Cyber security is an ever-changing and important part of any business. However, boards often don’t hire cyber security professionals who understand the risks or the technology as CTOs and CIOs. These roles often go to accountants or candidates with corporate backgrounds who have no knowledge of technology or cyber security. Yet this is the biggest mistake any organisation can make. The ‘cyber leader’ will set the tone for the entire organisation, and having a good one can help an organisation in the following ways.
Retention of technical staff
Retention among technical staff is notoriously poor, with even CTOs having an average tenure of just 14 months. It is important that the cyber leader has strong experience in the industry because if your cyber employees do not feel that they have a competent leader, they will not be inspired to stay and make things better. It is a candidate’s market and there are always other places for cyber employees to go. So, as a cyber leader you should be constantly focused on the morale and satisfaction of staff.
Effective risk management
Strong cyber leaders have a very good technical understanding of risk management and current threats. Companies that are trying to mitigate risk will always have a better chance of doing so if the cyber leader can predict what is going to happen and see the costs as investments rather than outgoings. Sometimes the cost of a new program or approach can be seen as prohibitive to an organisation, but the cyber leader should look beyond that to the long-term benefits and make an informed decision based on risk versus reward. If the leader is not ‘informed’ or experienced, it is more than likely they will make the wrong decision and fall back on their financial training, which would suggest they should not spend the money.
A good cyber leader will embed Information Assurance (IA) and cyber security at every level of an organisation. They will make security everyone’s collective responsibility and the result will be a force multiplier for the organisation. When security and IA are considered either during a project build phase, or worse, at the delivery point to go through a compliance gate, organisations run the risk of the project not being compatible with their cyber security needs, and so have to begin designing again. Unknown security requirements will be raised which force the organisation to either ignore them or stop and rework. Either option is going to increase cost through lost time and effort, or through the inevitable security breaches that will follow once the system goes live.
We live in a world where not a week goes by that we do not see a large breach of a well-known service. Often millions of personal records are lost from one data breach. At best the reputation of the company is badly damaged, and fines need to be paid. At worst, the company will cease to exist. If a security culture is not adopted within an organisation, breaches will occur, and the fallout can be catastrophic.
With this considered, a cyber leader must be able to communicate the risk and reward model to the rest of the board and share it more widely throughout the company. It is important that everyone in an organisation understands the key risks they have to manage, and how the organisation intends to approach them. One of a cyber leader’s key attributes is the ability to communicate with their technical staff on their own level. Furthermore, they must be able to foster a culture of security within the entire organisation by making IA and cyber security part of the “DNA” of the organisation.
Companies can succeed against threat actors that wish to do them harm by making security everyone’s responsibility, and everyone at the organisation should look to improve their own security while at work. Cyber leaders should look at standards as a minimum and strive for a higher bar. The criminals are also looking at those standards and know what companies will be doing to meet them.
Organisations need good cyber leaders to say no when appropriate, and help stakeholders understand what needs to change. As the cyber leader, they are the expert and know the importance of a good cyber security strategy in the landscape of the company. Being aware of and reactive to cyber threats is vital to the success of modern companies, and assigning a knowledgeable cyber leader can save companies money and improve their reputation. It is important, now more than ever, to have a cyber leader at the top table, guiding the overall strategy.