Public-Sector CISO

The Day Your Team Stops Waiting for You

A State CISO on why the hardest leadership skill isn't decision-making. It's making yourself unnecessary in the right moments.

Jason Walker

6 min read

Here is a question I ask new hires in my first one-on-one with them: "What would you do if I got hit by a bus tomorrow?"

It sounds morbid. It is also the most honest diagnostic I have for whether someone understands their own authority.

Most people freeze. A few give me a list of tasks they would escalate. Very rarely does someone describe a decision they would make independently. That gap, between task execution and independent judgment, is where most security programs quietly fail. Not during the incident. Long before it, in all the ordinary moments when nobody was building the muscle.

I run cybersecurity for a state government. Dozens of agencies. Hundreds of thousands of devices. A small team with significant authority and almost no margin for organizational chaos. If I disappear for a week, the work cannot stop. If I am wrong in a meeting, someone on my team needs to be able to say so. If an agency calls at midnight with an active threat, my people have to move without a permission slip from me. That is not an aspiration. It is a functional requirement of the job.

The problem is that most leaders, even well-intentioned ones, accidentally build dependency.

It happens through small choices. You answer the question your analyst was about to answer himself. You walk into the meeting your team lead was handling fine without you. You reframe the agency's concern in a way that implies your framing is the correct one. Every one of those moments feels like helping. From the outside, it looks like engagement. What it actually does is slowly drain your team's confidence in their own judgment.

Aviation safety culture understood this problem decades ago. The discipline builds something called crew resource management into its training. The principle is simple: the person with the most authority in the cockpit is not automatically the one with the best information in a given moment. So you build explicit norms around speaking up, around challenging a course of action, around the co-pilot being trained and culturally permitted to say "I don't think that's right." The hierarchy does not disappear. But it does not suppress the signal it needs most.

Security organizations rarely build this deliberately. We promote technically strong people into leadership roles and assume the cultural norms will follow. They don't. What follows instead is a team that executes well when the CISO is present and hesitates when the CISO is not. That is not a team. That is a well-staffed dependency.

The practical fix is not the Socratic method, though asking good questions helps. It is something more structural. You have to stop being the best deal in the room.

Here is what I mean. In most organizations, when someone escalates to the CISO, they get a better outcome than they would have gotten from the security analyst or the team lead. The agency gets more flexibility. The exception gets approved. The timeline gets extended. And everyone, consciously or not, learns that escalation is rewarded. So they escalate. Every time. For everything.

Flip that. Make escalation to you the option that produces the least flexible outcome. Not because you are being punitive. Because your staff, when properly trained and empowered, should already be offering the best reasonable decision. If they are coming to you, it means they held something back. And you need to understand why.

I tell my team directly: if you bring a problem to me that you already know how to solve, I am going to ask you what you think, and then I am going to agree with you, and we will have both wasted fifteen minutes. Bring me the problems you actually cannot resolve. Bring me the judgment calls where the authority you have is genuinely insufficient. That is the work I should be doing.

This reframes leadership as a circuit breaker, not a junction box. The current should flow through the organization without needing to route through me. I only enter the circuit when something is genuinely breaking.

The harder version of this, the one that takes longer to build, is training people to tell you when you are wrong.

I do not mean tolerating dissent in a general way. I mean building specific, repeated experiences where your team sees that challenging your thinking produces a better outcome and that you actually update your position. This is not natural for most organizations. Government especially. There is a strong norm of deference to the person with the most title in the room. That norm will get your agency breached, because the person with the most title is also the person with the most meetings, the most partial information, and the most political exposure shaping their instincts.

My deputy has standing permission to tell me I am wrong, publicly, in front of the room, without softening it first. I have told her this explicitly. The reason is not that I value being challenged for its own sake. The reason is that she often has information I do not have, and I would rather be corrected in the meeting than validated into a bad decision.

Building this takes longer than six months. It takes demonstrated consistency. Every time a team member challenges a call and gets a genuine, non-defensive response, the muscle gets a little stronger. Every time someone speaks up at 2 a.m. with an incident unfolding and says "I disagree with the isolation approach" and you actually stop and listen, the team learns that voice is an asset, not a liability.

The bus test I described at the start? I give it to new hires, but I also give it to myself.

What decisions am I currently making that someone on my team should be making without me? What meetings am I attending where my presence is suppressing better judgment? What conversations am I having that I should have already delegated, permanently, not just for this week?

The State CISO role carries real statutory authority. That authority is not threatened by distributing judgment to a well-trained team. It is multiplied. The program does not scale through my personal attention. It scales through a dozen people who have internalized how to think, not just what to do.

When your team says "we handled it" before you knew there was something to handle, that is not a sign that you are redundant. That is the job working.
