We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Dawn-Marie Hutchinson: Cybersecurity Leadership: Powering the Modern Organization (2015) by Mansur Hasib
Dr. Mansur Hasib brings an executive MBA to technology professionals in one book in Cybersecurity Leadership: Powering the Modern Organization. It is a significant reference book for leadership in any organization; however, it specifically addresses the challenges unique to technology and cybersecurity. The book provides a business-level understanding of cybersecurity and critical leadership principles for interdisciplinary organizational leaders and technology professionals.
The singular focus of the book is leadership. It is important to understand that the author does not intend this book to be a prescriptive technical security reference guide. It is not a commentary on cybersecurity activities, such as implementing controls, developing a security strategy, or managing threats. It is a leadership education for technology professionals and includes guidance on executive decision-making, organizational structure, and the key qualities, behaviors and principles of effective leaders. The author states, “If you make cybersecurity all about technology, you will fail every time. Without leadership, engagement of people and perpetual innovation you never have a chance at cybersecurity” – and that statement is the best description of the text.
To make the Cybersecurity Canon candidate list, the book must be essential to the cybersecurity practitioner. As a cybersecurity leader, I found this to be a must read and a healthy refresher on executive management with decisive Jesuit leadership influence. Similarly, for technologists and cybersecurity practitioners, it is a must read for understanding how to work with and for strong leaders. The book not only details the necessary qualities of a security leader but, by proxy, it explores all the ways the technologists and practitioners contribute to the efficacy of the security strategy.
Cybersecurity Leadership: Powering the Modern Organization is structured in essentially two parts: the earlier parts of the book focus on leadership principles, organizational structure and human governance. The latter portion of the book delves into industry and technology-specific leadership nuances. The author presents the concepts in a layered manner and builds on each as you move through the text. Hasib includes detailed historical leadership examples and relatable personal experiences as an experienced chief information officer to reinforce the concepts.
The most powerful portions of the book hone in on what is arguably the most difficult concept to master in leadership: building an effective team. Hasib reminds us that the effectiveness of a security program does not hinge on technical controls, rather it is the marriage of smart, daring people with different skills, experiences and perspectives striving to build business-aligned processes. Further, he explains that in order for people to be effective, the leader must select the best talent, establish trusting relationships, and build conflict-competent teams. It is out of conflict, Hasib reminds us, where “dumb ideas” are fleshed out, debated and improved. Allowing teams to discuss and debate ideas facilitates the cohesiveness and effectiveness of the team. Hasib describes what I will call an “entrepreneurial approach” to solving cybersecurity challenges by encouraging team behaviors that reflect the innovative, creative and driven characteristics of entrepreneurial teams. There are several chapters on building the team, and I found them to be extremely valuable and progressive methods for not only creating a highly efficient team but executing the security strategy.
I think one of the most encouraging and relatable portions of the book is Hasib’s discussion on finding, negotiating and onboarding both as a hiring manager and as an employee. He details both the right and wrong ways to negotiate salaries, including the commonly experienced hostage takeover – the age-old practice of getting a new offer, giving notice, and attempting to negotiate a new salary. Hasib spends several chapters relating to the morality and trust as a leader and team member. He calls this practice of hostage takeover a behavior not befitting a position requiring a high degree of integrity and trust.
There were some topics in and around organizational structure that I found fascinating. Having only ever worked in organizations where the security organization reports to the chief information officer (CIO), I have encountered some very challenging working conditions and taken that to be one of the areas that I spend a considerable amount of time researching. It was interesting for me to read about the different organizational structures, including the security organization reporting to the chief financial officer (CFO). This is a debate worth following, and the portions of this book that addresses alternate reporting structures will be important considerations over time.
If I had a criticism of the book, it would be that the experiences provided for each topic were one-dimensional. For each leadership topic, Hasib provided his own personal accomplishments and leadership accolades that began to feel haughty as I moved through the text. Insights from external and internal leaders across business, operations and technology would enrich this text tremendously. I would like to see others emphasizing “doing-the-doable” and navigating how to avoid the purchasing pitfalls of leadership and focus on building teams. I think Hasib brings tremendous insight here, but he left me wanting more.
Facing dramatically increased risk, resource scarcity, and newfound executive focus, many security leaders find themselves exposed to a much wider array of professionals, different terminology, techniques, motivations and concerns. Overall, I found Cybersecurity Leadership: Powering the Modern Organization to be tremendously valuable for those leaders who are trying to take their careers or programs to the next level – from operational or tactical to strategic. Learning to let go of the keyboard is a challenge for many technology professionals and, if not overcome, eventually inhibits their career growth. This book can provide those individuals with the tools to empower and trust their teams and ultimately drive innovation and power the business.
This is a Cybersecurity Canon nominee for its ability to communicate necessary leadership skills and apply them to the ever-changing world of cybersecurity. As security technologists evolve into business leaders, they will increasingly need an education in business and leadership, and I believe this book to be invaluable to that learning.