I suppose I’m going to figuratively fire some shots with this post, and I reckon that’s OK. I think this is something that needs to be talked about, because it genuinely concerns me. It concerns me because words have meaning, and when we don’t use them according to their meaning, we actively change the perception of those words. At this point, in the corporate world, “leader” flat-out doesn’t mean what it used to mean.
I’ve been doing this for a very long time at this point, and I’ve worked for countless managers, but I can count the number of leaders I’ve worked for on one hand with fingers to spare (and I have only the default number of fingers on each hand).
Leadership: The office or position of a leader; a capacity to lead; the act or an instance of leading.
Lead: go before in order to show the way or guide.
Manager: a person whose job is to manage something. Manage: to direct or be in charge of.
Now…we can clearly see a difference here, right? A manager gives orders. A leader may also give orders, but by definition must be an active participant in the task. It is impossible to lead from the rear. A leader is not a person who gives orders while not participating in an action. I’m an outdoorsman, so I’ll use that as an example. If I lead a hike, it does not mean that I tell you to go hiking. It means that I go hiking with you; I go before you, show you the way, and ensure that you follow.
So…can a person with excellent personnel management skills but no technical ability lead a security team? Absolutely not. They may be able to manage that team, but they can never lead it, because without the technical skills, they cannot be active participants in the team’s work.
The only way to lead is by example, and from the front. If you’re a manager who achieved your position through corporate-political machinations, manipulation, and backbiting, then you’ll be leading your team, not in their job, but in learning to undertake that very same process of political game-playing. Don’t ever be surprised if the people you’re supposed to be leading begin to emulate qualities you embody.
If you threw someone under the proverbial bus in order to achieve your position, don’t be surprised when you find yourself under that very same bus, courtesy of someone who was doing nothing more than emulating their “leadership.”
These are things well worth thinking about. As a leader, you need to be cognizant of the example you are setting. You must lead from the front. You must embody the qualities you wish to see from your employees. If you want to see hard working and diligent employees, you must show that you are hard working and diligent. If you want to see highly competent employees, you must be seen to be highly competent. You must inspire your employees through your actions, not simply through words.
A leader is also responsible for their team’s successes and its failures. If my employee hoses an investigation, it’s my fault. Full stop. It may be my fault because I failed to properly train the employee. It may be my fault because I failed to fire an employee who was not performing at the necessary level. It may be my fault because I modeled lazy behaviors, and the employee was emulating me. Whatever the reason, it is most assuredly my fault. Conversely, if my employee does an amazing job, it’s my success; maybe because I made a smart hiring choice, or because I trained my employees well, or because I modeled diligence and work ethic in my own investigations. Either way, if I’m unwilling to take on this responsibility, that means I’m unquestionably not deserving of the position I hold. There is no “passing the buck.” It stops with me. That’s what a leader does.
Now, to clear up a few things: I’m not saying that a leader must be an expert in every facet of the job. The larger and more varied the team, the less that will even be possible. A CISO, for instance, cannot reasonably be expected to be an expert in architecture, engineering, compliance, operations, IR, threat intelligence, threat hunting, and project management. On the other hand, in order to be a leader and not simply a manager, they must have a basic working knowledge of each of these fields. Without that basic knowledge, how can a leader effectively employ the expertise at their disposal?
Let’s use a military example, because it makes things obvious. An infantry company commander will have riflemen, machine gunners, grenadiers, and mortarmen at their disposal, and potentially even some battalion-level assets like a sniper team. Can that commander effectively deploy those forces if he doesn’t understand how mortarmen do their jobs? If he doesn’t understand the capabilities of the sniper team? If he doesn’t know the differences between heavy and light machine guns? No. A leader who lacks this fundamental understanding will have his snipers engaged in close quarters combat, his riflemen attempting to engage targets at 1,000m, and his mortarmen dropping rounds on civilian targets.
Now, out here in the infosec world, things can seem less urgent. Nobody is going to get shot or blown up, after all…but please remember that our job exists for a reason. Even if we’re not “customer facing,” we have customers. Our customer is not the computer, the server, or the firewall. Our customer is the person whose PII we safeguard; our customer is the pensioner who will have to live on Alpo if her retirement fund tanks because we got breached. Our customer is a human, whose life can be effectively ruined if we fail to do our jobs properly.
So, with that in mind, my challenge to those in leadership roles is simple: evaluate whether you can extricate yourself from the political games. Evaluate whether you can be tactically and technically proficient at a level which allows you to effectively employ the assets at your disposal. Evaluate whether you can model the ethics your employees will need to emulate. If the answer to any one of these questions is “no,” then you need to step down from your position of authority. If the answer to all of these questions is “yes,” then you need to immediately execute.
It’s time for us all to step up and lead, not simply manage.
Article Link: Management != Leadership – It's Biebs the malware guy!!