The Dark Side of Security Leadership

Why we do what we do and pitfalls

This post got a little long, although still not comprehensive, but I hope it provides insight into how security teams work (or don’t) at organizations everywhere, and how we (on all sides) can improve.

But first, the lighter side of things…

Why We Do What We Do?

If you’ve ever listened to the Getting Into Infosec podcast you would know that there are many different paths into the field of cybersecurity. Some were accidental, some were headed in that direction from an early age.

You may have noticed a pattern though.

They all had innate curiosity and wanted to solve a problem.

Call it altruism or whatever it may be, but cybersecurity people genuinely want to improve the security of their environment.

For us to be effective, and give good guidance, we have to know a lot about many different aspects and systems.

This job keeps us on our toes.

We are pretty damn good at finding the issues with a system, and if we’re worth our salt, we are good at coaching people on how to fix this, ideally with multiple options.

Dark Side

I would be remiss if I didn’t talk about the dark side of our jobs. There is a lot, unfortunately, but it often comes down to a few simple ingredients:

  • Misaligned expectations (on either side)

  • Incorrect amount of political capital

The result of which can lead to burnout and poor job satisfaction.

Remember, security people want to see a security system improve. 

Yes, we love finding issues, but we love even more when those issues are resolved and remediated.

Misaligned Expectations

This can come in many different forms, but they sometimes look like this:

  • Not enough vulnerabilities found

  • Vulnerabilities not remediated in a timely manner

  • Too many security incidents

  • Too few security incidents (yeah, we are to blame when all is well - the assumption is they exist but are not being found)

  • Too slow

  • Too fast

  • CISOs speaking up too much

Again, these are typically the symptoms of misaligned expectations. 

Some of the root causes of these are:

  • Lack of security culture organization wide

  • Misunderstanding of an effective security program

  • Lack of budget

  • CISOs relying on tools rather than being problem oriented

  • CISOs not communicating appropriately or in a language the business understands

  • CISO / Security mismatch in styles and approach

Incorrect Amount of Political Capital

I said incorrect, because the pendulum can swing both ways.

You may not have enough political capital and backing to actually be relevant or get changes done. Your effectiveness often depends on where you sit in the organization and the authority behind you.

This can result in a token security hire that is ineffective and sometimes a scapegoat.

Not only that, but we often don’t control the remediation. This puts us in the precarious position of relying on an outside group to complete the work, and of finding a delicate way not to throw them under the bus when it isn’t done.

On the other hand, sometimes Security has too much power.

In that case, they are hated by their counterparts who are then reluctant to work with them or help them with their goals.

Security then gets frustrated and wonders why their job is so hard.

A Path Forward

If you’re on the dating scene, you may have asked a potential partner “How do you resolve problems?” or “How do you react when you’re angry?”.

One answer I heard from a potential partner was “Everything is solvable”. I loved this answer, as it communicated to me how they think.

So for those frustrated in or with Information Security teams, here is some salient advice:

Communicate Often

This is such a common mistake all around. 

  • Weekly & Monthly Status Reports

  • Quarterly Dashboards

Note: Remediation of issues may take longer than expected, especially when not under security’s control.

Talk to the right people

Sometimes it’s hard to tell who really:

  1. Is in charge of security

  2. Cares enough about security to effect change

So figure out who’s who in the organization and what political capital they hold. This is especially true with leadership changes.

Speak their language

What does the business care about? Reputation? Sales? Stability?

Are they pre-product?

What are their customers concerned about?

Step back and get a pulse of the relationship

Have a check-in with your stakeholder(s) every so often. This is a healthy exercise no matter where you are, security or not.

Questions to ask:

  • How am I doing?

  • What could be better?

  • How can I help you?

Document your work!

If it’s not written down, it didn’t happen.

Use the same systems as your peers (Jira, Linear, Notion, Asana, etc). 

Many security teams keep their work hidden, but that doesn’t work anymore. Be as transparent with your workload as possible.

Break large items into smaller chunks. Comment and update tickets often.

Conclusion

At the end of the day it’s about human relationships and culture. 

Just like any relationship, both sides have to put in the work and effort to maintain it.

If you neglect it, you drift apart and suddenly ask yourself, how did we get here?

In Other News…

Here are some stories I ran into this week that I thought were interesting…

As mentioned, if security people are not enabled with budget, it’s going to be hard to fix things:

Some background behind yet another open source breakup. They have a webinar on Feb 20th, so I’m interested in hearing what they have to say.

Even giants have fails. This was a human error that led to an outage for an hour on what is supposed to be highly available storage (R2). Kudos to them for publishing a detailed incident report. Although, I would love to know exactly what knob or button in the Admin API was pressed that resulted in this, but it’s a public company, so will have to rely on conjecture lol.

Lastly, a tool that will convert a website into markdown! Wow! (Thanks Blake!)

Last week he had a special AI news episode with the release and confusion around DeepSeek. Good discussion. Other segments in this playlist.

Non-Security

My good friend Blake suggested the episode below. Wasn’t too hard as I’m already a big fan of the Hidden Brain. I found this episode apropos with today’s content as well.

Thanks for reading, have an awesome week!

About Ayman

Ayman Elsawah is a cybersecurity veteran with over 20+ years of experience in cybersecurity.

He is a Fractional CISO for High Growth Cloud Based SaaS companies with technical coverage areas including Zero Trust Architecture, Identity and Access Management, and Product Security.

He’s also an author, podcast host, and public speaker. He’s also the co-host of SC Media’s Enterprise Security Weekly with Adrian Sanabria. He is currently working on his own Youtube channel as well.

He’s a coffee aficionado and likes to take an empathetic approach towards information security management.
