Experimental Feature: Audio Read Version
In comparing the career pathways of civilian and military cyber leaders what can we learn from both perspectives?
BLUF: As the information and communication technologies (ICT) used today by militaries are largely civilian, the cyber-security defence of these environments should be led by experienced civilian experts. However, the weaponisation of these same technologies that provide an offensive capability for Defence should be led by experienced military experts responsible for leading the cyber battle. Traditional leadership and management skills alone, without technical proficiency, will not inspire cyber professionals. The demarcation of complementary skills, techniques, and balance between the military and civilian realms need to be decided and agreed.
‘Leadership is important: Great leaders attract, develop, and inspire great people. Great people build, support, and protect great organisations.’
The commoditisation of technology, the growth of the cloud and the widespread use of networks has resulted in modern military ICT environments being virtually identical to those of civilian organisations. Both environments have for some time been deploying the same advanced ICT infrastructures, using similar ICT processes. They have also been developing/inspiring the next generation of cybersecurity professionals using the same talent development philosophies.
Given these similarities, it is surprising that the cyber leadership in the commercial and military organisations have navigated their way into these roles from completely different perspectives. Individuals from different backgrounds, following different career paths end up leading virtually the same types of people, using the same toolsets, and executing many of the same type of tasks.
With the demarcation between civilian and military cyber defence now undefinable, what are the leadership competencies that make both a good civilian cyber leader and military cybersecurity officer – those who will be leading the cyber battle? Comparing and contrasting these competencies, experiences and career pathways will allow us to learn lessons from both worlds. It can guide us on how to dominate not just the cyber battlespace, but also in the relentless battle to acquire, develop and retain the next generation of cyber talent.
The global cyber battlefield
Today’s global commerce is so competitive to the point that it is becoming brutally acrimonious; data theft, malicious software attacks, hacking and the myriad of creative cybercrime capabilities now being supplied as a service would indicate there is now little difference between state and non-state cyber activities. The boundaries between cybercrime, cyber-terrorism, and cyber-warfare are indistinguishable. The prevalence of cyber-attacks, disinformation and deep fakes are now the default battle plan for an all-encompassing global cyberwar that arbitrarily attacks civilian and military domains in equal measure.
Most civilian cyber leaders in the commercial battlespace tend to have had a formal, usually technical education, maybe even a master’s degree. This is followed by at least 20 years of rising through the technical ranks of software, networks and/or infrastructure to develop a breadth of technical security, insight, and knowledge. Their technical expertise and professional competence will be solid, but they are rarely renowned for being natural leaders of people and may have minimal leadership experience.
Their military equivalent will have a good general education, and then via military development pathways or direct entry, will have attended a military college for several years. They will then spend 20+ years rising through the military ranks of Troop, Squadron, even Brigade command roles interspersed with several ‘staff’ roles in formations aligned to their career stream. For those selected, a roulement into a cybersecurity leadership role is designed to challenge, adapt, and apply this extensive warfighting leadership experience to prepare them for leading the cyber battle. Their staff will usually be an eclectic assortment of specialist military and civilian experts working in an extraordinarily complex, dynamic, and fraught environment.
Cyber leadership themes
From a synthesis of contemporary literature and interviews with cybersecurity professionals, the following three themes emerged on what makes a good cyber leader:
Technically proficient: Firstly, cybersecurity leaders must be technically proficient before they can hold any level of credibility, both with their direct reports and employers. Technical competence was found to be an equal part of the duality of the cyber leader. This increasingly demands to be tempered with business acumen. If a cybersecurity leader is too narrowly focused on technology you can end up with an individual will all the certifications and patter but who will not be able to manage the broader spectrum of business risk and opportunity. Those charged with leading the cyber battle must look beyond technology – being a technical leader isn’t enough; a myriad of other soft skills and business competencies are also required.
Domain experience: Secondly, they must have sector experience in the application of cybersecurity across one or more fields, as well as a sufficiently broad awareness of wider organisational objectives and needs. This experience across an operational domain is what buys credibility with senior executives, boards, and senior commanders. They need to have demonstrated value beyond information security. These hard metrics of competency will depend on the specific technologies, past experiences, and environments in which the leader has previously worked.
