
Please welcome our last speaker of the day, Suraiya Rosenberg. Please give her a round of applause.
You can get started. Hi, I'm Suraiya. I've been responsible for securing one of the largest cloud environments in the world, and I've been responsible for securing one of the largest CDNs in the world. Why did I bring that up? That's not directly relevant to the subject of this talk. But you accepted it as though it was. Why? Because the positions that we hold confer power. I'm more credible as a speaker and as an epistemic knower of things because of the positions that I have held. I want to equip you to understand the terminology and the concepts of power dynamics in security leadership. So, why should you listen to me? I spent the last several years writing about power dynamics and management because I have three special interests: power, management, and communication.
Slides are auto advancing. You should stop.
So, I started learning about the academic foundations of power dynamics through courses in psychology, sociology, and philosophy. But more specifically, I've learned about power not only through courses and books, but because my lived experience forces me to. My lived experience requires me to be efficient and intentional with my use of power, because the stigma that I experience burns holes in my ability to collect or leverage traditional forms of power. The classic management books and courses and ideas don't work for me. I'm a highly effective leader because I have been forced to learn how to lead. Spoiler warning: this talk will contain a modest assortment of spicy interjections. If you prefer a sanitized version of this talk, please enter the following command into your nearest bash terminal. Some of you may have noticed that this looks like a fork bomb. It's not. This command just ends itself. It's not okay to use power to harm someone else. No idea what's causing the auto slide advance. So, this looks like a fork bomb. It's not. It's not okay to use power to harm other people. This is a lesson in power dynamics, the ethics of power dynamics. It doesn't matter if you disagree with someone, you do not harm them. Unless they're fascist. The bear and the fish do not come to the table as equals. Almost every SRE or sysadmin has horror stories about working with security teams, because for decades authoritative security teams were the dominant paradigm across the industry, and then there was a shift towards security not being the department of no. Guardrails, not gates. But now, both inside and outside of security, there's a shift across the industry back towards forceful, directive authority. It's important for you to know that every time you use authoritative power, it is a trust withdrawal. The impact is small if you're thoughtful and careful, but it's always a withdrawal. You can regain that trust if you're careful about your impact, if you're transparent about the outcomes that you're trying to achieve and your approach, but remember that trust is faster to lose than it is to build.
I want you to think about a time that someone was resistant to collaborating with security. Think about the power and influence that were involved in that situation.
What is the threat model for leadership? What are your assets? What are your risks? There are many different things involved. But first and foremost, the trust of your team and your colleagues. Trust is the lifeblood that enables our work. So many leaders want people to trust them, but that's exactly backwards. In organizations, positions are typically appointed through the hierarchy of the organization and the authority of the organization. However, like trust, leadership is something that grows. It's earned over time, slowly. It's slow to build and quickly lost. Harrow says to Gideon in Gideon the Ninth, "I need you to trust me." And Gideon responds, "I need you to be trustworthy."
What's the goal of security leadership? Leadership is not a goal. So it could be, for example, composing and orchestrating security outcomes for an organization. But how can a single security engineer achieve that? A single electron cannot achieve anything. But a million electrons aligned and flowing in the same direction, that sure amps things up.
I'm going to be introducing some new terms. I want you to understand why terminology is important to understanding concepts. If you do not have the words to understand a concept, you'll be less effective in trying to understand or communicate about it. For example, we need terms like misogyny and misogynoir to understand the oppression that is faced by women. Without these words, we are impaired in our ability to communicate and address that oppression. Wittgenstein said, "What we cannot speak about, we must pass over in silence." Now put simply, power is the ability to influence. Power isn't exclusively money or positions or authority. Power is the ability to influence. So for example, a manager holds the power to hire or to fire.
You can pick someone. Could you raise your hand, please? Thank you. That's power. Weber identified three types of authority. Charismatic authority, such as influencing someone to raise their hand. Traditional authority, such as the patriarchy, which was pretty sweet for some people, not so much for everyone. Rational-legal authority is, for example, a manager managing a team: a person in a position, a speaker with an audience. Now, as a context note, Weber lived in Germany at the end of the 19th century and the beginning of the 20th century. This was as industrial automation increasingly produced a shift in the labor force, from manual labor increasingly towards knowledge workers such as scientists or engineers. The late 19th century is known for Taylorism and mechanistic scientific management. It runs on hierarchies, hierarchical leadership and authority, measurements, and an analytical, scientific approach to performance evaluation. It's like a microscope on every action. Modern management developed through the early 20th century into the mid and late 20th century due to the rise of knowledge workers and human relations. It was still strongly hierarchical, still had an attitude like the boss knows best, but there was an emerging investment in coaching and career growth, autonomy, motivation, teamwork. These management approaches continued to evolve into the end of the 20th century and the beginning of the 21st century, with greater adaptability in the digital age, again focusing on motivation, team autonomy, and generally a greater focus on human well-being.
