Common Mistakes New InfoSec Leaders Make (and How to Dodge Them Like a Pro)

I had lunch last week with a friend who just landed their first-ever leadership role in InfoSec, and not just any role, a leadership role. They’d been promoted from lead security engineer to head of security, at a company that’s never had a separate formal InfoSec leader before. The company had grown, and security had been intermingled with IT; now they wanted a little separation in the programs, but still overseen by the CIO. Over tacos and mild panic, they confessed, “I know how to secure a network… but I have no idea how to lead the security team.” And let me tell you, that’s more common than you’d think. Climbing from the keyboard to the conference room is a major leap, and it comes with its own set of pitfalls. So, if you’re a newly minted security leader (or mentoring one), here are the five rookie mistakes I cautioned him about and how to avoid face-planting into the firewall.

1. Going Full Tech Mode, All the Time

The Mistake: Leading like you’re still the lead engineer. You’re deep in the weeds of tooling, scanning outputs, and trying to rewrite the SIEM rules yourself.

Why It’s a Problem: While being hands-on shows you know your stuff, you’re now responsible for enabling a team to succeed. If you’re neck-deep in logs, you’re not looking up at the bigger picture like managing risk, aligning with business goals, or, you know, actually leading humans.

The Fix: Delegate technical tasks where possible. Focus your energy on strategy, communication, and mentoring. Empower your team to do the work with you, not around you.

2. Acting Like the Security Sheriff in Town

The Mistake: Walking in like a cowboy with a badge and a shiny new security policy, ready to lock everything down.

Why It’s a Problem: InfoSec isn’t about control; it’s about collaboration. Alienating other teams (IT, legal, devs, even HR) by enforcing security through fear and restriction is a fast way to get ghosted in meetings and ignored in practice.

The Fix: Build bridges, not walls. Treat your peers like partners, not suspects. Ask questions, listen, and design security with the business, not against it.

3. Ignoring the Human Side of the Job

The Mistake: Treating your team like security tools with usernames.

Why It’s a Problem: Burnout, turnover, and disengagement are real threats, and they can’t be patched with a firmware update. If your team doesn’t feel heard, seen, and valued, no amount of threat hunting will save your retention stats.

The Fix: Learn to lead with emotional intelligence. Check in. Say thank you. Recognize wins, big or small (and mean it). People protect what they feel connected to, including each other.

4. Trying to Win Every Fight

The Mistake: Thinking your job is to say “no” to every risk and security exception request.

Why It’s a Problem: You’re not just protecting systems; you’re enabling the business. If you become the “Department of No,” people will work around you. Quietly. And dangerously.

The Fix: Say “yes, if…” more often than “no.” Look for ways to manage risk, not just avoid it. Be the person who finds a secure path forward, not a dead end.

5. Skipping the Storytelling

The Mistake: Throwing data at the leadership/exec team like confetti and expecting them to be impressed.

Why It’s a Problem: CISOs and security leads don’t just secure the company — they sell the security mindset, and nobody wants to buy what they don’t understand. If your board deck reads like a SIEM export or your metrics don’t connect to business impact, you’re losing the plot (and probably the budget).

The Fix: Learn to tell stories with your data. Show how vulnerabilities tie to risk, and how risk ties to revenue, reputation, or regulation. Translate your technical outcomes into business impact. And for the love of all that’s encrypted — drop the acronyms when you’re talking to the C-suite. Yet don’t go all doom and gloom on them either; there is an art to communicating security concerns, and it’s different for every company.

Now this isn’t a complete list of the things we talked about, but these are some of the themes I mentioned to him that build the foundation of a good InfoSec/CyberSec leader. I figured there may be someone out there in the same boat, and this conversation makes a great social media post. I did check with him before writing this, despite not mentioning any names (as I assume some might be able to figure out who he may be).

Being a first-time security leader is tough, but it’s also one of the most rewarding roles in the organization. You’re shaping not just systems, but culture. Avoiding these early missteps can set the tone for a high-performing, resilient, and respected security team. So take a breath, lead with purpose, and remember: the biggest threat you face might be forgetting to lead like a human.
