Jamie Collier is currently studying for a DPhil in Cyber Security at St Cross College, Oxford. He was a member of the 2017-2018 Global Leadership Initiative.
Issues of leadership are rarely considered or dealt with in a serious way in the context of cyber security. Technological problems are met with technological solutions in a way that often trumps consideration of interpersonal relationships, character and leadership. In many ways this makes sense – we want people with real technical expertise to be at the forefront of the industry, and we need to allow them to focus on the application of their skills to the task at hand. Yet it also means that important questions relating to leadership can easily remain unaddressed.
It is becoming increasingly evident that this deficit cannot continue. Whether it be cyber security vendors, social media organizations, or phone manufacturers, technology firms are being flooded with ethical challenges previously outside their purview. Recent discussions concerning Facebook’s use of personal data, ethical questions over artificial intelligence, and the way cyber security firms decide to release information, illustrate the complexity of the challenges ahead. Finding solutions to these problems is no easy task, but they do highlight one thing: the need for leaders in these contexts to start engaging more deeply with the virtues and values that lie behind technological decisions.
What are these virtues?
Whether it be patience, temperance, courage or honesty, there are a variety of traits that we might associate with what it means to be a good, wise and ethical leader. Yet we also recognise that context matters. Specific virtues are prized in particular industries and circumstances. Honesty and truthfulness are essential in the sciences, where the fabrication of data threatens to undermine genuine progress. Integrity is vital in public service, where the proper functions of government can be swiftly undermined by corruption and bribery. Medics commit to compassion in swearing the Hippocratic Oath. And we rightly expect judges to be fair-minded and consistent. But how about cyber security? What virtues are central to an ethical and constructive way forward?
I want to highlight two—humility and honesty—and add to them by underlining the importance of exemplars who will serve as mentors to a new generation.
Cyber security is multidimensional, requiring new software and code as well as policy and regulation. Challenges range from dissecting malware to understanding the psychology behind people choosing bad passwords. Even more significant than the breadth of challenges, however, is the way that they overlap. Policy solutions that fail to take account of technical realities inevitably fall short; technical teams that fail to consider the often profoundly geopolitical dimension of their work will find themselves exposed. Rather than a multidisciplinary approach, where different pockets of expertise work on their own areas of the cyber security challenge, an interdisciplinary approach, where these different communities work on solutions together, is urgently needed. Leaders with humility, who are appropriately aware of the extent of their knowledge and skill, who appreciate that their perspective is limited, and who actively acknowledge the contribution of others, can help to pave the way.
Cyber security challenges have too long been examined in isolation. Rather than cross-community collaboration, quite separate silos of thought and expertise have emerged. The issue is often exacerbated by dysfunctional relationships between different groups. Policy communities might dismiss the political commentary that comes from those more technically focused as hopelessly naive of the realities of the international political system. Likewise, technical teams regularly dismiss policy proposals for not considering how they would operate in practice.
The fractured nature of the cyber security industry is hugely counterproductive since cyber security is too diverse a challenge for any individual or group to have all the answers. The virtue of humility can play an important part in cultivating better relationships between the various pockets of the industry. If someone has misunderstood one area of the topic where they are less familiar, it is rarely useful for those with such insight to call them out or humiliate them, as happens too often at the moment. This kind of behaviour discourages people from engaging with other communities in the first place. It reinforces the fractured nature of the broader community. By contrast, cultivating the virtue of humility should move us to a mentality of mutual learning and healthy collaboration. The different silos of expertise have so much to teach and learn from each other. Humility helps us to focus not on where others fall short, but on where they can teach us. Humility helps us to move from destructive relationships to an altogether more constructive dialogue.
The central focus on preventing attacks inevitably places fear at the heart of the cyber security industry, with those involved having an incentive to assert their importance by inflating the extent of the threat. Almost inevitably, fear-based sales are prevalent. This is not to say that cyber threats are not alive and very real, but that business-minded vendors can secure additional business by exaggerating the frequency and severity of incidents. This dynamic is not restricted to cyber security, of course, but untruth and exaggeration seem to come easily when the technical barriers to understanding aspects of the topic place one side in a privileged position of knowledge.
The problem with such economy with the truth is the breakdown of trust that follows in its wake. And once we lose trust in security, we all lose. Honesty is complex, of course, but it is nonetheless an important leadership virtue. In fact, some of the most respected and successful organisations in the industry are those that cut through the hype and dispel myths. Threat inflation might offer short-term rewards but is ultimately unsustainable. With so much disinformation and misunderstanding around cyber security, there is now an opportunity for firms to stand out by offering sober, well-considered and honest advice.
If humility and honesty are important virtues of leaders in cyber security, one way they can be cultivated is by the appropriate imitation of exemplars. This is where mentorship comes in, and it is much needed.
Today, cyber security remains an industry in its youth, with its place in society yet to be fully determined and career pathways yet to be fully established. The lack of apprenticeships or graduate schemes means that many people have stumbled into the industry, often discovering it by happenstance. It also means that the industry disproportionally rewards those that are already well networked, or who take a leap of faith, getting in touch with people out of the blue. Whilst rewarding the initiative and confidence of those that make the often uncertain jump into the industry is not necessarily a bad thing, there is a great deal of untapped potential when it comes to recruitment. With it estimated that women represent only 11% of the global cyber security workforce, the industry urgently needs to do better.
Employers need to do more to identify and cultivate talent and skills. Many organisations are willing to hire those with prior experience, yet do not do enough in offering first-time jobs and investing in bringing people through. There are, however, some positive signs: more firms are now offering entry-level roles, and job adverts are increasingly appealing to a broader demographic, including those from the social sciences and humanities, for example. The National Cyber Security Centre – the main cyber security organisation of the UK Government – also deserves immense credit for its CyberFirst initiative designed to get more teenage girls interested in cyber security. But despite encouraging pockets of progress, there remains much to be done in bringing through the next generation.
As well as cultivating virtues like humility and honesty, those who aspire to leadership in cyber security would do well to invest in mentoring—learning themselves from the many good examples of those who have gone before, and investing their time and energy for the sake of those who will come after.