Read Time: 7 minutes

Hello! As we navigate this week I’d like to reflect on our leadership styles and how we adapt them to meet the challenges in front of us. In this week's edition of Vulnerable U, we're exploring:

• Shepherd vs. Engineer: Two leadership styles in Infosec.

• Nurturing Growth: How the Shepherd Leader fosters trust and innovation.

• Technical Mastery: The role of the Engineer Leader in building robust security systems.

Have feedback for us? Just hit reply — we'd love to hear from you!

Lets get vulnerable

Topic of the Week:

I recently stumbled upon a thought-provoking video featuring psychologist Dr. Russell Barkley, in which he discusses the roles of a parent in their child’s life. Barkley suggests that parents act more as shepherds than engineers, guiding, nurturing, and creating safe environments for their children to develop and grow, rather than controlling every aspect of their lives.

This concept got me thinking about leadership in technology organizations, particularly in the realm of infosec. As leaders, it's crucial to recognize when to shift between the roles of shepherd and engineer.

🎯 When should we focus on nurturing and guiding our team members, and when is it more appropriate to concentrate on building systems, introducing technology, or altering processes?

🌟 The Shepherd Leader in Infosec 🌟

In the context of information security, a shepherd leader focuses on guiding, nurturing, and providing a safe environment for their team members to learn and grow. They create a supportive atmosphere where team members can comfortably ask questions, take risks, and share their ideas. A shepherd leader recognizes that their team's growth is just as important as the technical success of their projects.

🌱 I like this approach as my default mode. Hire excellent people, provide them room to grow and aircover from politics, let them execute. The shepherd acts as a relationship builder across and within the organization, making it easier for the team to get things done and be recognized for their achievements.

🤞 By fostering trust, a shepherd leader encourages collaboration, leading to more effective problem-solving and innovative solutions. They also promote a culture of continuous learning and improvement, driving adaptability.

Notable examples of shepherd leadership in the infosec community include CISOs who prioritize mentoring and developing talent within their organizations, or team leads who advocate for healthy work-life balance and mental well-being among their team members.

💡 The Engineer Leader in Infosec 💡

An engineer leader in information security has a keen focus on designing, implementing, and optimizing security systems and processes. They boast strong technical expertise, precision, and attention to detail, ensuring their team's work meets the highest standards in terms of quality, efficiency, and security.

🧰 Think of the engineer leader as your Swiss Army knife—useful as needed, but kept in your pocket otherwise. If your team is stuck and needs a strong leader to make decisions, implement systems, procure tools, or hire help, an engineer leader can step in and get things moving. However, it's crucial to recognize when your involvement might be counterproductive or undermine your team's trust.

🏫 Engineer leaders must stay current on industry trends, emerging threats, and new technologies to effectively guide their teams through cybersecurity challenges. Success in this role requires data-driven decision-making and the ability to implement innovative solutions.

You'll find successful engineer leaders in various roles within the cybersecurity field, such as leading research teams in developing cutting-edge security tools, spearheading incident response teams to tackle sophisticated cyber threats, or overseeing the design and implementation of robust security frameworks in large organizations. By blending technical acumen with strategic vision, engineer leaders play a vital role in strengthening their organizations' security posture.

⚖️ Balancing Shepherding and Engineering ⚖️

The key to effective leadership in the cybersecurity landscape is finding the right balance between shepherding and engineering approaches. Understanding when to adopt a nurturing, guiding role and when to take on a more technical, problem-solving mindset is crucial.

Here are some strategies to help you strike the right balance between these two leadership styles:

1️⃣ Regularly assess team dynamics: Keep a close eye on your team's needs and strengths, and adjust your leadership style accordingly. If your team requires more guidance and support, adopt a shepherd approach; if they're stuck or need to focus on solving complex technical problems, lean into your engineering expertise.

