The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

A Three-Part Leadership Framework for the Cyber Community: A Model of Trust, Risk, and Influence

  • By Dr. John M. Hinck and Lt Col Charles “Gator” Spaulding

The Need for a New Theory of Leadership in the Cyber Community

This article explores how and why a new cyber leadership theory is needed for our military by extending the work of past scholars, updating existing models, and offering a novel leadership theory specific to the cyber community. In relation to cyber, the theory reimagines how "leadership" is understood, conceptualized, and applied and provides the "what, why, and how" for any person to take up the leadership role. The new theory enables cyber leaders to be postured to take up the leadership role via trust, risk, and influence in the demanding cyber community and in relation to our strategic environment.

There is no codified, agreed-upon theory of cyber leadership. Critical scholars discuss the importance of leadership skills to manage the technical stuff (technical competence), how to govern and formulate policy (policy competence), and, within technical and policy sources, there is some inclusion of how to conduct risk analysis and maintain resiliency (risk or resilience competence).[1] Yet the literature lacks a foundation for a more formal leadership competence that plays the critical role of integrating the other three competency areas in the cyber community, which is at the heart of what could be a meaningful contribution to cyber and leadership scholarship. In 2011, cyber authors claimed “that successfully leading cyber warriors takes a different type of leader, one who is comfortable in the inherently technical cyber domain, appreciates technical expertise, and understands the personality types, creativity, culture, motivations, and intellectual capability of cyber warriors.”[2] The authors got it right a decade ago; however, there is no accompanying leadership theory. “The challenge of a general theory is that to be useful on a macro level, it must be broad and general enough to appeal on a grand scale.”[3] A new cyber leadership theory that examines cyber leadership as a model of trust, risk, and influence would address how the leader thinks, feels, and acts. A leadership theory for the cyber community should avoid generalizations while capturing the culture and essence of what leadership means for cyber leaders. A short 2018 paper, "Effective Cyber Leadership: Avoiding The Tuna Fish Effect and Other Dangerous Assumptions," discussed the assumptions, constrained thinking, biases, etc. that preclude a leader from thinking differently.[4] Leaders, regardless of the field, should understand their blind spots and biases and be able to think differently about challenging problems. Hence, a more holistic approach is needed that uses multiple perspectives.

A new framework should adopt this notion and incorporate a multi-layered approach. A 2018 conference paper, "Toward Cybersecurity Leadership Framework," was the best one related to developing a new model, yet it used the existing cybersecurity framework proposed by the National Institute of Standards and Technology (NIST) and mapped leadership theories to the five functional areas.[5] The authors identified specific leadership theories to be applied in the preparation and response stages but did not offer a new theoretical construct for cyber leadership. Their paper is an excellent start to a holistic approach, albeit limited in its framework and construction. Hence, this article answers two key questions:

1. What comprises a new cyber leadership theory or framework?

2. To what extent does a new theory/framework address how a leader in the cyber community thinks, feels, and acts?

To answer those questions, the authors employed a three-phase qualitative research design: informal questionnaires, follow-up discussions, and cross-case data analysis. A qualitative approach was used to honor the voices of leaders in the cyber community so that the data would be grounded in participants’ voices.[6] A total of 31 respondents participated (11 female/20 male and 10 senior enlisted leaders/21 officers) by answering three questions: how do you define leadership, how do you define “cyber leadership”, and what aspects are vital in defining leadership in the cyber community? Data was collected with informal questionnaires via email and in discussions to follow up on the data gathered. Data analysis involved manual coding and cross-case analysis to develop codes, categories, and themes.

What Cyber Leaders Said About Leadership in the Cyber Community

The findings are organized into four parts. Parts one through three provide a recap of participants’ answers to the three questions. Part four shows the cross-analysis of the answers.

Leadership was defined as including elements of transactional, transformational, and common objectives.

