Cybersecurity professionals often come from very technical backgrounds. It is imperative that these professionals understand all the areas of technology: operating systems, networking protocols, architecture, applications and databases. At some point many of these professionals achieve leadership roles. A cybersecurity leader must be able to rely on that technical acumen to enable the business goals while mitigating risk. In short, they must be able to translate the technical and understand the language of business. This article provides some advice on leading a Cybersecurity Program.
As a security leader, the individual must be able to link the program with the organization’s mission. They need to know what the pillars of success are for the organization, and how cybersecurity interconnects.
A great example from healthcare is the pillar of patient safety. Biomedical devices connect to patients to read blood pressure and their pulse, but they also deliver medicines and monitor embedded medical devices. Security risks to these devices are not simply dedicated to data security, but to patient safety, as a criminal hacker might interfere with the life sign readings or modify the medicine dosage. In industrial control systems for example, a hacker might change the flow pressure of an oil rig or shut down a section of a power grid. The aforementioned risks surpass pure data security and involve more dangerous, life threatening hazards.
To build a successful program, cybersecurity leaders must build relationships across the organization, especially at the board and C-level. To build trust, they must make their credibility known by establishing their expertise and why are they in that position. This leader cannot be too humble – to build trust it is important that the organization understands that this leader knows what s/he is talking about and can execute to minimize important risks.
A key way to build trust is to measure the effectiveness of the program and be able to present the meaningful metrics. These metrics should demonstrate that the program is moving the organization in the right direction, continually reducing risks, and complying with relevant regulatory requirements. The cybersecurity program must be business driven with a vision that aligns with the organization’s mission. The cybersecurity leader must be able to present and discuss that mission in a way that non-technical leaders will understand the potential impacts to the business and buy into key risk mitigation efforts.
In addition to trust, the cybersecurity leader must create a tone and culture. Culture is a critical aspect of a program’s effectiveness. Only so much technology and technical controls can be implemented. There is no technical control for a user’s brain. We must set a tone which is conducive to training our users as best as possible to do the right things. A great example of this is phishing. We cannot block every potential phishing attack. However, we can educate our users on the normal indicators of phishing within email. We can test users with benign emails, providing them the opportunity to practice what they have learned. Over time, users will begin to pause when opening an email. They will be better at spotting potential indicators of phishing and won’t be so quick to click a link or open an attachment. In terms of metrics, the rate of reporting of suspicious emails is a great indicator to show that your training is effective.
As cybersecurity leaders, it is imperative to build partnerships within the organization: compliance, legal, human resources, physical security, as well as the chief financial officer, the chief operating officer, the CEO and the Board. A partnership is critical as those executives are directly responsible for key areas of concern as well as budgeting for the cybersecurity program. Having an accomplished, capable and trusted leader over the cybersecurity program should be important for all these stakeholders. We must show them that we understand their business goals, associated concerns and build that into our programs.
As cybersecurity leaders, it is not our job to say “NO” but to look for ways to enable the business, securely. If we haven’t built those relationships and trust, when we do find risks, it will be much harder to try to influence the organization towards mitigation or avoidance of these risks. If you are a trusted partner, those executives are more likely to trust your judgement. And that means we must build our programs on mature risk management.
Everything we do in security is risk management, from installing anti-virus to setting up a firewall. We must expertly craft a program that can assess, identify and mitigate risks, while still allowing the business to operate and do things that might be risky. Risk management should be the pillar of your entire security program.
As cybersecurity leaders, we can no longer sit in the “basement” and avoid personal contact. We must have a seat at the executive table. We must be the face of cybersecurity, concerned not just with pure security protocols but business aspirations. We must be able to understand the business goals and work to securely enable them. By doing this, you demonstrate that you are a partner, a fellow business leader concerned with the success and growth of the organization. Security is a business enabler, and the right leader can add tremendous value to an organization.