executives need to understand why that "minor" vulnerability is actually critical.
Own Your Failures and Learn Fast
After every incident or issue, gather your team and dissect what worked and what didn't. Was communication clear? Did tools perform as expected? What would you do differently? Turn every crisis into a training opportunity. AARs (after-action reviews) are your friends.
Stay Humble About What You Don't Know
You don't have to be the world's expert on every type of attack vector. Know when to escalate to specialists, when to bring in external forensics support, when to admit uncertainty. Your job is solving problems, not protecting your ego.
Prepare Your Successor
Cross-train your team so operations don't collapse when key people leave. Document not just procedures but decision-making processes. Share knowledge freely; your team's success depends on everyone being able to step up when needed.
Mission First, People Always
Sometimes security decisions require accepting business disruption to protect the organization. But take care of your team too: the SOC engineers pulling 16-hour shifts during incident response, the engineers implementing emergency patches on weekends. Mission success depends on people success.
Trust Your Training When Everything Goes Wrong
In the middle of a major breach, stick to your processes. Trust your incident response procedures, lean on your team's expertise, execute what you've practiced. Chaos is when preparation pays off most.