Welcome to the second Deep Dive of our Agile Cyber Security Blog!

I do not consider control something bad, but as organizations and society transform away from a traditional, industrially influenced environment, control-based leadership feels antiquated.

Personal learning experience

When my son was born a couple of years ago, I had to change my perspective on control in my personal life from one day to the next. As a new father, I had to realize that there is almost no control and that I have to trust in the amazing capabilities of this young child. Trying to keep control would just end up in anger and frustration and would not help my son grow and learn. I learned that the best approach for me is to enable my son to experience things himself. This means, for example, climbing up somewhere and sometimes not being able to climb back down.


Where I am needed most as a father

If he climbs up somewhere, I already know: “It’s dangerous, and he needs to be careful to not climb too high”. When he experiences the feeling of danger, however, this will result in real learning. I have to motivate him to experience those feelings but I need to be there just in case he cannot get down any more by himself, or I need to catch him if he falls. When he hurts himself, I need to be there to console him so that his overall experience is not too bad and stays a positive learning experience.

Sometimes I am very surprised by my son’s tactics and methods to achieve something. Very often this is different from what I had in mind, but it is not about the how but about the end result - and the experience of success provides the most sustainable learning moments. I, on the other hand, learn to trust his skills and abilities to take care of himself. Too often I underestimate what he’s already capable of.

Ask the right questions

You can transfer that to your professional life as well. I consider it almost a human instinct to learn by experience. As a CISO, I am a leader and you could also say the ‘father of Cybersecurity’. I know what can go wrong and I know tactics that have proven effective. Yet I cannot control everything, so trust in the skills of our employees is essential.

Over the years, I have learned that I need to ask the right questions, learn to listen, and step down from my horse and be part of the people that need to actually achieve security.

If you ask the right questions, they will come up with tactics and tools by themselves and learn from success through their own experience. Sometimes a simple “What do you recommend?” or “How would you solve the issue?” changes the perspective of your developers. They will start thinking as if they were you, as if security were part of their DNA, too.

Try a new approach

I got deeply inspired by the Intent-Based Leadership approach from David Marquet.

As a CISO, you should not dictate which tools should be used. You inform the team about what you would like to achieve, motivate them, and let them come up with a solution. If they struggle, you can still help a little bit while giving them the feeling that they are part of the process. This experience will help them grow and achieve things by themselves.

I certainly try to do it this way - and yes, I also sometimes fall back to old behaviours. These are some experiences I had with this approach:

  1. Once, in the middle of a discussion about “low hanging fruit audit findings”, a tech lead mentioned ‘helmet’, a small but great tool for setting the right HTTP headers. I had not known this tool and now I know it is awesome. We are now even looking at implementing it in other areas, too.
  2. Another time I had a discussion with a developer from our Real Estate Portal (Homegate) about how you can protect lambda functions. He showed me ‘puresec functionshield’. I had never heard of that, but it’s a great tool that increases the security of your lambda functions by setting privileges and connection rules during startup of your function.
  3. I also remember when we developed our new platform for 20min. I tried to motivate the dev team to include security from the beginning: doing SAST scans, making sure that libraries are always up to date, and so on. They showed me ‘nancy’, a tool like npm audit to check for outdated libraries if you use ‘golang’.
  4. Recently I had a discussion about moving from one WAF provider to another and we had our final decision to make. The team approached me and honestly, I had no idea which way to go. So I asked: “What would you do?”. Silence followed in our Slack channel and it took one day until one team member came back to me. He had thought a lot about the question and made a recommendation that I followed. Given the solution came from the team, I feel much more confident that we are going the right way. And the team feels involved and appreciated, as they had the ultimate influence on how we proceed.

In a nutshell

Like a father encouraging his child, give your employees the confidence to speak up and make their own experiences. This will have a very sustainable impact on how security is treated and built in by design, without any instruction.

What comes next?

I invite you to follow our blog series and to learn how TRUST, a DIFFERENT LANGUAGE and LESS CONTROL all come into play. I expect you will be inspired to sharpen your profile as a LEADER, ENABLER, CONSULTANT while staying the CISO who instructs and defines the minimum boundaries - well, the latter, sometimes at least.

Coming up next are several deep dives in which I will share core elements of the Agile/Modern CISO approach.

Following these, we will continue with a more technical part, the Security Automation or Shift Left approach for DevOps. To conclude the whole series, you will get a glimpse at our Zero Trust Architecture called BeyondCorp, which we apply throughout our company.

I hope you enjoy this series and, in the spirit of agile, I welcome your feedback and comments along the way, ideally on LinkedIn or via email.


Andreas Schneider

Group Chief Information Security Officer