Applying my management ethos and building high quality teams in Cybersecurity by Bill Hau (guest)

Shared with permission from HPH publisher and the author, this is an extract from Born 2 Hack: A Journey into the World of White Hats, Chapter 2: There’s no one way to do this. This piece shares how Bill Hau describes his coaching approach as ‘Manager as coach’ in his work.


My management ethos

I’ve honed my style of management working in mature organizations, major cybersecurity firms, startups, and smaller companies. The pool for cybersecurity experts is already quite small, and building a team of high-quality talents who are both intrinsically motivated and technically competent means I must tailor my leadership style to work with each of them.

  • From my days at school till now, one of my core principles that underpins my management philosophy has always been to learn from, and apply the best qualities of, every person I work with. Whether it’s giving one-on-one constructive feedback (not “shaming and naming” in a group), rolling up my sleeves to jump in and get things done rather than ordering commands, having my consultants’ backs and not throwing them under the bus in front of clients if something goes wrong, or reducing the amount of office politics, I try to acquire and use positive behavior and be a good example to others around me. It’s all about the team and not the individual. We all have positive and negative qualities, and I’ve learned to focus on someone’s best qualities and make sure each team member’s strengths fill a gap and are congruent within the team.

  • The second core principle I try to instill in the managers I work with is that we work for the consultants and our employees. We don’t work in a traditional pyramid where I’m the general who sits at the top and my underlings do everything I say. That’s normally what you get in mature organizations where politics sometimes trumps employee well-being and development. Instead, I develop an inverse pyramid where I believe our job as the manager is to make sure consultants and employees have all the tools they need and that they’re well looked after. When this type of setup is done well, it infuses loyalty and becomes part of the organization’s mission and culture.

  • This leads me to my third core principle: I have a flat management style, with no hierarchy in the teams I build. There are no sacred cows or politicking like you might see in other industries. Anyone—from a first-year graduate to a brilliant expert—can walk into my office and tell me I’m an idiot and I’m doing things wrong. Then, it’s up to me to justify my reaction and my decision. Cybersecurity moves in such a fast environment that I have to quickly assess what someone on the front line defending against attackers is saying before I make what must be a swift decision on how to proceed.

    A siloed management structure, or one with multiple barriers, doesn’t work in our environment. An open communication channel can disseminate information to all the consultants so they can react quickly. This makes consultants feel safe to do their work or come to me with any issues. In cybersecurity, information is not power; it is an asset that must be shared, so I share everything unless it’s something strategic or confidential. When we all communicate clearly and transparently, everyone should understand the decision-making process. We can, therefore, focus on our collective mission, whether it’s facing the enemy and dealing with an attack or facing the client and ensuring we do a great job. Where there’s transparent leadership, everyone can succeed.

Lastly, I believe that you shouldn’t be afraid that people may be more intelligent than you. Someone on my team who is smarter than me doesn’t diminish my value, but rather, makes them someone I can learn from. And I want to hire and learn from the best. So, I tell consultants and teams I lead to always try to hire people who are smarter than they are.

It’s all about building high quality teams

This work requires nurturing and building teams and supporting them through their career progression. One of my core responsibilities is hiring and building teams where there aren’t any. First, I find the talent—from referrals and networking—and recruit them to join me in my mission. Once they’re hired, the fresh pool of talent needs to become melded into one team, one culture, one philosophy of thinking. It all gets done very quickly. Then, they’re technically enabled to do their job, no matter where they live. The majority of new hires work from their home country. Recent college graduates are encouraged to visit the office environment, especially if they’ve had little corporate experience. New hires with at least five years of experience are more likely to start working remotely, but that depends in part on their maturity level. They must demonstrate their raw baseline talent before receiving the intensive methodology, tooling, and culture training that will enable them to work as one team from anywhere.

When you hire people from all over the world with different philosophies and from different educational systems, you sometimes have to break down cultural barriers so they can work together. If I hire someone in Australia and another in Norway, they have to be able to work cohesively while under pressure. Does managing different people in different time zones get challenging? Yes, it does. It’s challenging, and someone always loses out. Either the Australians will lose out or the Norwegians will. And as the distance between a head office and the geographic location of a remote worker grows, the communication level dramatically degrades, and people from both remote locations will, at some point, feel cut off from the mothership.

One of the keys to successfully managing a team is making yourself available to them.

My team-building methodology is usually structured, but because I’m in a fast-paced startup environment, something occasionally slips through the cracks. It’s not like working for an IBM where there are multiple bodies, departments and a large pool of resources. When I’m switching hats between setting up teams, proving results, and training new hires, a lot of things happen at once.

Our current industry environment makes it fairly easy to find “a seat on the bus.”

  • If you’re technically strong but don’t have soft skills, you’ll have an easier time than if you excel at soft skills but have little to no technical talent.

  • If it’s the latter, you’ll still find a seat, but there will be fewer choices available.

This is an important distinction to make because in a dream scenario, every team member is well-rounded and possesses all the skillsets, especially on the consulting side, which involves dealing directly with clients. Who wouldn’t want everyone they hire to have strong technical skills, be great with clients, perform detailed quality assurances, be able to travel, and be available to work no matter the time zone? I know I would. But I’ve found in building teams that the junior members are highly technical and have less management and soft skills, so they need nurturing and training in those areas. It’s also easier to build on their raw technical talent and train them into management roles than it is to turn those with strong soft skills into technical specialists.


To connect with Bill Hau


Bill Hau is truly passionate about defending the innocent from all the bad that is out there in the cyber world.

He has spent the past decade immersed in the field of information warfare: assessing/breaking into computer systems and helping governments and organizations defend themselves from massive sustained cyber-attacks. His mission has taken him all over the world working with different cultures across many geographical/political boundaries. He has led incident response teams for attacks perpetrated by a variety of threat actors, including nation states, organized crime groups, as well as hacktivist groups. Many of these attacks have been reported in the world’s press.

His management experience includes building and training teams on a global scale, for organizations such as Cylance, Mandiant/FireEye, Foundstone, IBM, Internet Security Systems, and McAfee/Intel.

Bill has taught and presented at many venues worldwide, including universities, corporate headquarters, government facilities, and Black Hat (Las Vegas).