Home  /  About us  /  Newsroom  /  What makes a great (cyber) leader?

12 1 2016

What makes a great (cyber) leader?

Both you and your team were nominated for the prestigious SC Awards 2016 Europe. It is quite a compliment, were you surprised?

SC Magazine is probably the leading cyber security publication in the world, it represents all aspects of the cyber security spectrum and is relevant to all organizations, from Industry to governments and academia.

So to find out first of all that I'd been nominated for this [Chief Security/Information Security Officer] award was quite a shock, and a very pleasant shock.

It's quite an accolade, and clearly not just for myself not just for myself but it is also a validation that what we do in NATO is being recognized and is seen as being successful, and it is clearly important.

Then we were told a little bit later that the cyber security team had been nominated for an award as well, that was more important to me, because there are 200 people who are doing a great job – and it's not just the people in the cyber security service line, we are supported by a whole range of folks from other parts of the Agency.

So winning these awards was incredibly important not just for those of us involved but to NATO as a whole. It really is that significant because when I talk about the team, everything that we do is guided by the [NATO Member] Nations. And the Nations over the years have shown supreme commitment to cyber defence with lots of initiatives at every Summit. It is a very big NATO team.

The recognition is made all the more special because the Awards were judged not just by SC Magazine, there was a panel with 25 experts from academia, Industry and government organizations so it's a huge honour and a great privilege to be a part of it.

What does it take to be a great cyber leader?

There is a phrase: 'From server room to boardroom." And basically what this means is that you can be the best technician anywhere, but if you cannot explain to the boardroom why they need cyber security, then you are probably not going to be successful.

So the really important thing is engagement and communication with and across the whole organization to talk to our boardroom. It is really important to facilitate this interaction.

The other thing that we've learned is that nobody has the entire solution for cyber security, everybody has a piece of the jigsaw.

Of course, NATO has recognized this, you've got to work together, it's got to be a collective effort. That's why we work very closely with our Allies, our Partners, Industry and Academia, as well as the EU. Working together really does enhance our collective cyber defence.

By the way, in February 2016, we signed the first formal agreement between NATO and the EU for years. It was signed between the NATO Computer Incident Response Capability (NCIRC) which of course is part of the Agency, and the Computer Emergency Response Team – European Union (CERT-EU). There is a lot of commonality between the EU and NATO, particularly as we use similar technology and face the same cyber threats, so working together for the common goal is a win-win situation for us.

A cyber security leader must understand not just the importance of cyber security itself but how it should work within an organization and even globally.

Should every organization and company have a cyber security team then?

The worst thing you can do is just implement very expensive technology, and get very scarce and expensive skills without knowing why you are doing it and what you are trying to protect.

You've got to identify what is critical – the critical components of a company's network or an organization's computer systems, communications systems – and then place the most security on the most important parts of those.

Now every organization – whether it's governmental, commercial, academic – that depends upon its computer network must have some form of cyber protection. And clearly if it's a smaller company or if the dependency is say less than that of a bank, then they'd need less of a solution but focused on their 'crown jewels'.

But everybody, every organization that depends on its networks has to have cyber security embedded into it.

What advice would you give to young new leaders who may work in other areas than cyber security?

There is a simple leadership principle that I was taught when I was in the UK Royal Air Force and it's that true leadership is about finding the optimum between three components: the mission – 'getting the job done' - looking after the team, and looking after the individual.

If you imagine three overlapping circles, if you concentrate too much on the mission without looking after your people or creating a team, then they are probably not going to be able to complete that mission.

You've got to find the middle of these three overlapping circles and look after the team and the individuals to make sure that the mission gets done.

I am very lucky that I work with very special, skilled and dedicated teammates. We went from having a team of about 80 people to having a team of 200 people and I just about know everybody's name now. But it's not just about understanding what they do and knowing what their names are. You've got to know the people, you've got to know their capabilities, their shortfalls, their ambitions, their circumstances.

Now, obviously I work with some other great managers and it's just impossible for me to do all of that for 200 people. But it's an ethos of mine that we do look after our people. They are part of that triad if you like.

I am also lucky that our cyber security team is incredibly dedicated to the mission. Perhaps it is because it is very real. Every day, they are defending against real threats. They know that if they miss one attack, the effects to the Alliance's operations and business.