Navigating Cybersecurity Leadership: Debunking Excuses and Embracing Change

In the cybersecurity world, leadership, ownership, and interdepartmental relationships often dictate success. On episode 91 of The New CISO podcast, Michael Meis, Associate CISO of the University of Kansas Health System shared his philosophies surrounding these factors, shedding light on the challenges and rewards in the field.

In this article:

• Cybersecurity: a journey from the military to the corporate world
• Mastering the maze: cybersecurity and internal politics
• The professional landscape: building relationships, understanding rules, and embracing corporate dynamics
• Excuses, excuses, excuses: debunking the roadblocks in the cybersecurity field
• From camouflage to corporate: transitioning from military service to a civilian career
• The evolving role of the CISO: from tech expert to business leader
• Conclusion

Cybersecurity: a journey from the military to the corporate world

Starting his career in the U.S. Army Signal Corps in 2008 as a Signal Systems Support Specialist, Michael transitioned from handling secure radio communications to providing computer support for his brigade and division. This foundational experience widened his technical expertise and offered an insight into the complexities of information security, establishing the groundwork for his cybersecurity career.

Mastering the maze: cybersecurity and internal politics

After his military service, Michael entered the world of government consulting, a tenure that provided a unique perspective on the labyrinth of cybersecurity bureaucracy. While this might sound daunting to some, Michael found it to be an engaging challenge. “The thing it set me up best for was to be able to operate through bureaucracy. And that sounds depressing in a way, but it was something I actually enjoyed: finding creative paths towards getting through red tape and navigating complex political environments,” he recalls.

The decade-long journey enabled Michael to appreciate the value of finding innovative solutions within the rigid frameworks of cybersecurity policies and regulations. His approach pivoted on the concept of forward momentum — “being able to find the path forward when, at first glance, it may not seem like there is a path.”

Moving beyond the technical aspects of cybersecurity, Michael’s leadership philosophy recognizes the complexity of internal company politics and bureaucracy. He believes that dealing with these internal dynamics can be just as formidable as combating external cyberthreats.

His stint in government consulting honed these skills in this regard, transforming him into an adept navigator within the organizational landscape. His talent for discovering innovative solutions amidst bureaucratic constraints, though seemingly grim, has proved to be an indispensable skill in a cybersecurity leadership toolkit.

The professional landscape: building relationships, understanding rules, and embracing corporate dynamics

When asked about the fundamental skills needed for successful navigation of the corporate landscape, Michael identified three significant aspects:

1. Fostering relationships — Michael asserts the importance of cultivating relationships, particularly with departments you might not interact with daily, such as finance, compliance, marketing, and HR. Maintaining strong connections across different teams can significantly streamline processes within an organization.
2. Mastering the rules — Michael recommends becoming well acquainted with the organization’s rules and regulations. By immersing oneself in corporate policies and procedures, one can identify areas of flexibility, even potentially finding ways to strategically bend certain rules.
3. Embracing corporate dynamics — Michael urges a rethink of the concept of “corporate politics.” Instead, he encourages viewing it simply as the organization’s modus operandi. Adopting this perspective can transform what may appear to be a burdensome hurdle into an exciting challenge to be conquered, or a valuable tool for effective problem solving.

Excuses, excuses, excuses: debunking the roadblocks in the cybersecurity field

Among the most frequently voiced challenges in the cybersecurity industry is headcount. Many cybersecurity leaders express frustration due to limited personnel, but Steve suggests that this is often used as an excuse for ineffectiveness, arguing that true leadership shines when one can operate within the given constraints, rather than bemoan them.

Limited budget is another common grievance. Yet, Steve shares a personal anecdote, highlighting how he reached peak creativity when faced with financial limitations. He underscores that a bit of ingenuity can facilitate significant accomplishments, even without a hefty budget. Michael echoes this sentiment, recounting how he once had to build a department-level security organization under severe financial and personnel constraints. They had to get creative, turning to open-source solutions and using whatever resources they had available. 

A third excuse shared by Michael is the avoidance of tasks pending formal training. While he champions the importance of training, he also sees the immense value in individuals taking personal responsibility to figure things out until formal training becomes available. This self-driven approach can open doors to significant learning opportunities.

Michael further expresses his disappointment about individuals allowing their professional development to be solely dictated by employers. He advocates that employees allocate a portion of their own income to a personal training fund. This enables them to take control of their professional growth, selecting courses they find most important without needing approval from their employers.

In agreement with this, Steve recalls how his own investment in costly training not only surprised his colleagues and company, but also left a strong impression about his dedication to his career. Such self-investment displays one’s commitment to personal growth, an essential ingredient in the recipe for cybersecurity career success.

From camouflage to corporate: transitioning from military service to a civilian career

Transitioning from the strict hierarchy and command-and-control leadership of the military to the more collaborative and selfless leadership style found in the corporate world can present considerable challenges. Steve recognizes that, in the past, veterans were “pigeonholed into specific duties on the civilian side.” But today, a military background often equates to leadership potential.

Michael attributes this shift to several key factors, including the military’s ingrained mission-oriented mindset, proven crisis management skills, and the implementation of support structures to aid veterans in their transition to civilian roles.

This mission-focused mindset, according to Steve, translates remarkably well to crisis situations in the civilian sector. He highlights instances where individuals with military backgrounds didn’t hesitate to take the reins when chaos ensued. This ability to swiftly respond and manage crises has contributed to a notable increase in veterans occupying senior roles over the past two decades.

Michael agrees, noting the importance of military personnel transitioning to civilian roles to shed the belief that their worth lies exclusively in their rank or within a prescribed set of instructions. He advocates for embracing creativity, while still maintaining the military’s mission-oriented focus. The fusion of these two aspects, Michael believes, allows the positive behaviors and skills cultivated during military service to significantly benefit veterans’ long-term civilian careers.

The evolving role of the CISO: from tech expert to business leader

Michael emphasizes the significant evolution of the CISO role from a predominantly technical or security position to a business executive role. He stresses that it’s crucial for “CISOs to recognize that they are no longer just security practitioners.” Instead, their focus should now align more closely with business executives, dedicating their primary attention towards empowering the security organization within the wider business framework.

As the cybersecurity field continues to mature and change, Michael anticipates a growing number of CISOs will recognize and accept this updated interpretation of their role. He also advises that they must “let go of a lot of the past expectations of what a CISO actually is,” making way for a new era of cybersecurity leadership.

Conclusion

In this conversation, Michael and Steve explored the multifaceted challenges of cybersecurity leadership, along with the dynamic shift in perspective required for the evolving role of a CISO. Success in the field isn’t just about technical proficiency, but also about navigating complex corporate dynamics, leveraging resources even in the face of constraints, and nurturing interdepartmental relationships.

Both Michael and Steve stress the importance of continuous learning and personal investment in one’s professional development, demonstrating a commitment that sets a powerful example for the cybersecurity community. Their insights serve as a reminder that adaptability, creativity, and an ability to embrace change are integral to leadership.

For a deeper dive into Michael’s insights and experiences, listen to the full episode or read the transcript.