The finalists for WashingtonExec’s Chief Officer Awards were announced March 25, and we’ll be highlighting some of them until the event takes place live, in person May 11 at The Ritz-Carlton in McLean, Virginia.
Next is Chief Information Security Officer (Government) finalist Eric Sanders, who’s CISO in the Office of Intelligence and Analysis at the Department of Homeland Security. Here, he talks about the biggest professional risk he has taken, proud career moments, what he has learned from failure and more.
Which rules do you think you should break more as a government/industry leader?
Challenge the status quo! I find that we often get in our own way. Time-consuming processes and low-value compliance mandates are just two of the many ways it happens. Whenever and wherever I can eliminate a low-value requirement or steps in a lengthy process, I will. That might mean a new FISMA finding, but I am OK with that.
I am also not big on rigid organizational norms. While I am careful to respect my leaders and the formalities they expect, I try to make it clear to my team that I am not concerned about traditional norms. If you have an idea, concern or complaint to share, or if you just want to respectfully challenge or debate an approach, I want to hear it.
What’s the biggest professional risk you’ve ever taken?
At a previous agency, the cybersecurity mission was split between two different organizations under different senior executive leaders. The bifurcation made finger pointing, inconsistency and confusion the norm. Programs suffered. It took forever to navigate the IT assessment and authorization process. Unfortunately, there was little appetite to fix the longstanding problem because it meant that someone was going to lose authority and resources, which is never received well by senior executives.
While politically and professionally precarious, I felt compelled to fix the issue — it was the right thing to do for the organization and the success of its mission. Agency leadership was watching, including the director and his deputies. If I failed, I was convinced it would probably never be tried again by anyone that followed me.
I engaged in very difficult negotiations to create what appeared outwardly to be a win-win for everyone. I eased the concern over the perception of losing a large part of the organization and a role in cybersecurity by giving them a larger role in another cybersecurity function and agreeing to absorb some of the budget impacts associated with the changes.
As a GS-15, I was punching up, but I achieved the outcome I sought. It was, perhaps, one of my most significant professional accomplishments and vastly improved the A&A process for the agency.
Looking back at your career, what are you most proud of?
There are two successes that come to mind. When I took over as CISO at a prior agency, employee opinion surveys for the cybersecurity organization were among the lowest across the workforce (contractors and government). People didn’t feel connected to the mission. They didn’t have a sense of belonging or believe that their ideas mattered.
Being passionate about servant leadership and believing that people are the most important part of any mission, I was compelled to make things better. Much better. However, reality was setting in. Not only was this my first time as a CISO, I was also at a new agency and went from leading ~100 people to leading over 400.
For the first time, the entire cybersecurity organization was my responsibility, and the challenges were numerous and non-trivial. In addition to the morale issue, the cybersecurity budget was constant fodder for other programs because it historically didn’t execute successfully.
I set out, as the saying goes, to eat the elephant one bite at a time. I assessed the entire program, reprioritized resources and reprogrammed all projects and expenditures. Ultimately, I was able to get budget execution on track for the first time in the history of the cybersecurity office.
But I am most proud of the turnaround in the morale of the office. I created a culture of transparency, collaboration and inclusion and established an agencywide cybersecurity strategy to guide efforts and investments. Opinion survey ratings improved dramatically. Three of the areas with greatest improvement were work-life balance, employee development, and diversity with favorable scores of 96%.
A past mentor in my life said many times, “Take care of the people and the mission will take care of itself,” and it was certainly true for the cybersecurity office.
What’s one key thing you learned from a failure you had?
Don’t rely on one leadership style! We all have leadership styles that come naturally to us; I prefer to take a laissez-faire approach and give my team the independence and latitude to get the work done however they choose.
I am also big on taking a participative approach in many situations and will be authoritative when appropriate. Those approaches are in my wheelhouse, normally work very well and usually result in successful outcomes. However, there are situations where a different style is needed to be successful.
Personally, I despise micromanagement and avoid it at nearly all costs. That aversion almost resulted in an unacceptable failure. That close call taught me that there are times and situations where I must step out of my comfort zone and take a more active role in a project than I would like to achieve a successful outcome.
What’s your best career advice for those who want to follow in your footsteps?
Challenge your own ideas, be inclusive and never stop learning. I think many leaders believe their natural brilliance got them to where they are and will get them to where they want to go. Those leaders tend to have too much confidence in their beliefs, which can lead to a biased or myopic view of the world and the workplace.
If you are willing to truly challenge your own ideas and assumptions and welcome differing viewpoints, your decisions will almost certainly result in better outcomes. You must be deliberate about it.
Lastly, if you aren’t investing in yourself on an ongoing basis, your value to others and the organization will diminish over time.