Need of the Hour: An Effective Cybersecurity Leader
By Ashutosh Kapse, Head of Cybersecurity, IOOF Holdings
In Australia, a number of initiatives have been launched by the Government. These include the ASIC/ASX cyber security survey, the creation of the Cybersecurity minister and strategy, and the enactment of Mandatory data breach regulation. Australian organizations are no different from their peers around the globe, where cybersecurity has become the key risk of concern for Boards and executive managers.
Interestingly, some recent surveys have produced contrasting results. Research by the Ponemon Institute showed that, among more than 400 organisations surveyed, 67 percent of board members reported they had only “some” or minimal knowledge of cybersecurity. The same research suggested that 70 percent of Board members were confident that they clearly understood security risks. When the same question was posed to technical staff, 57 percent of IT staff thought that their board did not have the requisite knowledge to understand cyber risks. In another survey, conducted by ISACA, which polled nearly a thousand professionals in the US, 82 percent of boards recognised that cyber security is a business problem which needs the attention of the board. But in the same organisations, only 1 in 7 (14 percent) CISOs reported to the CEO and had a seat at the executive leadership table.
The research suggests that although visibility at board level has increased, the requisite organizational structures (to support cyber risk mitigation) are still lagging. I believe that is a result of a combination of factors such as:
a. Cybersecurity as a domain, being new, has no specific standard format to follow in terms of implementing structures and allocating responsibilities
b. There is an inherent shortage of resources, and the problem is exacerbated further at senior levels
c. Lack of depth of cybersecurity knowledge at Board level
The apparent disconnect and the gap in trust need to be closed if the cyber threat is to be tackled effectively. Organizations must realise that, in order to have a mature cybersecurity posture, they need transformational leadership in their cybersecurity area.
An executive/manager in charge of cybersecurity in an organization has the unenviable task of influencing the Board and the executive leadership group as well as impacting the security culture across the organisation. A cybersecurity leader does not necessarily need in-depth technical skills, but certainly needs dynamic leadership skills.
What does transformational leadership in Cybersecurity mean?
If you are a Board member/Executive manager looking to hire a Security manager, or you are a security manager looking to rise to the challenge, in addition to technical understanding of security, I would focus on getting/developing the following skills.
• Great communicator and story teller: Only a great communicator can influence effectively at the board and executive level as well as end users from various business units with varied amounts of technical knowledge.
• High Emotional Intelligence: A highly developed emotional intelligence is needed in order to foster enduring internal relationships with peers, business unit leaders, and technical staff. EI is a critical trait as it will influence collaboration, teamwork, crisis management, and more.
• Big-picture thinking: “Being able to see the forest for the trees...” A security manager usually comes from a technical background, and technical engineers are very good at focussing on the minutiae, which is necessary to solve technical problems. Security, on the other hand, is very much connected with being able to see the bigger picture and the context. A security leader needs big-picture thinking to be successful.
• Business Acumen: A security leader has a very important part to play in business planning, strategic planning, and ensuring security and risk are built into all business processes. Most importantly, the person needs to be able to frame security challenges as business opportunities. Ultimately, a security leader needs to balance dollars with risk.
• Ability to lead cultural change: Organizational culture sets the tone, the framework, and the operational context for security to operate. Implementing a mature security posture has a lot to do with successfully leading culture change in an organization. Ultimately, a security leader must create a positive security culture.
• Personal integrity: For the security leader, the foundation of success is built on how he/she can engender the trust of various parts of the organisation in the security processes and security programs being put in place. Trust starts with the security leader, and hence he/she must exhibit the greatest personal integrity in everything the person says and does.
• Execution - Ability to get things done: A security leader must be results oriented. At the end of the day, soft skills and communication and integrity and EI are all good, but the security manager must have the ability to execute and complete tasks and projects successfully. A security leader must find ways to say “yes” to internal stakeholders and make security an enabler and not a roadblock.
• Be a team builder: Good leaders build good teams. The security leader needs to be a “servant leader”, build a team of specialists with multi-dimensional skillsets, and attract the best talent to the organisation. A successful security program needs people with the right mix of talent, technical skills and interpersonal skills working as a cohesive unit.