A Discussion with Melbourne, Australia’s, Thomas Leen: “Building Trust is the Foundation to a Healthy Work Environment”


Thomas Leen

1. Can you please tell us a little bit about yourself and your professional background?

I am a computer engineer by qualification and have worked in technology for close to 29 years. Having lived the early part of my life in western Africa, I was fortunate to have a career in IT that took me to almost every continent in the world and I have lived and worked in the Middle East, Africa, Asia, Australia and USA. This allowed me to experience and appreciate different cultures and traditions. From a technology perspective, during the initial years of my career I used to work on Unix systems and networking technologies such as token ring that are obsolete today. Along the way, I also held several industry certifications and progressively worked through most technologies that evolved. A big breakthrough in my career came when I was assigned a role that involved building LAN/WAN solutions to securely connect multiple offices in the emerging markets region of a large multinational company.  

I started my career as a programmer and then transitioned to hardware and network engineering. During the late 90s I got the opportunity to work in a major telecommunication multinational corporation. This is where I got my first exposure to Information Security as part of my role to protect the company’s sensitive electronic data such as product designs and blueprints. Six years later in 2003 I got my CISSP certification. Information and cyber security at various levels have been part of my accountability since then. In 2006 I got the opportunity to join the automotive industry where I worked for the next 10 years in various global roles covering Infrastructure, Operations and Cybersecurity. One of my key achievements in this company was the successful development and execution of a next generation Cybersecurity transformation strategy that successfully implemented a global cyber and information security capability globally. After 10 years in the automotive industry I got the opportunity to join a major organisation in the resources sector as their first CISO, to help transform their cybersecurity capability and build a team of world class cybersecurity professionals that I was then fortunate to lead. I have a passion for cyber and have successfully designed and executed multi-million-dollar cybersecurity transformation programs.

Outside of work, I enjoy helping people in need and those who are less fortunate than myself. That makes me appreciate how blessed I am and helps put things in perspective.

2. What does your typical day look like and how do you make it productive?

My typical day starts by scanning through my emails and preparing a prioritized list of actions that I need to get through during the day. Once I reach work I try to go through the planned actions as best as I can in between various phone calls and meetings. I must admit, I don’t always get to finish everything in the plan for the day. Due to the operational nature of my job, I usually end up spending a lot of time addressing unplanned issues and problems. A productive day for me is one where I have closed all the planned actions for the day, and more.

3. How do you successfully create and lead high performance, multi-cultural and geographically dispersed global teams?

There are several factors that drive performance of a team. Right size, Trust, Diversity and Cultural awareness are some of the key factors. 

To have a high performing, multicultural global team, deliberate efforts are to be put in to build a team that is small enough for team members to know each other and build trusted connections and have diverse strengths that complement each other.

Team culture drives performance. Hence focus on building a positive team culture is important. One cannot teach a fish to fly. Therefore, acknowledging that people have different strengths, and focusing on assigning roles that are aligned to one’s strength is very important. I think this is the hardest one to manage, because as leaders you also want to help people come out of their comfort zones and stretch. There is no one right approach. What is right depends on what the mission of the team is. Clarity on mission is an important factor too. 

In my opinion, trust among team members is a foundation to a healthy work environment. There is no one way to achieve this. It’s the ‘hundred things’ we do that result in that outcome of a positive and trustful culture. Building a team culture where failure is accepted and not frowned upon is very important to build a culture of innovation. 

Research out there shows that a diverse team is more productive. When forming a global team, it is important to ensure that every member of the team has an appreciation for cultural difference. This is one area I have seen many good people struggle with. People tend to associate diversity with gender, but there is more to diversity than just gender. For example, diversity of strengths helps team members complement each other.

So, having a right sized, diverse team that has built trustful relationships, appreciates cultural differences, and has shared goals is the key to building high performance global teams.

4. Can you explain what global follow-the-sun IT operations is?

IT Operations is about “keeping the lights on” for critical IT systems. Operations roles are 24×7 in nature, meaning some people will have to work night shifts. In a follow-the-sun operation model a globally dispersed team will have members working during their regular day time. When they leave for the day, their colleagues on the other side of the world would have started their day and taken on the role. Global companies that have a presence in different time-zones around the world can take advantage of this possibility. Most people are more productive and alert during their daytime compared to night hours. So, a follow-the-sun model allows us to have people working during their daytime, and be more alert and productive. This also helps with work-life-balance, as people can go home to be with their families during the evening, thus enabling better quality of life, arguably.

5. What considerations go into designing and building a global Cyber Security transformation program?

Goal of transformation is to build a cyber-aware culture in the company where cybersecurity is seen as a business risk and have effective controls embedded into ways of working. Many companies still view cybersecurity as a technology problem as opposed to a business risk.

Understanding the priorities for the business and key risks that can impact the organization is the first step. There is no one size that fits all options for this, and the steps needed will vary depending on the maturity of risk management and the culture of the company. Developing a good understanding of business risks and the company’s strategic plans is the first step. Having conversations with key business leaders in the company to understand what keeps them awake at night so to speak is a good starting point.

If the company does not have an established enterprise risk management program, then that needs to be addressed as part of the transformation and must include getting management endorsement and alignment for an appropriate cyber risk appetite. Meanwhile, we can still make progress by focusing on a maturity-based approach and have a program that builds and matures controls aligned to an industry framework such as NIST-CSF. In my opinion, this is the best approach to take in the absence of a good risk management framework or culture in the company.