  • “Leadership is the ability to guide and influence people to accomplish a goal or objective while also facilitating their growth and development.”
  • “Bringing people together and maximizing their talent to achieve well-resourced goals/objectives.”
  • “The use of experience, situational awareness, foresight, and problem-solving ability to determine the goal of an organization, and then using influence and authority to get followers to fulfill that goal.”

Cyber leadership was defined as requiring technical expertise, assessing risk, vision, and multi-level influencing.

  • “Technical expertise” was mentioned four times.
  • “Risk/Valuing risk/Assessing risk” was mentioned four times.
  • “…must be able to lead a scale to drive organization success, develop culture and win!”
  • “When Air/Cyber force can retain and promote people like Elon, Steve or Bill, who grew up technical but had a strategic mind, it won’t matter if we put cyber in front of the word leadership.”

The aspects that were key in defining leadership in the cyber community included mission-type orders that accept, mitigate, or pass on risk for operational effects.

  • “Should have a baseline informed by experiences.”
  • “…converting upward technical/tactical details into operational effects.”
  • “Demonstrated success….by both followers and superiors.”
  • “Mission command type orders vs. zero risk” and “not being risk adverse”

Four themes emerged from the cross-analysis of findings:

  • #1. Leadership includes transactions, transformations, common goals, and adaptability.
  • #2. Requires technical expertise, assessing risk, vision, and multi-level influencing.
  • #3. Mission-type orders that accept, mitigate, or pass on risk for operational effects.
  • #4. Baseline knowledge includes technical, policy/regulations, and risk assessment.

Answering the Research Questions

Answering the research questions is best done by connecting what the leaders (study participants) said with what scholars have said about the topics under study. Leadership does include elements of transactional, transformational, adaptive, and shared/common objectives. Transactional leadership involves the exchange of valued things between people and appeals to the self-interest of followers.[7] Transformational leadership, part of the Full Range Leadership Model, captures how leaders influence the morale, values, motivation, and performance of followers toward a higher level of moral ground through four components: idealized influence, inspirational motivation, intellectual stimulation, and individualized consideration.[8] Adaptive leadership is about mobilizing people to tackle tough challenges and thrive amid problems with no solutions, in life, in organizations, and in the larger systems in which we operate.[9] Collective leadership, or leadership focused on common objectives, rallies people and their strengths and sees leadership as a role that can be taken up by anyone as part of a shared process.[10] The requirements of trusting (self) based on technical knowledge and experience, assessing risk (environment) toward accomplishing mission outcomes, and influencing (others) to accomplish common goals for organization and partners/customers are integral to leadership for self and others.[11] Technical competence, policy competence, and risk/resilience competence are inherent in leadership for and in the cyber community. Hence, a coherent and holistic leadership theory for the cyber community should encompass how the leader thinks, feels, and acts in a way that integrates the three competencies.[12]

Combining the themes from what leaders said with what scholars have been saying about leadership in the cyber community yields a new framework that integrates three competencies (technical, policy, and risk) in how a leader thinks, feels, and acts, forming a three-part framework involving trust, risk, and influence. See figure 1 for the depiction of the framework.

  • Technical competence is about trusting (self/team) based on technical knowledge and experience.
  • Policy competence is about influencing (others) to accomplish common goals for organization and partners/customers.
  • Risk/resilience competence is about assessing risk (environment) toward accomplishing mission outcomes.

Figure 1. Three-Part Leadership Framework for the Cyber Community: A Model of Trust, Risk, and Influence

Research Contributions, Next Steps, and Conclusion

The research provides eight key contributions to the fields of cyber and leadership studies and offers insights for practitioners and scholars.

  1. Empirically based insights into how and why a new cyber leadership theory/framework is needed.
  2. Extends arguments by past scholars and updates existing models.
  3. Offers a novel leadership framework, specific for the cyber community, based on participant voices.
  4. Provides the "what, why, and how" for any person to take up the role of leadership in the cyber world.
  5. In specific relation to cyber in the military, the new framework reimagines how "leadership" is understood, conceptualized, and applied regardless of the tactical, operational, or strategic level whether in cyber offense, defense, or IT areas.
  6. Potential to inform the Cyber Developmental Team on future officer leadership training and education.
  7. The new framework better enables the digital talent of cyber leaders to be postured to take up the role of leadership via trust, risk, and influence in the demanding cyber community.
  8. The new leadership framework examines leadership in the cyber community as a holistic model of trust, risk, and influence that addresses how the leader thinks, feels, and acts that integrates the three competencies.

