Leadership Decisions and Actions for Secure Cyberspace Operations

by Walter E. Natemeyer, Carl W. Hunt and Chuck E. Hunt

“The cybersecurity business runs on fear, so it is appropriate that investors have learned to be afraid. While hacking seems like a long-term growth industry, security hasn’t turned out to be the surefire bet many thought it was.” [1]

This quote comes from a business article recently posted in the Wall Street Journal Online, discussing revenues for cybersecurity companies. More than a story about cybersecurity, it’s also a telling piece about leadership in the connected age of cyberspace. Whatever success we’ve had in developing secure cyberspace operations over the years has never been just about software and technology; it has always been about good leadership. It’s not just cyberspace “security,” as the WSJ article points out. We also need leadership.

In recent posts, we’ve talked about the challenges leaders face in secure cyberspace operations (SCO) and the environments they face in orienting to those challenges. Last time, we discussed a valuable construct from John Boyd, called the OODA Loop, that leaders can leverage to orient to the environments of cyberspace and frame decisions and actions.

We’ve been laying the case that leadership in cyberspace, while sharing similar characteristics to leading in other operating environments, also presents novel challenges that did not exist before. Further, our increasing reliance on technology as a surrogate for leadership encourages us to minimize good leadership and management fundamentals and practices to the detriment of the organizations for which we are responsible.

In continuing our case for adaptive leadership and power for secure cyberspace operations (ALP-SCO), we now dig deeper into the kinds of leadership models that are well-suited for organizational success in the connected age.

There are two leadership models that can leverage the insights gained from applying LOD and OODA for ALP-SCO. [2] They are Situational Leadership (SL) [3] and Complex Adaptive Leadership (CAL), which is actually a variant of SL. [4] Situational Leadership was originally developed by Paul Hersey and Ken Blanchard at Ohio University in the late 1960s.

Since we’ve focused on some of Nick Obolensky’s insights about CAL in previous posts, we’ll talk primarily about SL in this post. As Obolensky has shown in his book, Situational Leadership is a cornerstone of all adaptive leadership approaches.

More than 50 years of research has consistently shown that there are two critically important dimensions of leadership behavior: providing direction and providing support. A key element of leadership effectiveness is deciding the mix of the appropriate amount of direction and support to followers; the SL model helps leaders make that important decision.

SL embraces the belief that there is no one best way to lead people. Rather, leaders should vary their leadership style (i.e., direction and support) according to the unique demands of the situation and organizational environment. SL suggests that the most important situational factor is the follower’s performance readiness level with respect to what the leader wants the follower to do. [5]

There are four categories of performance readiness. The first level of readiness is called R1. At this level a follower is very unable to do the job, very unwilling to do the job, or both. So, R1 is very unable and/or very unwilling.

R2 is a person who is somewhat unable but willing. This is a follower who is below average in ability but willing to do what the leader wants the follower to do.

R3 is a follower who has developed to a point that he/she is generally able, but not fully confident or perhaps not fully enthusiastic.

Finally, R4 is the highest level of readiness. This is a follower who has developed to the point where he/she is very able, very willing and very confident.

The key point of Situational Leadership is that it is the performance readiness level of the follower that determines the appropriate leadership style for the leader to employ. [6] Again, the SL Model is based on the two key dimensions of leadership behavior: direction and support. Let’s explore those two dimensions a bit more:

Directive leadership behavior is the degree to which the leader tells followers what to do, how to do it, when to do it, where to do it, who to do it with, when to have it finished, what standards to achieve and procedures to follow, etc.

Supportive leadership behavior consists of a variety of people-oriented behaviors, including the degree to which the leader takes time to engage in two-way communication and engage with what the followers have to say, how much encouragement the leader provides, how much feedback the leader gives, how much the leader praises the followers when they do a good job, how much friendly interaction the leader engages in with them, etc.

In the SL model shown below in Figure 1, Directive Behavior is represented along the horizontal axis, and Supportive Behavior is on the vertical dimension. The key point of SL is that the leader should vary his/her leadership style (i.e., amount of direction and support) according to the follower’s readiness level.



Figure 1 – A Model for Situational Leadership for Secure Cyberspace Operations

The SL model is broken into four sectors representing four distinct leadership styles. In the lower right sector (S1), the leader provides an above average amount of directive behavior combined with a below average amount of supportive behavior. In the upper right sector (S2), the leader provides above average direction and above average supportive behavior. The upper left sector (S3) shows a leader who provides below average direction with above average supportive behavior. And finally, in the lower left sector (S4), the leader provides below average amounts of both directive and supportive behavior. [7]

There is also an additional dimension below the SL leadership style model that represents the readiness level of the follower. Notice that the readiness scale ranges from low readiness (R1) on the right to high readiness (R4) on the left, as we discussed above.