Inspiring individual: The third theme is the most difficult to identify – what is the ‘secret sauce‘ needed to make an inspiring leader, that special ‘X-Factor’? These ‘soft’ competencies could be even domain/task specific but these leaders will need to have particular abilities in removing roadblocks, inspiring confidence, and generating enthusiasm. They need to manage their stakeholders juggling the needs of their followers, suppliers, customers, as well as senior management. This is where the duality of the role becomes difficult, being both a technical specialist and an executive strategist; and then being able to handle the resultant tension and quandaries.
Leadership competencies of cyber leaders
The conclusions of the research suggest effective cyber leaders exhibit strong traits in five major leadership competency groups:
High ethical standards and providing a safe environment
Sincerity, trustworthiness, being of good character and high moral standards were seen as fundamental competencies. Having high ethical standards was a common trait in all leaders in all cultures.
Promoting connection and belonging among employees
Camaraderie, an ‘esprit du corps’ and rallying around a clear, achievable mission was seen as a strong inspiration to followers. A focus on shared values, objectives and a ‘sense of purpose’ was a powerful driver invariably found in younger dynamic tech start-ups but less noticeable in old-fashioned bureaucratic and ossified monoliths. But a formula for motivating, inspiring and developing strong cyber security cultures is an enigma that both military and commercial organisations have yet to master.
Committed to the professional and intellectual growth of followers
Leaders develop leaders. All of the research emphasised training and development. But in civilian organisations, these tended to be more functional technical training courses, especially as a checklist to attain competency levels in skills frameworks. Traditional methods of education, courses and awareness training failed to inspire workforces. The military espoused a wider more holistic view of development focusing on a richer domain ethos, focus on culture and the general advancement of followers.
Empowering individuals to self-organise
Whilst command, control and direction were considered military traits, trusting employees to organise their own time and productivity was stymied in overly controlled environments. Whilst younger employees wanted and needed to come into a physical work environment for learning, social and camaraderie, older people with children and other commitments did not. Embracing a remote working culture or a gig worker construct was something that military leaders regarded as challenging, even anarchic but isn’t this something that those responsible for leading the cyber battle should be comfortable with?
Open to new ideas and experimentation
Both the military and larger corporations had a more conservative view on experimenting, development, and innovation. References to ‘public money’ or ‘shareholder dividends’ were used as a challenge/restraint on new ideas, with anecdotes about ‘zero defect’ requirements and the dire consequences of failure being used to curb risk-takers. Rigid organisational cultures promoted the short-sighted rejection of innovative new technologies which jeopardised order, discipline, morale, cohesion, and entrenched organisational interests. Smaller companies and energetic young military officers were however a lot keener to seek opportunities with less apprehension about risk and failure.
Turning great cyber-engineers into adequate cyber-leaders is something to be wary of and military cyber leadership is no different. Whilst a broad base of experience and leadership skills often counts far more than technical know-how, leaders that lack confidence in themselves will fail to inspire others. Leaders that fail to gain the respect of their followers will not be properly coordinated to protect their organisations as more technically adept adversaries run circles around them. Consequently, a lack of technical literacy and failure to understand the work domain begets inefficiencies, ineffectiveness, and futility.
Conclusions and recommendations
Managing cybersecurity is no longer a technical back-office admin function, but a critical people leadership role, soon to be a mandatory position on corporate boards. Rapidly evolving organisations, and the military will wish to put themselves into this category, will need capable leaders who can communicate, inspire teams, successfully navigate their organisations, and enable the delivery of business objectives. These leaders must be selected, developed, and provided with a nurturing career pathway that invests in training, coaching and their development into senior business talent.
Great leaders will need to attract, develop, and inspire great people. Great people will then need to build, support, and protect great organisations. Getting this right; is a collective civilian and military imperative; each needs to nurture the competencies and attributes described above if they are to win the battle of talent, before any victory can be declared on the cyber battlefield.
This article is a synopsis of an academic research study just published in the Royal Signals Journal (Vol 41, Issue 2, Winter 2022). https://royalsignals.org/royal-signals/wire-and-journal
Martin Crilly is the Chief Architect & Engineering Authority to BAE Systems in the Middle East, and a Reserve Signals Officer. His background is in contempary ICT architecture, technology strategy, cyber-security, J2 and J6 with previous roles in BFC, ISS Ops Plans, GOSCC, DE&S Maritime and others. For more information and articles on Virtual War and similar topics, ‘follow’ him on Defence Connect.