There are four next steps to take to strengthen the framework: 1) broadening data collection with a larger participant pool, 2) defining terms based upon further data collection and analysis in relation to the literature and DOD cyber policies, particularly in relation to the future direction and guidance of the cyber force, 3) determining the specific nature of technical, policy, and risk/resilience competence, and 4) continuing to socialize the three-part leadership framework within the cyber and leadership communities.

This article showed the development of the Three-Part Leadership Framework for the Cyber Community: A Model of Trust, Risk and Influence based on the voices of leaders in the cyber community. The new model reimagines how "leadership" is understood, conceptualized, and applied, and shows how any person can take up the role of leadership in the cyber world. The new theory better enables the immense talent of cyber leaders to be postured to take up the role of leadership via trust, risk, and influence in the demanding cyber community.

 

Dr. John M. Hinck
Serving as an assistant professor at Air University with the Leadership & Innovation Institute (Air War College), Dr. Hinck teaches core courses and electives for AWC and ACSC, and teaches in the Leader Development Course (Eaker Center for Leadership Development). A retired Army Colonel with more than 22 years of service as a combat leader, two-time battalion commander, and Apache Longbow pilot, Dr. Hinck has several publications with recent ones on the strategic competition involving the Indo-Pacific region.

Lt. Col. Charles Spaulding
Serving in the USAF as a cyber leader, Lt Col Spaulding is a career officer with previous assignments as Squadron Commander in the National Reconnaissance Office, Instructor in the CSAF’s Leader Development Course, Cyberspace Weapons Officer, Warfare Center, Nellis AFB, and joint service on the Joint Staff Cyber Forces and Strategy Office. He is a graduate of the National Intelligence University and is currently in-residence at the Air War College.

 

NOTES


[1.] Simon Cleveland and Marisa Cleveland, "Toward Cybersecurity Leadership Framework" MWAIS 2018 Proceedings (Association for Information Systems, [Atlanta, Ga.], 2018), 49. http://aisel.aisnet.org/mwais2018/49; Gregory Conti and David Raymond, "Leadership of Cyber Warriors: Enduring Principles and New Directions" Small Wars Journal, July 11, 2011, http://smallwarsjournal.com/blog/journal/docs-temp/811-contiraymond.pdf; Andy Cohen, "Effective Cyber Leadership: Avoiding The Tuna Fish Effect and Other Dangerous Assumptions" The Cyber Defense Review, 3, no. 2 (Summer 2018), 47-52, https://www.jstor.org/stable/10.2307/26491222.

[2.] Conti and Raymond, "Leadership of Cyber Warriors".

[3.] John M. Hinck, "Mapping Leadership Theories to Leader Development Course Content - A First Step in Measuring Curriculum Redesign" International Leadership Journal, 13, no. 3 (Fall 2021), 152-187.

[4.] Cohen, "Effective Cyber Leadership".

[5.] Cleveland & Cleveland, "Toward Cybersecurity Leadership Framework."

[6.] Barney G. Glaser and Anselm L. Strauss, The discovery of grounded theory: Strategies for qualitative research (Chicago: Aldine Publishing, 1967); Michael Patton, Qualitative research & evaluation methods (4th ed.) (Thousand Oaks, California: Sage, 2015).

