Cybersecurity Leadership in a Transforming World
Cybersecurity Leaders reside in an exceptionally important role to ensure that an organisation, and the digital economy as a whole, can survive and thrive as it pursues new opportunities and creates never-before-seen value in the world. They facilitate innovation and growth on one hand and people’s rights and safety on the other.
That’s what differentiates a Cybersecurity Leader from a Technician: it is the bigger view, that we are all called and positioned to make decisions and take actions that are so much bigger than ourselves, or systems, or our organisations.
Five Core Beliefs
As a Cybersecurity Leader, I have five core beliefs about cybersecurity that guide me and how I lead:
1. We can do this. There is reason for the hope that we can get ahead of the cybersecurity puzzle. There is a path, a process. And if security for an organisation is a process, then it is a process for people, too, including security professionals. We will never be secure, but we can be securing effectively.
2. Security, like safety, is an emergent property of a system. We could secure each technical element in the technology stack, but we will not have secured the system. An oft-overlooked element to each and every system is the people. The systems we are securing are inherently social-technical, which means that the people and the processes, as much as the technology, must be aligned in purpose for the system to become secure.
3. Threats are omnipresent. Every device connected to the Internet is at every moment attacked by multiple, unrelenting, independent, and unrelated threats all the time. In this type of situation, the specific threats no longer matter. Like a deep-sea submarine, organisations operate in an inherently hostile environment. The focus should not be on how dangerous water can be, but rather on the ability of the submarine and its operators to get the job done and safely. The same goes for organisations.
4. A Cybersecurity Leader’s job is to align cybersecurity and the business with each other. Both the technical teams and business leaders need to support each other to ensure that there is alignment between people, processes, and technology, and the business culture, strategic goals, and available resources. Only when there is alignment does security emerge from a system, a department, or an organisation. The Cybersecurity Leader is the catalyst for this alignment.
5. Cybersecurity Leaders require faith in the future. While the organisation can never assume that it is doing everything properly and that it has solved the cybersecurity puzzle, it has to function as though it is solving it. It is that optimism that needs to be communicated at all times. The optimism that we can do it.
What We Need
Unfortunately, many cybersecurity professionals are pessimistic, with all-or-nothing mentalities, a dogmatic sense of compliance, and a focus on technological elements and the latest threats. That gives the profession an impression of being a group of inflexible technicians who are out of touch with what the business needs, at best, and a barrier to success, at worst. The “Department of No!” instead of the “Department of Go!”.
What we need are Cybersecurity Leaders who see the bigger picture, who adopt systems-level thinking, and who can align technology with the purposes for which that technology was employed. Yes, we need more people with more technical skills. A lot more. But that will only address the technology specialism part of the puzzle. The rest of the puzzle is people management and business management. And you do not need to be a cybersecurity expert to tackle that puzzle. Until technology, people, processes, culture, strategy, and resources align towards a common goal, we will forever be firefighting and instead of building a secure and vibrant digital future.