Cyber risks have taken center stage in the corporate world. It is estimated that more than 80 percent of organizations have now included cyber risk as one of the top five risks in their risk register. Cyber security has become a key concern for boards and executive leadership.
Recent surveys and research suggest that although visibility at the board level has increased, requisite organizational structures (to support cyber risk mitigation) are still lagging. I believe that is a result of a combination of factors:
1. Cyber security as a domain, being new, has no specific standard format to follow in terms of implementing structures and allocating responsibilities.
2. There is an inherent shortage of resources and the problem is more exacerbated at senior levels.
3. Depth of cyber security knowledge is lacking at the board level.
The apparent disconnect and gap in trust needs to be closed if the cyber threat is to be tackled effectively. Organizations must realize that, in order to have a mature cyber security posture, they need transformational leadership in their cyber security area.
An executive/manager in charge of cyber security in an organization has the unenviable task of influencing the board and the executive leadership group, as well as impacting the security culture across the organization. The cyber security leader does not necessarily need in-depth technical skills, but certainly needs dynamic leadership skills.
What are the skills required for cyber leadership?
If you are a board member/executive manager looking to hire a security manager or you are a security manager looking to rise to the challenge, in addition to technical understanding of security, I recommend focusing on getting/developing the following skills:
- Great communicator and story teller: Only a great communicator can influence effectively at the board and executive level, as well as impact end users from various business units with varied amounts of technical knowledge.
- High emotional intelligence: A highly developed emotional intelligence (EI) is needed to foster enduring internal relationships with peers, business unit leaders and technical staff. EI is a critical trait as it will influence collaboration, teamwork, crisis management and more.
- Big-picture thinking (being able to see the forest through the trees): A security manager usually comes from a technical background, and technical engineers are very good at focusing on the minutiae which is necessary to solve technical problems. Security, on the other hand, is very much connected with being able to see the bigger picture and the context. Security leaders need to have big-picture thinking to be successful.
- Business acumen: A security leader has a very important part to play in business planning, strategic planning, and ensuring that security and risk management are built into all business processes. Most importantly, the person needs to be able to frame security challenges into business opportunities. Ultimately, security leader need to balance dollars with risk.
- Ability to lead cultural change: Organizational culture sets the tone, the framework and the operational context for security to operate. Implementing a mature security posture has a lot to do with successfully leading culture change in an organization. Ultimately, security leader must create a positive security culture.
- Personal integrity: For the security leader, the foundation of success is built on how he/she can engender trust of various parts of the organization in the security processes and security programs being put in place. Trust starts with the security leader, and hence he/she must exhibit the greatest of personal integrity.
- Execution/ability to get things done: Security leaders must be results-oriented. At the end of the day, soft skills are all good, but the security manager must have the ability to execute and complete tasks and projects successfully. Security leader must find ways to say “yes” to internal stakeholders and make security an enabler and not a roadblock.
- Be a team-builder: Good leaders build good teams. The security leader needs to be a “servant leader” and build a team of specialists with multi-dimensional skillsets, attracting the best talent to the organization. Successful security programs need people with the right mix of talent, technical skills and interpersonal skills working as a cohesive unit.
Editor’s note: Ashutosh Kapse will be presenting on “Culture & Leadership – Key to Cybersecurity” at ISACA’s 2017 Asia Pacific CACS conference, to take place 29-30 November in Dubai.
Ashutosh Kapse, Head of Cybersecurity, IOOF Holdings Australia
[ISACA Now Blog]