So, all of these methods emerged because they're the most effective way to lead an organization. Heavy-handed and directive methods of change management can be an appealing shortcut to drive something forward if there are urgent priorities or when workers are imprisoned by a hostile job market. But ultimately, methods like that will end up burning trust and worker motivation. Mary Parker Follett was a management consultant and philosopher at the beginning of the 20th century, contemporary to Weber. She's now known as the mother of modern management. Now, for some reason I can't quite put my finger on, her ideas didn't rise to prominence until the end of the 20th century. Mary Parker Follett distinguished power over from power with.
Power over is a directive form of power, such as a manager who assigns work to a direct report. Whereas power with leverages empowerment to influence someone's actions, such as a manager coaching a report. Again, I want you to be thoughtful when you think about power over, using directive forms of power, and avoid being directive or authoritative unless it's truly necessary. Such as incident response for Log4j. Or, for example, a critical vulnerability that comes out week after week after week. Jumping on every single one of them. Seems like vulnerabilities week after week from the same company. It's a pattern I've seen somewhere. More of you would be laughing at that joke if you had done the pre-work by reading Gideon the Ninth. It's okay. I want you to know that you can read it later. Like a stake through the heart. You'll get it in the end. Hannah Arendt defines power as a collaborative concept. Power corresponds to the human ability not just to act, but to act in concert. Coincidentally, part of the theme today. In her way of thinking, a leader doesn't hold power in and of themselves. Rather, there's collective power through the group. Power comes about through that collaboration, not through the individual leader. In this way of thinking, the power is held by the group. It's important to think about in people management: people management is not that form of power. The primary form of power in people management is an authoritative power that is inherited through the organization, and by the wider collection of people managers and the authority of that organization. That creates the imbalanced manager-report power dynamic. There are different forms of power. They all exist layered on top of each other. There are many forms of power that are held by a manager. There's the authority that they hold as part of the group, as part of the organization. There's collective power that they can hold as leader of a team. They can leverage power over, they can leverage power with. There are many forms of power out there. Some of these forms of power you wield intentionally. Some of those forms of power are there no matter what you want. They're always going to be there. So, formal power, like a manager's ability to fire, hangs like the sword of Damocles by a thread above every report's head. Now, a context note here. I talked about Weber living at the end of the 19th century. Hannah Arendt lived through the mid-20th century. Hannah Arendt wrote these things after fleeing the Holocaust, as is a tradition among my people: to flee in times of fascism. Or die, which I'm given to understand is the popular preference. I bring this up because it's important for you to understand that power is not simply titles or charisma, influence, authority, force. Power is socially situated: in racial power dynamics, in ethical power dynamics, in gendered power dynamics, in marginalized bodies, in classism, and so much more. There are many forms of power.
Let's talk about bringing this into practical security scenarios. Influence without authority is the bread and butter of security leadership. We talked a bit about directing versus empowering, power over versus power with. Neither of these is strictly better or worse than the other. There are appropriate and inappropriate uses for each. For example, when a child runs into a busy street and a parent yells, "Stop!" that's an appropriate use of directive power. If I were to prank you into running harmful code on your laptop, that's an inappropriate use of power. Authority isn't leadership. Authority is force. Leadership involves more than just authority. Like directive power, authority is something that is necessary in rare circumstances while often being inappropriate. Choose how you lead and when you use the chain of command.
Let's go a little deeper. So, the basic recipe for influencing security goals without authority involves four steps. First, establish rapport: charismatic authority. Second, emphasize shared goals, thinking about collective power, collaborative power. Third, provide security risk context, such as the outcomes of a hypothetical attacker scenario. That uses Mary Parker Follett's concept of integration to bring in distinct perspectives, so that your perspective is combined with the perspectives of the different teams that you work with, and through your partnership you integrate those perspectives in order to make a decision to move forward. And last, describe mitigation options. You could describe potential mitigating security controls within the attack chain. That's not telling them what to do, telling them exactly what choice they have to make. It's giving them options. You've given them the context to understand the risk, the threats that are out there, the consequences, and the things that they can do about it. And together, you leverage power with to influence their decision in support of your shared goals.
Manager and report relationships are going to go back and forth between different kinds of power: power over, power with. There are going to be times where it makes sense to use power over, like a time-sensitive pivot to change priorities within the organization. There are also many times where it's important to make sure that you're using power with: empowering someone through giving feedback, through supporting someone's growth, or by thinking about the core needs within the workplace. In security incident response, an incident commander is directive, delegating to incident responders. Maybe some of you are familiar with the concept of executive swoop. In an executive swoop, an executive at a company, say a director, VP, or C-level, comes into an incident. Maybe they're just standing there. Maybe they're asking questions. Their presence there and their actions disrupt the incident. So, it's called executive swoop because it can change the incident, and it's often preferred to be avoided. Why is it disruptive? One reason is the power dynamics. The power that an executive holds, that they bring into that incident, disrupts the directive power, the authority of the incident commander. Again, there are many forms of power involved in all of this. The incident commander is using multiple forms of power. They're not just telling people what to do. They're also empowering people to take action. But the power dynamics held by the incident commander and the power dynamics among the responders are disrupted by the power that is wielded by the executive.