[7.] Bernard M. Bass, Bruce J. Avolio, Dong I. Jung, and Yair Berson, "Predicting unit performance by assessing transformational and transactional leadership" Journal of Applied Psychology, 88, no. 2 (April 2003), 207-218; J. M. Burns, Leadership. (New York: Harper & Row, 1978); Deanne N. den Hartog, Jaap J. Van Muijen, and Paul L. Koopman, "Transactional versus transformational leadership: an analysis of the MLQ" Journal of Occupational and Organizational Psychology, 70, no. 1 (March 1997), 19-34. https://doi.org/10.1111/j.2044-8325.1997.tb00628.x

[8.] Bernard M. Bass and Bruce J. Avolio, "Transformational leadership: A response to critiques," in Leadership theory and research: Perspectives and directions, eds. Martin M. Chemers & Rosa Ayman (San Diego: Academic Press, 1993), 49-80; James M. Burns, Transforming leadership (New York: Grove Press, 2003); Gary Yukl, "An evaluation of conceptual weaknesses in transformational and charismatic leadership theories," Leadership Quarterly, 10, no. 2 (Summer 1999), 285-305.

[9.] D. Scott DeRue, "Adaptive leadership theory: Leading and following as a complex adaptive process," Research in Organizational Behavior, 31 (2011), 125-150; Ronald Heifetz, Leadership without easy answers (Cambridge, Mass.: Belknap Press of Harvard University Press, 1994); Ronald Heifetz, Alexander Grashow, & Martin Linsky, The practice of adaptive leadership: Tools and tactics for changing your organization and the world (Boston: Harvard Business Press, 2009).

[10.] Noshir S. Contractor, Leslie A. DeChurch, Jay Carson, Dorothy R. Carter, and Brian Keegan, "The topology of collective leadership," Leadership Quarterly, 23, no. 6 (December 2012), 994-1011; Gill Hickman & Georgia Sorenson, The Power of Invisible Leadership: How a compelling common purpose inspires exceptional leadership (Thousand Oaks, Ca.:SAGE Publishing, 2014); Nathan J. Hiller, David V. Day, and Robert J. Vance, "Collective enactment of leadership roles and team effectiveness: A field study," Leadership Quarterly, 17, no. 4 (August 2006), 387–397; Craig L. Pearce, Jay A. Conger, and Edwin A. Locke, "Shared leadership theory," Leadership Quarterly, 19, no. 5 (October 2008), 622-628.

[11.] The requirements of trusting (self) based on technical knowledge and experience, assessing risk (environment) toward accomplishing mission outcomes, and influencing (others) to accomplish common goals for organization and partners/customers, which are integral to leadership for self and others, were drawn from eight sources: Kevin Cashman, "Eight principles of purpose-driven leadership, online article from success.com/8-principle-of-purpose-driven-leadership," in Leadership from the inside-out: Becoming a leader for life (Oakland, Ca.: Berrett-Koehler Publishers, 2017); Cleveland & Cleveland, "Toward Cybersecurity Leadership Framework."; Hickman and Sorenson, Power of Invisible Leadership; Hinck, "Mapping Leadership Theories"; David Horth and Dan Buchner, "Innovation leadership: How to use innovation to lead effectively, work collaboratively, and drive results" Center for Creative Leadership, 2015, ccl.org/wp-content/uploads/2015/04/InnovationLeadership.pdf; Mark Mendenhall, Global leadership: Research, practice, and development (New York: Routledge, 2018); William Mobley and Elizabeth Weldon, eds., Advances in global leadership, Vol. 4 (Amsterdam: Elsevier, 2006); Mary Uhl-Bien and Michael Arena, "Complexity leadership: Enabling people and organizations for adaptability," Organizational Dynamics, 46, no. 1 (January - March 2017), 9-20, http://dx.doi.org/10.1016/j.orgdyn.2016.12.001; Gary Yukl, Rubina Mahsud, Shahidul Hassan, and Gregory E. Prussia, "An improved measure of ethical leadership," Journal of Leadership & Organizational Studies, 20, no. 1 (February 2013), 38–48.

[12.] Cleveland & Cleveland, "Toward Cybersecurity Leadership Framework."; Cohen, "Effective Cyber Leadership"; Conti and Raymond, "Leadership of Cyber Warriors."
