Every time I interview a candidate, I ask, “Who is your role model in cybersecurity?”
Some candidates name famous hackers, like Kevin Mitnick. Others choose well-known journalists like Brian Krebs or a prolific writers like Bruce Schnier. One candidate said their role model was Neo from the Matrix movies.
There isn’t any right answer to this question except maybe “I don’t look up to anyone.” The examples I listed above are ok responses, but they aren’t great answers. Why? If you’re working in corporate security, your role model should be someone you aspire to be like. A famous, or infamous, hacker might not be the best choice. At least not one you should mention in an interview. The trouble is there aren’t many well-known examples of those.
Compare these answers to a businessperson’s heroes: Jack Walsh or Henry Ford, Warren Buffet or Stephen Covey. This highlights a stark difference between the security industry and other industries: there are very few examples of leaders who are widely known and recognized throughout the security community.
One issue is communication. The work that great security leaders perform isn’t just not talked about; it’s kept secret. Every day brings new examples of great leaders who prevent their businesses from being hacked, but those examples are hidden from the business community. We don’t want to talk about our defenses because then the bad guys will know how to circumvent them.
While this is a very logical position, it creates a cycle of secrecy. If stories aren’t shared, lessons aren’t learned. If lessons aren’t learned, each generation of security leaders has to figure out how to be great on their own. Rather than getting the head start built by generational knowledge there is a vacuum, and that vacuum is being filled by glamorous Hollywood hacker anti-heroes instead of inspiring visionaries.
The good news is that some candidates that I’ve interviewed have said that their role model is a former boss. I take this to mean that there are great leaders out there. I’ve had the privilege of hiring and working with a few of these people. Universally, these are the team members that people outside my team look forward to working with, that other employees call first for help, and they put the company first and themselves second. In other words, these are the people that will be leaders in their own right one day.
There are some groups that do recognize great security leadership, and we should do more to celebrate our successes. The Security Advisor Alliance has several leadership awards that they announce every year at their annual conference. Similarly CSO Magazine has their top 50 Cybersecurity Leaders. Many industries have already implemented information-sharing groups, called Information Security Advisory Councils, and there is real collaboration and cooperation between companies that might normally be competitors.
Our stories need to be told so that future generations of security have the right role models to look up to. Or at least so they’re prepared for my interview questions.