About Cybersecurity Management and Expectations

A few days ago, I was contacted by a young person at the beginning of their career in infosec. Without sharing too many personal details, this person had started a new job and was having panic attacks due to very minor errors. After some discussion and questioning about their previous position, I uncovered a genuinely inept culture with an absent manager who should probably have been reported to HR.

For the past decade, I have listened to a number of stories from cybersecurity professionals about unbelievably hostile and abusive workplaces. More insidious to me, however, are the workplaces that “pass” as okay on paper yet are continually undermining, failing, and gaslighting their junior employees. Unfortunately, it’s often harder for junior people to judge that they are being done a disservice in those places than in cases of extreme abuse.

Gaslighting: Refers to the plot of the psychological thriller play and film ‘Gas Light’. An abusive tactic wherein a person or people cause an individual to question their reality and competency by covertly and relentlessly insisting their senses, judgement, and reality are impaired.

These chats (plus a multitude of management and leadership courses) have made me passionate about ensuring junior and young people I mentor understand what they should and should not expect from their management, and what it is reasonable for their management to expect from them.

Unfortunately, in cybersecurity, many individual contributors who were not trained or qualified to act as managers of humans have been pushed into management roles for various reasons. The skill set required to manage people and teams is totally different from blue teaming or red teaming. It is absolutely fine to be good at one of those things and not great at the others. Sadly, it is simply an unfortunate fact that there are currently some very bad managers in our field. I’m very concerned for them and for the people working for them.

Due to all of this, I have approached SANS about arranging a panel webinar on this topic. While we arrange this, I will summarize my brief thoughts on reasonable employee expectations of managers, employee responsibilities to their managers, and tactics for employees struggling in negative business environments.

Reasonable Expectations of Managers by Employees

There are few universal rules across global public and private organizations. Small businesses may have more difficulty providing employee resources than large ones. Legal and societal employment expectations vary by country. However, this brief list encapsulates some very simple things every cybersecurity manager must do to enable employee success. It is abnormal and concerning for a manager not to do them.

I will not be detailing other necessary management skills that are not immediately related to employee success (such as project management, finance, risk management, and intraorganizational communication).

At a minimum, I expect almost any competent manager to do the following things for their direct reports if they care about their success:

  • Provide clear and consistent performance feedback on a routine basis (annually at a bare minimum), and have this feedback maintained in writing for future reference by the manager and employee. Transparency is key. For fairness, it’s obviously optimal to use a formal employee feedback system for this, but if that’s not possible, simply have a genuine conversation and take written notes. Beyond formal feedback, employees should consistently know where they stand, unless there is a genuine legal case underway which prevents this.

    Ask yourself: Have I sat down with every direct report this year and given them usable feedback in writing about what they are doing well, where they are falling short, and how they can improve? Do I follow up with them on their progress routinely?

  • Establish clear goal posts and measures of success. Set clear goals and expectations in writing for each employee, and clearly state what success and failure at those goals looks like. Include what is typically required for potential promotion, pay increase, or merit bonuses. Make sure each employee understands these goals and believes they are manageable expectations. Failure should never be a surprise, and should always be crystal clear in a paper trail.

    Ask yourself: Have I told every direct report what the company and I expect for them in their role and progression, how I will measure their success, and confirmed those goals are manageable with them?

  • Discuss short- and long-term career and educational goals with each direct report. Managers should make a best effort to listen to and nurture employee goals, and then provide feedback and guidance. Simply not having the resources to provide a desired opportunity today is not an excuse to avoid having candid discussions with each direct report about what they would like to achieve, learn, and do. If you won’t get them on track to where they want to go, you will either part congenially as you guide them on their path, or you will part hostilely and lose your investment in them and some credibility.

    Ask yourself: Do I have a clear idea of what my direct reports want to accomplish in the next month, year, or five years? Have I given them constructive guidance on how to realistically accomplish this, or connected them to somebody who can help?

  • Recognize success as well as failure. A junior cybersecurity team is not the place to reserve feedback for negative reactions when something goes wrong. The point is to build successful cybersecurity professionals. In education, we have a term called a ‘praise sandwich’ or ‘praise-correct-praise’. Your employees should know when they are doing well as well as when they don’t meet expectations. If you forget, think of this model and try to say something positive twice for every one time you correct or reprimand them.

    Ask yourself: In what ways have I recognized success on my team in the past year, and have I done so fairly across all my direct reports?

  • Have empathy and put people first. Your direct reports are human, and each has their own background, level of neurodiversity, work-life balance, and learning style. For example, you simply cannot ask a kinesthetic learner to be as successful at watching training videos as a visual or auditory learner. Your auditory learner might be stymied by being forced to read a book and do labs without any discussion. Listen to your employees. Within reason, you should make an effort to adapt your management style and their individual plans for success to their needs as humans.

    Ask yourself: For each one of my employees, can I state what style of learner they are, a way in which their background may uniquely impact their perspective and needs, and at least two facts about their work-life balance situation?

  • Shield junior employees from interdepartmental and corporate bureaucracy, infighting, and abuse. Your analyst made a minor mistake on a report? That is absolutely not the time to let the customer or CEO eviscerate her. You are the manager responsible for the employee and ultimately, Buckaroo, the buck stops with you. If your employee has habitual performance problems then that should be documented clearly in formal feedback, and any major issues should be taken to HR. It is also not the responsibility of your direct reports to figure out your budget shortfalls, staffing problems, or your new unpleasant CISO. Their job is cybersecurity.

    Ask yourself: Have I ever let an employee take the blame for something that was my responsibility, and how will I prevent this from happening in the future?

