Role of the Cyber Leader in Times of Crisis

by hr forhad

As we face this global pandemic together, we are witnessing some truly great leaders in action. Simultaneously, this situation is revealing some truly unprepared leaders, and a cybersecurity leadership curriculum is more important than ever.

In this unprecedented time, emerging leaders can learn what it takes to be truly great, both from the leaders who are succeeding and from those who are struggling. One lesson (hopefully) being learned is that successful leadership is grounded in preparation for change, not based solely on the reaction to it. Cybersecurity leaders have perhaps learned this lesson more than other business leaders over the years. To understand why, a bit of background is important.

The Background: From Risk Manager to Cyber Leader

The role of any cybersecurity leader is to enable business operations while preparing for the prospect of risk. Part of this work is ensuring business continuity when a risk becomes realized. Not too long ago, cyber threat was not counted as a risk at all. At that time, the focus of risk leaders was enabling business continuity if and when a natural disaster like an earthquake, tornado, hurricane, or even a pandemic threatened daily operations and services to customers. Additionally, risk leaders needed to mitigate the negative implications of physical risk, theft, and the occasional sabotage. As technologies, the way work is conducted, and user expectations advanced, risk leaders and business managers realized the need to prepare for and respond to privacy threats, which now include compliance regimes such as HIPAA. Extending responsibilities even further, they have become focused on threats against networked devices and personal devices connected at work and at home, including social mobile applications and cloud-enabled solutions, as well as the Internet of Things. All of this responsibility describes the cybersecurity leader today, not the forecast of what’s next.

Along the journey, the role evolved from risk manager to chief information security officer (or trust officer, privacy officer, or the like), and it became the leadership role responsible for protecting and defending against what the National Institute of Standards and Technology (NIST) refers to as the “world of threats.” This includes everything noted above and more, such as website defacement, cloud-based data storage, defending against denial-of-service attacks, data scavenging attacks, wireless sniffers, unauthorized user access, any compromise of mission-critical information, and specific attacks including phishing, malware, eavesdropping, AI-powered attacks, and, generally speaking, people. All that to say, a lot has changed in a relatively short amount of time—and certainly more change is on the horizon.

Just a couple of years ago, no one was forecasting 2019 to be “The Year Ransomware Targeted State and Local Governments,” but that is exactly the label placed on last year, according to GovTech magazine. Thinking back on the year, you will likely remember that the Louisiana state government declared a state of emergency after a cyberattack. New Orleans did the same after their attack. Twenty-two towns, cities, and counties were hit with a sophisticated coordinated ransomware attack in Texas. Of course, there was the now-famous hostage situation of the city of Baltimore due to a ransomware attack. Two cities in Florida were also held hostage within a week of one another due to ransomware, and big payments were made. The list goes on and because of the level of such disruption to government business—and the fact that two-thirds of all ransomware attacks in 2019 were targeting state and local government—CISA, MS-ISAC, NGA, and NASCIO came together in July 2019 to broadcast the list of three critical recommendations regarding cybersecurity: (1) Back up your systems daily, (2) Reinforce cybersecurity awareness and education, and (3) Revisit and refine cyber incident response plans. A great list for any cyber leader, but as the great leaders know, there is a capability gap between knowing what to do and how to do it—how to align people, processes, and technologies to get it done and to be prepared.

Aligning People, Processes, and Technologies

To address the growing needs of business since the 1970s, cybersecurity has risen through the hierarchical ranks to earn a place at the executive table within many organizations. Components of modern cybersecurity can be found in the disaster recovery planning for physical infrastructure, such as roads and bridges; in business continuity and security planning for manufacturing organizations; and in the first versions of internet virus and malware mitigation strategies, which is where “cyber” was added to risk and security management. Today cybersecurity encompasses an ever-expanding collection of connected services, emerging technologies, application tools, and undefined or unseen threats that can destroy an organization with the click of a mouse. The modern cybersecurity officer must ensure privacy compliance and auditability, network capability, cloud everything, social apps, team apps, personal apps, and organization data on personal devices, and must support an ever-increasing array of complexity.

Today’s cybersecurity leader must also understand how and where cybersecurity fits into the overall organizational structure, where to say yes and where to say no, without always defaulting to no. Moreover, a cyber leader needs to be proficient in budgeting, balance sheets, human resources, project management, and other organization processes or functions in order to craft the story that conveys how cybersecurity enables every other organization function and to secure the necessary funding to make the security magic happen. In other words, cyber leaders must understand the business from their business partners’ (and users’) perspectives in order to best align people, processes, and technologies that enable their work in protecting and defending the business. This also means that cyber leaders must be able to speak the language of the executive team, board, and customer. It’s a foundational element to translate security and other IT “geek-speak” into words, concepts, and connections that people outside of the cyber professions can understand and use to make decisions on defending and protecting by supporting the funding, process, capability, capacity, and interoperability needs of modern interconnected organizations.
