3 Steps to Effective Cybersecurity Leadership
The year 2022 was an eye-opening one for security threats, as revealed in Cisco’s latest report on cybersecurity. Some of the revelations of that report include:
- 70% of organizations had users who were served malicious online ads.
- At least one user tried to connect to a phishing site in 86% of organizations.
- And 50% of organizations encountered activity related to ransomware.
Making matters worse, there is currently a shortage of cybersecurity professionals. While Big Tech stunned the world with tens of thousands of layoffs in December and January, the cybersecurity sector lacks people to fill its open jobs.
Lack of personnel = lack of leaders. And someone is going to have to pick up the ball.
Cybersecurity leadership is challenging in itself. Handing the reins to someone who doesn’t have the aptitude for leadership in general makes a problematic situation virtually impossible to navigate.
Although cybersecurity incident numbers have skyrocketed, corporate leaders still seem to be mainly in the dark regarding the needs of a cybersecurity team.
The good news is that this can be solved. Let’s take a look at how to do it.
Triads in cybersecurity
The triad is not a new concept in cybersecurity. The cybersecurity triad is commonly understood to mean:
- Confidentiality: Making sure that sensitive information is kept secret and only accessible by authorized personnel.
- Integrity: Protecting against unauthorized changes to data and ensuring that information is accurate and trustworthy.
- Availability: Ensuring that information is accessible to authorized personnel when needed and that systems are available for use as required.
Together, these three properties are commonly known as the CIA triad.
The SANS™ Institute, a cybersecurity training organization, expanded the concept of the original triad and came up with a triad for cybersecurity leadership, which encompasses:
- Technology
- Strategy
- Culture
The cybersecurity leadership triad
The cybersecurity leadership triad provides a comprehensive framework for cybersecurity professionals to achieve effective cybersecurity leadership.
Technology
Step one of the triad is the effective use of technology to drive change. This step would require an entire book in itself to be adequately described. If you would like to dig into every element of this step, we recommend checking out the SANS cybersecurity leadership training program.
But if you need just the essence of it, we’ve put that together below.
The technology step consists of the following:
- Reducing information risk through proper use of security measures.
- Pioneering cutting-edge security initiatives in the organization.
- Properly organizing your security program and personnel.
- Establishing security features that support business operations.
Several standard programs exist to implement the necessary security measures. For example, the NIST Cybersecurity Framework (NIST CSF) is a voluntary framework created by the National Institute of Standards and Technology (NIST). This framework helps organizations manage and improve their cybersecurity posture.
And then, there is ISO 27001 — an infosec standard published by the International Organization for Standardization (ISO) that helps organizations maintain and improve an ISMS (Information Security Management System).
Other frameworks likewise exist for managing risks, threats, and controls.
Strategy
The second element in the cybersecurity leadership triad is strategy. To achieve this, a cybersecurity leader should:
- Formulate a comprehensive security plan and blueprint.
- Gain support and commitment from all organizational levels.
- Construct persuasive presentations for top leadership.
- Develop security policies and procedures.
- Align with business goals.
- Deal with legal and regulatory threats.
Some of the tools that exist for this are:
- Security roadmaps: A plan of action for improving an organization’s security.
- PEST (Political, Economic, Social and Technological) analysis: A tool to assess macro-environmental factors.
- The WIIFM (“What’s In It For Me?”) approach: A way of framing presentations to leadership around what matters to them.
- Business budgets: A reference point to ensure plans stay within the business’s goals.
Culture
The final step for long-term, positive cybersecurity transformation is to make cybersecurity part of the company’s culture. Only by bringing cybersecurity into the culture itself can companies onboard every user and start to reduce the hit rate of sophisticated, highly targeted attacks.
By creating a cybersecurity culture, cybersecurity leaders can transform the attitudes and practices of both executive and lower-level employees, thereby achieving true cybersecurity transformation.
To achieve company culture changes, cybersecurity leaders should:
- Establish a lasting cybersecurity culture.
- Promote sustained organizational change.
- Enhance the efficiency and outcomes of security efforts.
- Guide, motivate, and inspire teams to implement and enhance the security plan.
- Construct a comprehensive security awareness initiative.
Some of the methods to achieve these changes include:
- The ADKAR Model (short for Awareness, Desire, Knowledge, Ability, and Reinforcement): A goal-oriented change management model developed by Prosci, Inc.
- Understanding the “Curse of Knowledge”: A phenomenon where people with intimate knowledge of a subject struggle to explain it to others.
- The circle of trust: A concept that encourages people to rely on each other in a close-knit group. This is a powerful tool for building business relationships.
And many, many others.
Cybersecurity isn’t impossible
As we mentioned earlier, there is an entire course on this subject, and anyone hoping to achieve cybersecurity transformation in their organization should consider taking it.
But the takeaway is that it can be done. Taking on a cybersecurity role at a company shouldn’t be only about implementing a few strategies and then calling it done. It should encompass the three major steps of transformation, so that by the end of the culture step everyone is on board and the organization is in a much better cybersecurity posture than when it started.