One of the biggest problems I have seen in security leaders is a total lack of confidence. Many feel that they have 'blagged it' into their roles. They admit that they have a loose idea of what to do (based on the perfect world of the cert industry) but no idea how to do it. Plagued by doubt, they cling to compliance or IT shit that they at least understand. This doesn't do anything for their confidence as they realise that it's all imperfect. Does that sound familiar to anyone?