You Are a Technical Type

The other scenario that I have seen in my professional career is that the want-to-be security manager has a strong technical background (maybe a former hacker) and tends to solve all the problems technically. His main priorities are things like demonstrating to the coder how the website can be abused by XSS, or how to get access to the network by hacking an old wifi router.


This is an extremely common scenario. Highly technical, “ex-hacker profile” security professionals often hit a career ceiling when moving into management because their strengths become their weaknesses:

  • They solve everything with technical fixes
  • They focus on exploits, not risks
  • They want to “hack it themselves”
  • They distrust delegation
  • They overwhelm non-technical teams
  • They don’t speak business language
  • They optimize for cool attacks, not organizational impact

This doesn’t make them bad — it makes them misaligned for leadership until they evolve their mindset.

Below is a clear, pragmatic framework for both these individuals and the companies trying to hire them.


The Two Evolution Paths for Technical Security Professionals

1. The “Hacker-to-Executive” Path (rare but hugely valuable)

This path requires unlearning habits and developing new ones.

They must shift from:

  • “Look what I can break.” → “What risk matters most to the business?”
  • “I can hack this.” → “How do I build a repeatable control?”
  • “Let me do it.” → “Let me enable others to do it safely.”
  • “Tech-first.” → “Value-first.”
  • “I found a vuln!” → “This is the impact, likelihood, and mitigation options.”

A former hacker becomes a great CISO only when they stop proving how smart they are, and start proving how safe the company feels.


2. The “Technical Specialist” Path (often better for them)

Some technical security people should not be managers — they should be technical experts.

Roles where they truly shine:

  • Senior Pen Tester
  • Red Team Lead
  • Exploit Developer
  • Threat Researcher
  • Security Architect
  • Adversarial Simulation Lead
  • Cloud Security Engineer
  • Detection Engineer

They can earn as much or more than managers without the pain of managing people or doing politics.

Not everyone needs to be a CISO.


Why These “Hacker CISOs” Struggle in Management

Common failure patterns:

  1. They fight devs and ops, instead of building partnerships.
  2. They focus on vulnerabilities, not systemic risk.
  3. They drown people in technical details that are irrelevant to business.
  4. They don’t scale, because they insist on doing instead of delegating.
  5. They avoid communication, documentation, and governance.
  6. They see themselves as “defenders”, not enablers of business outcomes.

Companies often hire them thinking:

“We need someone who understands hacking deeply!”

But they really need:

“Someone who understands the business and can prevent cyber incidents from impacting it.”

These are not the same skill sets.


Recommendations for Individuals (technical security pros wanting to be managers)

1. Learn to speak in business terms

  • Impact
  • Risk
  • Cost
  • Trade-offs
  • Opportunity cost
  • Operational impact

Without this, you're not a manager — you're a technical SME with a title.


2. Stop hacking everything yourself

A leader’s job is:

  • Prioritization
  • Governance
  • Resourcing
  • Delegation
  • Strategy

Not proving they can still pop a shell.


3. Develop diplomacy

Security is 50% psychology, 30% communication, 20% tech.


4. Learn architecture, not exploits

You need to know how systems are built, not just how to break them.

Executives care about systemic weaknesses, not individual bugs.


5. Shift from “security guru” → “organizational force multiplier”

Ask:

  • How can I make 300 engineers more secure through process?
  • What guardrails will prevent the next 50 mistakes?
  • How do I make secure defaults effortless?

That's leadership.


Recommendations for Companies Recruiting Technical Security People Into Management

1. Clarify the role: “Technical leader” vs “Security manager”

If you want a manager, state:

“This job is 70% communication, risk management, strategy, and influencing — not hacking.”

If they want to hack, they will self-select out.


2. Evaluate soft skills, not just technical skill

Check for:

  • Conflict resolution
  • Presentation skills
  • Prioritization
  • Stakeholder diplomacy
  • Understanding of business constraints
  • Ability to simplify complex topics

A strong hacker with poor communication is a risk.


3. Provide a dual career path

Avoid forcing people into management for career progression.

Offer:

  • Principal Security Engineer → deeply technical OR
  • Security Manager / CISO track → less technical, more strategic

This reduces mis-hires dramatically.


4. Give them coaching and mentoring

Especially:

  • Executive communication training
  • Leadership coaching
  • Risk management courses
  • Shadowing a senior CISO

You can turn a hacker into a CISO — but only with structured development.


Bottom Line

A technical “hacker”-type security expert can become a fantastic security leader — but only if they shift their mindset from “breaking things” to “building a secure organization.”

If they don’t want to make that shift, then the healthiest path is for them to become a top-tier specialist, not a manager.

Both paths are equally honorable — but mixing them creates frustration for both the employee and the company.