
Thoughts for a New Leader

What follows is a list of thoughts crafted in an airport terminal in San Jose, California hours after completing my first attendance at the RSA Conference. This also happens to be the anniversary of my first year as a people leader in the security engineering space. (I had previously mentored and led soldiers in the US Army and in various other civilian industries including Optical Lens Manufacturing and Operational Incident Response.) 


Know your role 

Moving from an engineering role to a people-managing role brings a whole host of new challenges. If your company is like any of the previous ones I've worked at, the "New Manager" pipeline may be...less than stellar.

Reach out to your HR teams and your boss/mentors for a list of things that you're going to need to do. Have you ever reviewed and approved PTO? Make sure you don't have your whole team off at once. Did they get their benefits selected during the enrollment period? What are they doing for training this year? How do you get them approved training, travel, etc...? Do you have hourly employees doing time cards? Do you have to review them?

You don't have to know all this at once, but it's good to start determining what new administrative and "people tasks" you'll be handling in the next week, 30 days, quarter, and year.

Know your team's responsibilities

If you're being promoted from within your own team, this may be a little easier. Even then, it's a worthwhile exercise. Take stock of all the tasks that your team is supposed to complete. Are you a project team? What documentation is required for a project? Do we have templates? How long does it take to complete? How often do we do it? Are there any tasks that only Bob or Alice do?

Now's a good time to start documenting at a minimum a list of what your team does and the services they offer and who can do them. I also like to see if there are single points of failure that I need to be mitigating for.

Once you know what your team does, it's time to determine how. Stay away from major changes at first; you've got a lot on your plate, and you may create resentment if you start trying to change the hows. Instead, try to understand the hows, not the whys. This is a great time to start asking the team about documentation and find out who does and doesn't have processes. Is the process in Alice's brain? Or in Bob's 10k Outlook messages? If so, find a place to start compiling the team's documentation. We don't need to pick a perfect place to store it yet, or make sure it's all in the same format or that it's even well written. Just get a nice pile of what you have in one place.

Some imperfect documentation is better than no documentation.

Next, determine what business processes you're supporting. If your whole team wins the lottery tomorrow, what happens? Can we support these processes if Bob isn't here? Alice?

Know your people 

Start setting up those one-on-ones and keep them. Nothing is more important than your team. If you do have to cancel or reschedule for some reason, make up the meeting as quickly as possible. Within the same day if possible. Your people deserve a leader who cares and you should care and show it. 

A manager manages resources (people, time, equipment). A leader makes new leaders. 

Each team member has desires, plans, hopes for the future, etc. Talk to them and find out what those are. Some of your team members want out; help them plan to get out. Some of your team members want to reduce their meaningless work and do something new. Some have ideas of how to improve the team and the processes.

All these are opportunities to build trust and lead people. Align their desires with your team's goals, and see what cool things you can build together. I've rarely had a team that knew I cared about them not be willing to step up and do hard or boring things when the time required it.

Managers who don't care for their people find themselves standing alone when hard and uninteresting work comes along.

Also, as I mentioned above, some team members want out. Having attrition on your team isn't always a regrettable thing. This deserves a deeper post all on its own, but if a team member has grown outside their role, and the company can't reward or reimburse that growth, it's time for them to go. Encourage them to seek out new employment, even within the company. Push them out of the nest if you have to, but don't keep an over-performer under-appreciated in salary, in title, or in recognition.

Everyone should be getting paid twice. Once in experience, and once in cash. If you're not getting one, you better be getting a LOT of the other.

Know your leaders

Hopefully, you've got a good leader you know well, one who mentored you and guided you into your new position. If not, it's time to start learning. You're in a relationship with your leaders whether you think of it this way or not. You both hopefully have the goal of making your team successful, growing and maintaining your employees, and limiting the amount of negative attention on your team and, by proxy, on you and your leader.

Knowing we have these goals in mind, let's find out what your leader thinks success looks like. Now's also a good time to show what your team is working on. You gathered up all those lists of responsibilities from your team, right? Find out if your leader knows you're working on the things you're working on. Is any of it a surprise? Is anything missing?

When I asked my leader, I was told success was three things. 

1) Taking care of my employees. (All those people tasks.)

2) Completing the tasks assigned to our team. (Managing the resources and responsibilities of our team.)

3) Making the team look good to external parties. (Building up, promoting, and partnering our team with the rest of the org. Praise publicly, correct privately.)   


I also like to set expectations with my leaders as to "delegation" levels. If you're not familiar with the concept, it can be summed up in the following. 

1) Collect information, and I'll tell you what to do.

2) Collect information, and make a recommendation, and I'll tell you what to do.

3) Collect information, and tell me what you're going to do, I'll approve or redirect. 

4) Collect information, and take action and inform me of the results.

5) Collect information, take action, and let me know if something goes awry. 

Since most conflict is derived from unset and unmet expectations, set and meet expectations! Knowing your leader's delegation level on any specific topic can do wonders for your relationship.

Know your peers

You're in a new social class whether you like it or not. Your former individual contributor peers are now your subordinates and you're a company man (or woman). That means you're going to need new friends and peers that are read in on the same information as you. We're not talking classified info, but there's a lot of chaff and nonsense in the air at any given time. If you're taking care of your team, you're going to be shielding them from as much of it as possible.

There are going to be discussions of cost reductions and cutting here or there, discussions around reviews (and review distributions), rumors of purchases, divestments, legal and law enforcement conversations, all kinds of embargoed things that an ethics wall now prevents you from discussing with your former peers.

Meet your new peers, find out what's working for them, and what isn't. Where does their team have frustrations with your team? Find out what their goals are. What are they working on? And what have they worked on? This is a great time to learn how your teams can work together so that both look good. This is especially true if your team is dependent on that team to be successful. (E.g., security teams coordinating with their app, dev, net, and infra teams!)

And their teams

Meet your new peers, find out what's working for them, and what isn't. Where does their team have frustrations with your team? Where does your team perform really well? What issues are they having with their leaders? And what are their leaders good at? What about their team members? 

I had a great situation previously where one of my management peers had a team member struggling with organization, task tracking, and distractions. Instead of my management peer coaching the employee, they knew I had a beneficial system for my team, and had me teach it to their team. Vice versa, I had a management peer with an individual contributor who could have administered a meeting between a sheep and a lion without either taking any damage. (The dude missed his calling as a hostage negotiator!) He came and gave a course to my team to help them manage high-stress situations.