Next, we need to understand the key business processes that support that business unit, and associated technology and systems that support those processes. Effective cybersecurity is an outcome of people, process and technology working in tandem. As such, any cybersecurity transformation must include initiatives that address aspects of people and culture, assessments of process risks and technology risks around key business processes, and then establishing suitable controls. There are cutting edge cyber security technology solutions in the market these days. But they are only as good as the associated processes and the people and skills around it.

From a technology perspective, one should start by identifying key hardware, software components associated with business-critical systems. Efforts also need to be put towards identifying any regulatory compliance obligations. Almost always there will need to be a culture diagnostics and initiatives around improving the cyber awareness of the company’s workforce, including management.

Other typical considerations would include identifying key talents and their locations, sourcing decisions such as outsourcing vs insourcing. To ensure that the cyber program is based on deep risk analysis supported by cyber threat intelligence, a key component of an effective cybersecurity program these days is the need to build partnerships. Identifying who those partners are should be a deliverable of the transformation program. Other considerations include building frameworks to build new technology capabilities “secure by design” and ensuring operations strategies include requirements to maintain cyber hygiene of the IT landscape e.g. ensuring that there are requirements defined for patching product vulnerabilities.

Last, but not the least, the transformation program must build an appropriate governance framework as well as a metric and reporting capability that allows business leaders to easily assess the cybersecurity exposure of their business unit. An effective metrics and reporting capability typically will include fit for purpose metrics and reports for different audiences, including board level reports. These metrics will need to be integrated to the organization’s risk reporting framework with appropriate key risk indicators identified and reported. As risk management culture embeds and matures across the company, business risks need to be assessed to establish if a cyber incident can be a cause for that risk to materialize. This way the cybersecurity program evolves to be risk-aligned as opposed to driven by control maturity. It will still be important to ensure that the currency and effectiveness of controls are continued to be maintained.

A sustainable cybersecurity transformation will not happen overnight. It takes time and how long it takes will depend on the company, its culture and the level of management support and engagement in the program.

6. What technology do you use on a daily-basis and how does it make your life easier?

Not a lot actually. I rely heavily on a tablet device for most of my work email and calendar. I also use video conferencing and collaboration tools. I think there is an overdose of technology for the average person and there are so many fragmented solutions.

7. In the 28 years you have been in the Technology industry, what have been the biggest changes and how did you overcome these changes?

Many things have changed during that time. Industrialization of the internet and the evolution of mobile devices are a few. But the biggest change has been the approach to security. Back in the days, it was about securing the perimeter. Today there is really no perimeter. Data or identity is the perimeter today. There is also the evolution from traditional IT Security to Information Security to Cyber Security to now Digital security! Staying abreast with the evolution of technology trends and adapting strategies has been a continuous learning exercise. So, the biggest change for me, was to evolve our approach to securing the business, when the threat landscape continues to change at a rapid pace. The other change is also the asymmetry of resources, with the evolution of new types of threat actors, such as nation states.

8. What is the biggest challenge that you face in your career?

There are many challenges that come to mind. But the biggest I think is understanding what strategies would be appropriate to drive a culture of cyber-awareness in a global organization. Experience taught me that culture initiatives are best designed and delivered locally. A broad-brush global approach is unlikely to deliver expected results consistently across all geographies. Second challenge is keeping pace with the advances in technology trends and educating myself about it and any risks associated with it.

9. How do you motivate others on your global team that are not in the same geographical area as you?

Advances in technology these days have made it much easier to work seamlessly across geographies with video calling and other collaboration tools. Even then, not everyone is wired to operate at their best when working remotely. It does however develop over time for most people. Fostering a team culture that is sensitive to time-zone differences is an important step that builds an inclusive culture and supports remote team members to adapt easier. It is also very important for leaders to set the directions and empower remote team members to make their decisions required to execute locally in their locations, and not micro-managing them is key to developing trust and enabling remote team members. Also, having regular team routines to discuss key directions, strategies and ensuring remote team members are included in key decisions and clearly understand the rationale for actions taken is important to keep remote teams motivated. Effectively working remotely is equally challenging for the team leader as it is for the team members. One helpful tip that has worked for me is to use video calls whenever possible.

10. What is one piece of advice that has always stuck with you?

It is one I heard from a mentor about 20 years ago. He said everyone has good intentions and will try to always do their best. But often they may not always have the skills, knowledge or the right tools required. We can achieve great things as a team if we can help each other to succeed.

That advice stuck with me over the years and it helped me think outside of my own box and go the extra mile to help others in need and build trusting relationships. It has worked well in both work and personal life. A word of caution though: not everyone appreciates an offer of help. Some people can be demanding and have a sense of entitlement. This can be very hurtful. But that has never stopped me from continuing to help others.

11. What advice do you have for anyone trying to build a career in Cybersecurity?

Start by understanding the business, key business priorities, challenges and risks. Focus less on tools. Be resourceful. Recognize that you will never have all the resources you need to get the job done. Pursue self-education opportunities. Always do the right thing, and never use your skills to do anything unethical.

12. What trends in your industry excite you most?

Artificial Intelligence and Machine Learning. When used ethically, I believe that these technologies have the potential to significantly improve the quality of life of people living with certain medical conditions. It could also help the sick and elderly people in our communities to live independently. I am also closely watching developments in quantum computing and how cyber security solutions evolve to face that challenge.