2️⃣ Stay current on industry trends: Keep up with the latest in cybersecurity to adapt your leadership approach for addressing emerging threats and capitalizing on new opportunities. Staying informed will enable you to provide both strategic direction and technical guidance when needed.

3️⃣ Foster open communication: Cultivate a culture of open dialogue within your team, where team members feel comfortable discussing concerns, sharing ideas, and asking for help. This will help you better understand their needs and adapt your leadership style to provide appropriate support and guidance.

4️⃣ Embrace vulnerability: Be open to acknowledging your own limitations and areas for growth. Not only will this help you become a more adaptable leader, but it will also encourage your team members to embrace vulnerability and continuous learning.

By understanding when to guide and nurture your team and when to roll your sleeves up and be the engineer, you can really up-level your leadership IQ. Be vulnerable, reflect on your own leadership style. Which way do you think you lean today? Adapt as needed to become a more effective and resilient leader.

🚀 Go forth and be awesome.

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

Dozens of highly classified documents have been leaked online, revealing sensitive information intended for senior military and intelligence leaders.

Really just stellar following this story and how the reporters took background clues from the leaker’s house where he took the photos in order to identify him. Incredible journalism on this one.

• WhatsApp has launched a new cryptographic security feature to automatically verify a secured connection based on key transparency.

Check out this thread from Matthew Green on why this is so cool:

Interesting technique to watch out for.

"An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update," reads the fake Chrome error message.

“The latest zero-day warning headlines a busy Patch Tuesday that includes fixes for at least 98 documented vulnerabilities across the Windows ecosystem. It comes exactly a month after Redmond confirmed a major no-interaction Outlook vulnerability exploited by Russian hackers since at least April 2022.

So far this year, there have been at least 19 in-the-wild zero-day attacks. Security defects in code from Microsoft feature in about one-third of all observed exploitation in 2023.”

A few folks I respect have been knee deep in some new SAST tools such as CodeQL and Semgrep. They’re super powerful when wielded with the right engineer behind them.

Here is the latest write up I’ve seen about the two and every time I see one I learn something new about them.

Pretty massive ransomware campaign that is out there being super successful right now using a vuln in the GoAnywhere software.

“The U.S. Cybersecurity and Infrastructure Security Agency and other federal agencies have urged all GoAnywhere MFT users to immediately upgrade their software or use workarounds to mitigate the vulnerability”

The kubernetes security 🐐 and KSOC Founder Jimmy Mesta wrote up a few of the latest Kube CVEs that dropped.

“Dan Goodin reports over on Mastodon that FBI Denver warning about so-called juice jacking was not based on any new cases, but rather just a chain of previous news articles. All of which themselves had no solid basis.” - @arekfurt on Twitter

This juice jacking press junket has been wild. Getting people scared about random things. Makes it harder to get them to pay attention when we talk about real threats.

I love these kinds of data piles. I haven’t gotten to slice and dice this one yet but Splunk has a super interesting view of the world so I’m looking forward to it. If I find anything really juicy I’ll make a twitter thread about it.

Community Spotlight:

Want to thank @hakluke for sharing these thoughts on mental health in infosec. I’ve been super public about my struggles with mental health and like to find content to help folks know they’re not alone in this.

From hakluke’s video:

• Half of all cybersecurity pros reported their sleep suffered due to work related stress

• Half of all cybersecurity pros say they’re working between 41-90 hours a week

• Half of all CISOs say their jobs have effected their mental health

… and then the real kicker as a nice cherry on top

• 97% of the C-Suite said that the security team could improve on delivering value on the amount of budget they receive"

So we have both a mental health issue and a perception of value added issue. The more we’re vulnerable about this publicly, the better for all of us. Use this as your superpower to grow your support community around you.

Please write to me and share stories or anecdotes for this section. It goes very well with the theme of being vulnerable together to share stories. I’d especially love to hear about your failures. What is a time you failed? What did you learn? How did it change your life?

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help as always.. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out to us. I’m always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay