What Ted Lasso can teach us about cybersecurity leadership

The show Ted Lasso took Apple TV by storm, winning Emmies and the population's hearts. I recently discovered this tale of an American football coach hired to coach European football (soccer). Despite not knowing the game's rules, Lasso succeeds thanks to building his team on empathy and care.

I fell in love with the show due to its approach to leadership. Simply put: optimism and empathy can bring the best out of people.

I'll go a step further: Ted Lasso's style of leadership is the only way to make cybersecurity leadership work in an enterprise setting.

Let me draw the parallels between some problems inherent to security and the ways an empathetic leader can address them uniquely, whereas a traditional "authority" figure couldn't.

It's not about wins and losses

For me, success is not about the wins and losses. It's about helping these young fellas be the best versions of themselves on and off the field. (Ted Lasson, S01E03)

Ted Lasso repeats this to baffled journalists. In professional sports, this requires bold vision. In cybersecurity, there is no such thing as "winning" security. Security is never finished.

If a security leader measures success by the absence of breaches, they are looking at the problem from a pessimistic perspective. They will play "incident whack-a-mole", throwing money on technology and people in a reactive manner.

What is missing? As I wrote, security is akin to exercise. You build habits that make you stronger and healthier. On a long enough timeline, everybody suffers a security breach. The security team and its relationships in your organization will define the height of the impact and the duration of the recovery.

Security brings positive externalities:

Information security, both as an individual and a business, usually correlates with doing the right thing and doing things right. It becomes a question of ethics and integrity.

You are not just preventing breaches. You help build the best systems.

Security is about relationships

Throughout the series, Lasso insists on having "biscuits with the boss" daily meetings to get to know the team's owner. He surveys the players about the locker room quality and gets the showerheads fixed. He remembers birthdays. He values the feedback of low-level employees about game tactics. He listens and cares about the little things.

All the success I've ever had in security has been due to my relationships and my ability to influence people. Remember: security brings conflicts. It is at odds with market imperatives. It's costly and inconvenient most of the time. It's much easier to work on a solution when you know the person in front of you and what drives them. Caring about the details shows I value the individual, even when I'm about to tell them about how their system design needs to be started over because it's got more holes than Swiss cheese.

The most useful text I've ever read about security leadership comes from Google Cloud CISO Phil Venables:

The key to much of the success of the security program is, of course, the ability to leverage the work of everyone in the organization. Doing this is to align with their objectives, to be collaborative and, well, be nice.

Understanding people's motivations removes second-guessing and miscommunications. Being helpful to these individuals, in return, builds a base of support that is necessary to "inject" security into products and systems.

This matters even more knowing that top-down models are going out of fashion...

Push rather than pull

Roy: I've had it with your mind games and your stupid gifts. I mean, what even is A Wrinkle in Time?
Trent: It's a lovely novel. It's the story of a young girl's struggle with the burden of leadership as she journeys through space.
Ted: Yeah. That's it.
Roy: Am I supposed to be the little girl?
Ted: I'd like you to be. (S01E03)

A long thread of the first season revolves around Ted's ability to earn the team captain's trust. The foul-mouthed veteran just wants to wait it out until Lasso gets fired. The coach keeps reminding him of how valuable his leadership is and how it can be used to benefit the team until he wins him over.

What never happens is an alpha male dog fight. Despite the insults, Lasso never attempts to "break" the captain, or "show him who's boss".

In most security settings, getting this type of buy-in is the only way to deliver security initiatives.

See, the cybersecurity textbooks have one glaring flaw: it has been built by and for the USA Department of Defense (DoD) at its core. It has a strong military bias. What is the best attribute of the military? A strong top-down structure. Most companies in the civil world do not operate in the same manner. In tech, flexibility, experimentation and innovation are valued. You can't just force somebody to work on something they don't want to do. Drill Sergeants (or "Led Tassos" as we see on the show) will lose their teams in days.

In security, the threat of punishment does not work, neither does authority. "Do this or we shut you down!" is crying wolf. You will get second-guessed. People will argue against you longer than it would have taken them to fix their vulnerabilities. I've never seen it any other way, based on everybody I spoke with. "No director is ever going to sacrifice their quarterly objectives so I can work on security!", "It's your security thing versus my OKR". In business, the finite problems (quarters, objectives) often trump security.

Empowering individuals who do choose security is a preferable alternative. Many people do understand the core intrinsic value of security. Make sure to praise their behaviours.

It's not about being cheerful

In the first season, Ted Lasso benches his best player because he's being a prima donna. Yes, the character may be all puns and pop culture references, but he's not out there to be liked. He does make the tough decisions.

Threading the needle between building a relationship and being severe is one of the hardest skills in information security. The fact is, only using the stick will lead to people actively avoiding you. I've seen it happen! On the other hand, just patting people on the back makes you irrelevant. Organizations don't need yes-people: you must challenge your peers.

I know this may sound silly coming from me, who's had tremendous success building relationships thanks to my dad jokes, but being liked is secondary. In the end, it's about being relevant and setting your "hills to die on".

Got another lesson from Ted Lasso? I must admit, his most famous advice of "being a goldfish" doesn't work in security. Or does it? Tell me in the comments!