Notional steps for using Situational Leadership are as listed below:

  1. Start by assessing the performance readiness level of your follower with respect to the particular task that you want that person to perform
  2. Then virtually “plot” that assessment along the readiness scale shown at the bottom of Figure 1 (R1, R2, R3, R4)
  3. “Draw” a line from the readiness assessment to the corresponding leadership style
  4. The point of intersection indicates an approximation of the appropriate style to use with that person or group at that point in time, under the constraints imposed by the cyberspace environment

In future posts, we’ll describe in more detail how SL, CAL and OODA can work together so leaders can better appreciate follower readiness and the cyberspace environment they must integrate to make leadership style decisions. Below are some initial examples of integrating these concepts to support secure cyberspace operations.

Examples of Using Situational Leadership in the SCO Environment

R1 requires S1

If the followers are very unable and/or very unwilling to solve a SCO problem, a high level of direction from the leader is required. This category of SCO problem might include a blatant disregard for established password or login procedures, or repeated attempts to visit unauthorized websites. The leader needs to tell the follower(s) what to do, how to do it, etc., and at that point a low level of supportive behavior is required. This assumes that the leader is capable and experienced in relation to the problem and understands the rationale for the procedures that need to be reinforced. If the leader is not a capable R4, he/she needs to connect to an R4 expert to provide the needed direction and support to both the leader and the followers.

R2 requires S2

If the followers face a problem where they are somewhat unable but willing, the leader should provide a high level of direction and support. An example of this type of SCO problem might be seen where a follower repeatedly fails to delete or quarantine and report the receipt of phishing emails, given that such attacks are a favored intrusion vector for cyber criminals. The follower may be mature in other aspects of cybersecurity, but just has problems observing and orienting to the threats this attack vector imposes. The followers’ lack of ability requires high direction while their overall willingness should be reinforced with feedback, encouragement and praise.

R3 requires S3

If the followers are generally able with respect to the SCO challenge they face but they lack confidence or enthusiasm, the leader should provide a low level of direction combined with a high level of feedback, encouragement and praise. Here, the leader also reinforces good follower SCO behaviors, and even solicits techniques that may benefit the rest of the team or organization. S3 allows the followers to use what they know and provides the supportive behaviors required for the followers to increase their confidence and/or enthusiasm. R2 and R3 can sometimes overlap, so it’s important for the leader to exercise balance and discretion to help develop and encourage the follower.

R4 requires S4

If the followers are very able, willing and confident to deal with the SCO challenges they face, the leader should use S4 and delegate the responsibility to deal with the situation to the competent, committed and confident followers. In desired cases such as these, the leader is just as capable of learning about SCO from the follower as the follower is from the leader. Leaders in this case should also be looking for good cybersecurity techniques they are learning from their followers that might scale throughout the organization.

In SCO, it’s critical to note that any follower or leader can instantly become R1, regardless of his/her ability, willingness or confidence in other areas of the job. This is because new cyberspace threats arise frequently, often in what are known as “zero-day exploits,” which are attacks that arrive with no prior warning or intelligence indication. It’s important to understand that operations in cyberspace are still so new to many organizations that anyone can become an R1 at any time and thus need to constantly orient and adapt to the situation as both leaders and followers.

A key benefit of utilizing Situational Leadership is that it can significantly improve the performance of the follower. Therefore, leaders should develop the habit of continually assessing their followers’ readiness level – as well as their own – and take necessary steps to provide the appropriate leadership style (i.e., directive and supportive behavior). In cyberspace operations, nobody stays R4 very long.

In fact, in the dynamic environment of cyberspace, people’s readiness level is likely to be more volatile than ever. Therefore, to maximize success at building and maintaining SCO, leaders need to quickly adapt their style to the readiness level of the follower as well as to the environmental characteristics that the massive interactions and connections of cyberspace present. Also, leaders need to assess their own readiness level and seek direction and support from others who possess the appropriate experience, knowledge and skill with respect to the current situation.

Next time, we’ll talk about the interaction of leadership approaches and leadership power.

Originally posted 8-22-2016.

[1] Gallagher D., “Why Safety Is Hard to Find in Cybersecurity,” The Wall Street Journal, 8/16/2016, accessed 8/18/2016.

[2] This current series will not address in great detail the acquisition and use of power in cyberspace operations. Future additions will examine more deeply the role that power and influence have in the massively networked environment of cyberspace.

[3] For the latest textbook-based presentation on Situational Leadership, see Hersey, P., et al., Management of Organizational Behavior, 10th Edition, Pearson Education, Inc., Saddle River, NJ, 2013.

[4] Obolensky, N., Complex Adaptive Leadership: Embracing Paradox and Uncertainty, Ashgate Publishing Ltd., Kindle Edition, 2014, p. 55.

[5] ALP-SCO extends that thinking to take into equal consideration the impact of the environments of cyberspace.

[6] And, in the case of ALP-SCO, subject also to the demands of the environments of cyberspace, as noted above.

[7] The term “average” is a simplified adjective that serves as a placeholder for the “ground truth” of the follower’s and the environment’s actual requirements on a case-by-case basis.