  • Identify and resolve team dynamic problems. A competent manager has a sufficient understanding of team dynamics to recognize common problems and their causes. I can’t stress enough the value of studying multiple academic models like Adaptor-Innovator theory, the Tuckman model, the Belbin model, etc. None of them are perfect, but they can give you a framework to think about the personalities on your team. Regardless of how you build these skills, you should recognize what is causing interpersonal conflicts and be able to help resolve them.

    Ask yourself: Can I describe how each one of my employees likely fits into at least one credible team dynamic model? Do I actually understand what that means, and how it can impact how my team works together or does not work together? Do I have plans to build a stronger team?

  • Be decisive and make the hard calls. Being a good manager requires empathy, but also understanding that your first goal cannot be for everyone to like you. Your first responsibility is to your team, your mission, and your employees’ success. You have to make tough calls decisively and be the deciding vote and clear voice of reason when your team is struggling. Again, the buck stops with you, and you should not be in the role of manager if you can’t face that.

    Ask yourself: Have I ever not made a direct decision in a timely manner because it was difficult or I didn’t want to be disliked?

Reasonable Expectations of Employees by Managers

At the same time as I see failures from cybersecurity managers to their direct reports, I also see individual contributors not understanding their own responsibilities to themselves, their companies, or their managers. Employees also have personal responsibilities as professional working adults that exceed simply “knowing how to do infosec stuff”.

  • Develop your career goals. When you have the opportunity to have a career discussion with a manager, leader, or mentor, you should be able to clearly state some short-term or long-term goals for your work, career, and training. These people are not magical or telepathic, and can only guide and assist you. If you drift through your career without clear goals, it is totally unreasonable to blame your management for lack of progression or notable pay increases.

    Ask yourself: Can I roughly describe my 1 month, 1 year, and 5 year career and educational goals to another person? Have I made an effort to plan to reach those goals?

  • Advocate for your own success. If your manager is not fulfilling the basic expectations I laid out in the previous section, moping or complaining in back channels will accomplish nothing. You have a responsibility to first courteously and reasonably approach your manager and ask for needed things such as performance feedback. Some managers simply don’t know what they’re doing wrong. In many environments, it might be wise to go to another leader or mentor, then potentially even HR if you’re hitting a wall. This is not to say you’ll always be successful navigating a hostile workplace, but at that point you’ve done your due diligence.

    Ask yourself: When I’ve struggled with a manager or organization not fulfilling their responsibilities, have I ever approached them tactfully and politely and asked for what I need? Have I used my “chain of command” and escalated problems appropriately? Alternatively, have I ever complained to colleagues and brought morale down simply because I didn’t make a reasonable effort to fix things?

  • Treat colleagues and managers with respect. If you are having a bad go of it in a poor work culture or manager, the best thing you can do is show solidarity with other people who are facing the same problems. Organize and provide a united front. Cybersecurity is a small community and taking out your frustrations on innocent people will almost always come back to haunt your future career. I’ve seen many a miserable employee abuse or gaslight their innocent peers in return, then get blacklisted.

    Ask yourself: Have I ever dealt with workplace abuse by abusing my colleagues, or maneuvering the abuse onto them? Do I ever consciously or unconsciously try to make junior people ‘suffer like I suffered’ as a rite of passage?

  • Meet the expectations provided by your leadership and manager, or provide clear and reasoned justification as soon as possible if you cannot. Once you have been given a set of goals and expectations in your role, it is your responsibility to tell your manager if they are not attainable for some reason. If you cannot meet their expectations, you should be able to provide clear and reasoned justification about why you couldn’t for their consideration. If you do not understand the expectations and measurements of success being set out for you, you should ask for clarification right away.

    Ask yourself: Have I ever gotten mad at a poor review or critical feedback, when I clearly did not objectively meet the goal? Have I ever set myself up for failure by not admitting I couldn’t meet a requirement or deadline from the start?

What to Do When Things Go Wrong

This is the section of the blog where people who have been truly abused by their workplaces and managers will likely yell at me. So here is some cold, hard reality:

  1. Some workplaces are irredeemably toxic. After making a reasonable effort, your only option to salvage your career, mental health, and physical well-being will be to quit. Sometimes quitting and leaving the toxic environment is the only healthy call, with a new job lined up or not. Give it serious consideration if you are suffering and the workplace is irreparable.
  2. Not everybody can just quit. Ageism, racism, transphobia, ableism, and sexism are alive and well in many hiring pipelines. There are genuine reasons why people who are uncertain about their ability to support themselves or their families feel like they have to stay in abusive workplaces. The rest of us need to watch out for those people and try to assist them as best as we can.
  3. HR isn’t always your best advocate, and going to HR is often a very carefully weighted decision. There are some workplaces so hostile and cliquish that a report to HR will simply mean being fired or abused further. However, going to HR or even bringing legal action against a company with abusive or hostile practices may be the only way to save other people employed there from the same fate. Seek guidance from mentors and trusted advisors about your options, and consider them carefully.

    But also,

  4. Not every workplace is toxic, and there are absolutely great managers out there. There is nothing that irritates me more in the infosec professional community than people who pour their nihilism and negativity onto junior people because they’ve personally had it rough. There are plenty of great employers and managers out there who do all the good things I mentioned and more. Stop gatekeeping, and stop listening to the gatekeepers. Most of us have had bad and good managers in our careers.
  5. Business and management are totally different skill sets from securing computers, but they are ones you can study and learn about. Consider taking basic management, speech, and business classes online or at your local community college. Seeing the inner workings of the game being played will give you a tremendous leg up in dealing with problems related to business culture and management.

Thanks as always for tuning in, and I hope to get this webinar rolling as soon as possible!