There likely are hundreds of traits associated with great leaders. For starters, great leaders demonstrate honesty, integrity, loyalty and humility. They treat people fairly, and they consistently display good judgment. Great leaders tend to be highly intelligent, and they are confident and effective communicators with the ability to inspire others, especially when times are tough. They accept responsibility and value the hard truth. They are calm under crisis, empathetic, and often have good senses of humor. Based on these factors, great leaders are trustworthy, and they repeatedly earn that trust.
It will come as no surprise that each of these qualities also is important and perhaps essential when it comes to cyber security leadership. Yet, of all that is required, these traits may not be the most significant. Consider instead my Top Three: Strategic Vision, Passion for Coordination and Courage to Drive Culture.
There are few areas as broad as cyber security, where so many resources are committed with such an imperfect view of the scope of the problem and how best to define success. The first order of business is to establish the risk environment. In this regard, cyber security leaders must distinguish and prioritize between risks associated with their internal corporate networks, their outward-facing customer networks, any computer integrated manufacturing systems, those products or services that are enabled by computer chips, and finally the impact that vendors might have on each of these. There’s a big difference, for example, between protecting the Personally Identifiable Information of your employees and customers from hackers versus ensuring that the medical devices or fighter jets your company produces don’t contain malware.
Which leads to the second strategic issue: recognizing the breadth of the bad guy’s playing field. Threat actors can and do come from most everywhere around the globe, and they have motives ranging from making a profit to causing harm. They can attack our cyber security through any of four distinct vectors: through the supply chain (to include the design, manufacture, delivery, installation and updating of software and hardware); remotely (whether through network intrusion, drive-by download, email attachment or DDoS attacks); proximately (including, for example, using rogue wireless access points); and by insiders (be it a corporate spy or an unwitting employee).
The third strategic issue is to appreciate the varying degrees to which your company’s risk may be lowered through threat mitigation, vulnerability mitigation, consequence mitigation or a combination of the three, not all of which are equally effective against different threat actors or activities.
It is only upon identifying and prioritizing company data, products and services; evaluating the methods and motives to harm them; and considering the return on investment of specific mitigation strategies to protect them that a cyber security leader can define and implement a meaningful vision. Significantly though, for a vision to be strategic it must mean more than a combination of well-designed policies and achievable programs. It must answer the questions, “What does success look like, and are these policies and programs likely to get us there?”
Passion for Coordination
When some people talk about their jobs, they say, “It’s not my work, it’s my passion.” Seldom, however, do you meet people who list coordination as one of their passions. Yet, that’s exactly what cyber security leadership requires, because the problem and the solution set are diverse and organizationally dispersed. The best cyber security leaders are inclusive, and understand the need not only to adopt the latest techniques for identifying malware, but also the need to assess technology procurement decisions, physical access controls, prioritization of key assets and services, legal compliance regimes and more.
For the federal government, the question had long been asked, “Who’s in charge” of cyber security? The answer was hard to come by. Finally it became clear: the true leaders were those who brought together multiple departments and agencies, determined all of their equities and capabilities, consolidated those into a national strategy and unified budget, and got approval from the President and Congress to move forward. It was leadership through coordination.
Courage to Drive Culture
Although “You can have it all” makes for a catchy ad slogan, it’s a pretty lousy IT policy. Still, many employees consider it unacceptable to have “better” technology at home than in the workplace, or to be restricted from accessing certain websites from the office. Leadership requires the courage to press pause, and sometimes even to hit reverse. It is not necessary for a company’s most sensitive data to sit unencrypted on devices connected to the Internet, or for all employees to have access to that data. Instead, what is increasingly necessary is for leaders to step up and explain the business demands and cyber risks in such a way that employees appreciate, comply with and help achieve the strategic vision. That often requires the courage to drive culture, specifically a culture of security.
About the Author:
Steven Chabinsky is Chief Risk Officer and Senior Vice President of Legal Affairs for the cyber security technology firm CrowdStrike, where he advises the company and its clients on CrowdStrike’s incident response services, cyber intelligence products, and intrusion detection and attribution platform. He previously served as Deputy Assistant Director of the FBI’s Cyber Division.