Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

10 Signs of a Poor Security Leader

Weak leadership can demotivate and demoralize the security workforce. Here's what to look out for.

Joshua Goldfarb, Field CISO

March 9, 2022

4 Min Read
Concept of businessman liar and his shadow, which shows a growing nose a la Pinocchio
Source: Elnur via Adobe Stock

Many businesses are concerned about attrition — and for good reason. Few fields feel this pressure more acutely than the security field. While companies cannot control the tight labor market, they can control some of the factors that cause employees to leave.

Many factors contribute to departures, but bad managers are consistently ranked among the top factors, if not the top factor. A poor security leader, in particular, can have a disastrous effect on the security team. So how can organizations tell whether they have a poor security leader in place? Here are the top 10 signs.

1. Inability to think strategically: In my experience, the ability to look ahead, to identify the right direction, and to see how to get from the current state to the desired future state is not a common trait. While many positions in security don't require it, a security leadership position most certainly does. Poor leaders don't have this ability, and it shows up as constant meandering and zig-zagging.

2. Running from crisis to crisis: As mentioned above, poor security leaders are not strategic and methodical. They can't think ahead, can't see potential issues, and can't preempt crises. Thus, they spend most of their time running from crisis to crisis and actually impede their security team's ability to make progress.

3. Hesitance to put anything in writing: Writing things down brings certainty, direction, and accountability — all of which poor security leaders run from. Sadly, these leaders often believe that what isn't written down can't be used against them. This is unfortunate, as it creates a security organization full of confusion, lacking direction, and desperate for someone to take ownership and responsibility.

4. Words and actions don't align: I've never been a fan of those who operate via "do as I say, not as I do." Most people I've worked with aren't fans either. It's easy to pay lip service to issues needing attention. It's much more difficult to understand them, identify root causes, develop a plan to solve them, and then implement that plan successfully. Poor security leaders use words whereas their better counterparts use action.

5. Poor communication skills: Security leaders need to work hard to build trust with team members, executives, customers, partners, and other stakeholders. A big part of this is good communication skills. Poor security leaders don't have the requisite skills, and they often cause a loss of confidence and trust. When this feedback comes in from stakeholders — and, in particular, customers and partners — it is never a good thing.

6. Suppressing talent: While we expect a leader to nurture and cultivate talent, poor security leaders do the opposite. They suppress talent. Perhaps they believe that top talent is wise to them. Perhaps they fear that top talent might be too successful and look too good. Whatever the reasons, if an organization's top talent is suppressed, it is a bad sign.

7. Self-centered: Good leaders listen more than they speak; at the very least, they listen before they speak. They put their teams ahead of themselves and get them what they need to be successful. Poor leaders do the opposite. They are focused on saving themselves from crisis after crisis. As a result, the needs of the security team go unaddressed, initiatives don't move forward, and frustration and disappointment grow. Since poor leaders don't listen particularly well, they can't hear the storm coming and, thus, continue to focus on only what they need.

8. Does not make tough decisions: Leadership demands decision-making. Not every decision is easy, but every decision is important. The toughest decisions test a leader. Poor leaders might try to pawn off decisions on others or dodge decision-making in other ways — but in the end, the decision won't get made. This leaves their security teams in a state of paralysis; the security posture of the organizations suffers as a result.

9. Does not answer tough questions: Poor security leaders can't stand being held accountable for answers to tough questions. Thus, they will avoid them, change subjects, stall, or use a variety of other evasive techniques. Needless to say, as more stakeholders witness the leader dodging tough questions, trust and confidence in the security team erodes rapidly.

10. Takes cover (and credit): Poor security leaders are often quite good at co-opting allies to cover for them — yet they seldom or never give kudos. They are quick to point the finger when something goes wrong, but when things go right, they rush to take the credit. At some point, their allies may get wise; if they stop covering for the leader, look out.

While organizations cannot stop attrition entirely, they can control some factors that contribute to it. By looking for and removing weak "leaders" within their security teams, organizations can reduce the risk that the security workforce will become frustrated, demotivated, and demoralized. This facilitates lowering the rate of attrition to a more manageable level and helps security teams work more effectively to improve their organizations' security posture.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights