Security Leadership Master Class 1 : Leveling up your leadership

  • Phil Venables
  • Oct 4
  • 4 min read

This is the first of a 7 part series in which I’ll group together a set of prior posts under a particular theme, to make it all the more accessible. The 7 themes are:

  1. Security Leadership Master Class 1 : Leveling up your leadership

  2. Security Leadership Master Class 2 : Dealing with the board and other executives

  3. Security Leadership Master Class 3 : Building a security program

  4. Security Leadership Master Class 4 : Enhancing or refreshing a security program

  5. Security Leadership Master Class 5 : Getting hired and doing hiring

  6. Security Leadership Master Class 6 : When disaster strikes

  7. Security Leadership Master Class 7 : Contrarian takes

In this first post we’ll look at leadership.


Security leadership is about building flywheels not [just] fire stations.

Leadership is vital, not just for the CISO or other executive security roles but at all levels in the organization. It’s something that can be learnt and developed over a career, rather than only being an intrinsic quality that comes naturally to some and not others. There are many attributes security professionals need, and over the years I’ve written about many of them in this blog, but all of those can come to naught if there is a failure of leadership.


Leadership takes courage, it takes discipline, and above all it takes relentless perseverance to keep at it in the face of setbacks and pressure. The essential attributes are:


  • Act like a business executive, not an IT manager. A top security leader manages technology risk as the "CEO of the Security Program," taking full responsibility for resilience and measuring success in business outcomes. This requires understanding the company's strategy, revenue model, and culture to devise a winning risk management plan. This mindset shifts the focus from managing security tools to driving transformational business objectives.


  • Develop and communicate a clear, generative strategy. Instead of just creating a list of projects or vendor purchases, effective leaders define a coherent strategy for winning against adversaries and building resilience. A good strategy is generative, inspiring other teams to act and making the entire organization safer by defining the "what" (e.g., a secure-by-design platform) and empowering others to manage the "how".


  • Master business-oriented communication and influence. Communicate in the language of the business—risk, capital, and opportunity—rather than technical jargon or fear, uncertainty, and doubt. To influence change, be clear about your desired outcomes, understand the current situation, plan your approach like a campaign, and execute on your commitments to build credibility.


  • Build scalable, self-reinforcing security systems (flywheels). Move beyond firefighting and constantly lurching from crisis to crisis. Design systems that scale security, make the secure path the easiest one, and reduce the unit cost of control. This involves shifting from an artisanal, reactive approach to an industrial-scale capability that anticipates and solves systemic risks.


  • Prioritize ruthlessly and focus on leverage. You cannot achieve an "A-grade" on everything, so strategically determine what requires excellence versus what just needs to "pass". The highest-leverage areas for an A-grade are often platforms (like identity management and developer tooling), core processes (like the software development lifecycle), and cultural factors (like psychological safety).


  • Take personal accountability for your career and actions. Manage your career as your own responsibility, seeking help but ultimately relying on your own attitude and grit. Run toward problems, reach for accountability, and take ownership to frame issues and suggest solutions rather than waiting for someone else to act.


  • Actively engage in and contribute to the professional community. Your professional development requires self-reliance, so join relevant communities, volunteer, do the work to build a reputation, and eventually take on leadership roles. This builds a powerful network and can lead to higher-level opportunities on advisory boards or task forces.


  • Proactively communicate successes and manage the narrative. Since security success is often invisible while failure is highly visible, you must continuously market your team's achievements. Frame your successes in a business context by showing incidents avoided, vulnerabilities fixed ahead of crises, and adjacent business benefits delivered. This builds support and completes the "flywheel of risk mitigation".


  • Build and empower your team to be resilient without you. Great leaders develop future leaders, create leverage through federated models like BISOs or security champions, and build a function that can outlast them. Focus on balancing a team so that individual weaknesses are covered by the team's collective strengths. Avoid hoarding information or becoming a single point of failure.


  • Manage executive and board expectations for the long term. Security improvements often make things look worse before they get better as enhanced monitoring uncovers more issues. Set this expectation with leadership from the start to secure their long-term commitment and avoid being replaced mid-transformation. Enable the board to govern effectively by teaching them what questions to ask, turning oversight into a strategic partnership.


Here’s a short video (thanks to NotebookLM) covering all of this.

Here are the top 10 posts that cover various leadership topics:
© 2020 Philip Venables. 