How to Embed and Nurture Ethical Fiber into your InfoSec Team

Building and managing an ethical culture for long-term resilience

By Sam Havelock | Former Navy SEAL Commanding Officer

Categorically, everything I know about leadership I learned in the Naval Service: first as a young enlisted Marine, then as a Marine officer, and later as a Naval officer in the SEAL Teams. The Naval Service, which encompasses both the Navy and the Marine Corps, invests extraordinary resources in each and every service member to teach, train and emphasize ethics. Can you train someone on ethics? Absolutely, and that’s a good thing for information security team leaders.

The Department of Defense takes people from all walks of life and manages to instill a system-wide expectation of high ethics. Because of the nature of warfare, the military relies heavily on centralized planning but decentralized execution, which requires a high level of trust. Service members are expected to be ethical warriors, steeped in core values. As you consider your information security team and the multitude of critical decisions it faces, ethics are paramount to driving initiative, autonomy and flexible execution for the best possible outcomes.

To maintain a high-performing team that operates with innovation and agility, start with an ethical culture. Don’t expect ethics to arrive in a tense security breach just at the moment you need them. As a CISO, there will come a time when you are powerless to influence the people on your team operating at the edge of a security incident. They will make decisions in the moment and you will have to live with them because as their leader, you are ultimately responsible. Ethical fiber must be woven throughout your organization ahead of time so that leaders and team members, from the top to the bottom, can be trusted and accountable to take positive action in the absence of oversight and orders. The hallmark of a high performing team is when people do the right things when no one is looking.

Three Action Steps to Increase Ethical Fiber

Ethics are the moral principles that govern a person’s behavior. Establishing and maintaining an ethical culture starts at the top. Key actions you can take to weave ethical fiber throughout your organization include:

  • Identifying the characteristics of ethical leaders.

  • Applying heuristics during the recruiting and hiring processes.

  • Making ethics a vital part of the culture through constant emphasis.

Free Range Leadership or Accountable? Which Leadership Style is Best?

After 21 years commanding different units in the Naval Service, I’ve observed that junior leaders typically emerge along two different dimensions. One type of leader subscribes to a culture of accountability. The other type I refer to as a “free-range” leader: one who often possesses natural leadership ability but demonstrates situational ethics, typically highlighted by taking shortcuts. CISOs should recognize which style of junior leader is currently embedded in their teams and manage accordingly. To add a further element of complexity, highly talented performers can be hard to manage. You want bright, intelligent people who operate with a relative degree of freedom, but you need everyone to be grounded in an ethical foundation.

This constant level of tension and energy can produce excellent, capable teams. But if you don’t address the “free-range” leaders, they will take over your organization. Strive to reach a fine balance between nurturing your team’s creativity and innovation within a set of ethical boundaries.

Test for Ethical Fiber When Recruiting and Hiring

Information security professionals deal with sensitive information constantly. Ethics should be a primary driver in the recruiting and hiring process. It is easier to start with an ethical person and train them on specific skills for the job than the other way around. The military service is proof that you can train anyone on ethics, provided you are willing to do the work to set and maintain a culture of ethics after the training. Interestingly, you can also test people for ethical predisposition. Behavioral indexes such as the widely used DISC profiles, administered and interpreted by trained professionals like SOFX performance coaches and recruiters, can enable your hiring managers to determine which candidates are predisposed to operating from a basis of integrity. If your HR department is not using some of the more advanced DISC-profile-based behavioral surveys ahead of hiring, you should ask that they do. As a recruiting firm, we regularly use these tools in support of our clients’ talent recruiting objectives.

During interviews, make sure to discuss ethics and how vital ethical fiber is to your organization. If a candidate seems mostly motivated by salary, definitely dig deeper into their ethical background. Ask about a time when their ethics were tested. See how the candidate responds, and use your intuition on their comfort level.

Emphasize Ethics Consistently

An ethical culture is not created overnight. It is a complex process that requires time and effort. Just because your organization has identified leaders who exhibit strong ethics and accountability, and can make hiring decisions based on a candidate’s ethical fiber, doesn’t mean the work is over. Make a consistent effort to bring ethics to the forefront with leaders and team members. Be transparent about security incidents and communicate constantly and thoroughly.

Let the team know that profitable, short-term, but unethical decisions are undesirable. And let your compensation structure reflect that ethics are paramount. Recognize that you can’t really control people — all you can do is influence them by setting examples and setting a culture of accountability.

Reflecting on a Life-or-Death Ethical Decision

While I was a SEAL unit leader, I experienced several situations in which I entrusted my team members to make life-or-death decisions. During a particular deployment, my team was operating in a tense, sniper-filled environment when we were notified of a high-priority mission. We were tasked with protecting a VIP dignitary’s arrival. To execute the mission, we positioned our snipers around the perimeter of the area where the distinguished visitor would arrive. Our snipers were tasked with hypervigilance, looking for any potential threats to the distinguished visitor. If anything had happened to this dignitary, it would have caused an international incident.

In this situation, I was relying on each individual sniper to make life & death decisions — in terms of the safety of the dignitary, and also the decision to eliminate a credible threat. As the commander of the operation, I had a vantage point of the whole area from a rooftop, but I had no ability to see what each sniper was seeing. The snipers could only report to me over the radio. I could give guidance based on what they reported and what I saw. The single, standing order of this mission was “if you see someone point a gun at the distinguished visitor, shoot that person.”

As soon as the dignitary arrived, I received a radio call from one of my snipers, who reported, “Sir, I have a problem. Someone is pointing a gun at the dignitary.” The standing order was to shoot that person. But there was complexity. My sniper reported that the person pointing the gun was from a different NATO unit, and his hand was not on the trigger. In this instance, I had to trust the situational understanding of my team member, and I had to tell him to use his best judgment. If he took out a member of a fellow NATO unit, it would spark an international incident. But if anything happened to the dignitary when my team could have prevented it, it would have been the end of my career.

In the end, we were able to communicate within the NATO forces to clarify that there was no threat. In this life-or-death example, I had to trust the ethical fiber of my team to make the right decision.

This blog post was written by Sam Havelock.

Sam Havelock

Havelock commanded numerous operational units across a variety of echelons of SOF, including the battalion level. He was Program Manager for the United States Special Operations Command from 2011–2012 and was a Commanding Officer of the Naval Special Warfare Special Reconnaissance Team ONE (NSW-SRT-1) from 2008–2011.

Havelock is currently the Chief Executive Officer of SOFX Inc, The Special Operations Forces Network, a media-based information technology company organized as a socio-industrial network.

SOFX’s mission is to provide information and connectivity of extreme value to special operators and a global network of high influence people, so that evil may be defeated and suffering averted at scale.