Geese. Geese are two things. First of all, they're scary as [expletive]. When they come running at you, hissing and honking, with their wings spread, that's pretty scary. Two, geese are fragile as [expletive]. They have hollow bones. You know how brittle a goose is? And in your security roles, have you ever walked into a situation where people that you worked with reacted suddenly with upset, and they reacted with anger? Can you think of a situation like that?
I remember an incident like that. We were trying to add an audit feature into our capabilities. We wanted to know every time someone accessed customer data: who accessed customer data, when, and for what reason. We talked about this goal, what we wanted to achieve through it, and how we would do it. And our customer support team reacted with anger. I want to take a step back here for a second. They might have reacted defensively no matter how we approached that. The history of how they were treated in the past became part of their reaction in that present moment. It doesn't make it wrong. So, we took a step back to understand: where is this anger coming from? What are you afraid of? They were worried that we were looking over their shoulder, that we were judging their actions. They were worried that we were going to interrupt their workflow, that they weren't going to be able to do all the work that they needed to do because they had to make extra clicks and write extra things into text boxes. It was going to disrupt their work. And they were afraid. So we stepped back. We found a way to think about this and said, well, what if we embedded this transparently? We can use the HTTP referrer, so we know that when you click to go into a customer's account, we know that you're helping them. We know that you're helping this particular customer with this particular ticket. We know who you're helping. We know what you're doing. We know why, and we have a log of it. And you do not take any different action. It does not change your workflow. It provides evidence that you are doing your job. And everyone was happy. It's important to think about these situations. People can react with anger when they feel overwhelmed. People can react with anger when they feel that they don't have power in a situation. Hannah Arendt said, violence is the expression of impotence. Zero is not a target. Don't aim for zero upset people in your work. Don't aim for zero anger. Don't aim for zero disagreements. The bear and the fish do not come to the table as equals. Now, Rollo May built on this. He was thinking about Hannah Arendt as well and what she said. And Rollo May said that it is important to see that violence is the end result of repressed anger and rage combined with constant fear based on the patient's powerlessness. He was writing this as a clinical psychologist, a bit of a different scenario. But he's seeing the same patterns. Again, these scenarios are where someone is reacting with anger, with violence, with rage. It comes out of powerlessness. It comes out of repressed anger and rage.
Tranquility can be a warning sign. If someone isn't reacting, what's going on beneath the surface? What haven't they shared with you? Do they feel safe sharing their concerns with you? If not, that might bubble up and come out later. Actively engaging to question a situation is a prosocial behavior, whereas exclusively, passively following instructions without question can also end up being ultimately destructive. If you lead with curiosity and seek to understand why someone is reacting with anger, or why someone is being quiet, you can avoid a conflict and de-escalate a hard conversation into a collaboration. That being said, sometimes destructive actions are simply an abuse of power, and not an outbreak of violence, such as the supposed equal-opportunity behavior that is allowed to run rampant. The impact of a bully, of a "genius jerk," we've all seen these scenarios happen. And the impact of these is never equal among their targets, regardless of the distribution of their behaviors. Again, power is socially situated. The bear and the fish do not come to the table as equals. This involves socially situated power dynamics, in addition to charismatic power, authority, role power, and other forms of power dynamics. They all exist layered in together. Let's put this all together. Go back to the security scenario that we talked about at the beginning. I asked you to think of a security scenario. Think about that again. Take a moment to think about how different forms of power were involved in that situation. How did power show up? How could you have approached that situation differently, knowing what you know now? What are things that you might think about or ask? How would you change your behavior? Does it change how you think about their behavior?
A few key takeaways I want to leave you with. The basics: power is the ability to influence. I implore you to leverage power with and collaborative power to build healthy security relationships and achieve security outcomes. Zero is not a target. Disagreements and discussions are healthy relationship-building exercises. And finally, I implore you, use power for good. Thank you.
Thank you so much for a great and inspiring talk. I hope it left everyone thinking a little bit about their own interpersonal work, or maybe personal relationships. Unfortunately, we don't have time for Q&A, but if you have any questions, and if you agree with that, of course, you can come up after the talk directly and ask. So, thank you again for a great presentation. We have a small present for you as well. And yeah, please give another round of applause.
My slides are available on my website. And my website also has links to LinkedIn, social media, and my writing as well.