The cyber security transformative urgency in many firms forces us to look beyond traditional technology profiles
Cyber security has risen to prominence on the agenda of many business leaders.
Large firms have been struggling with it for decades in spite of significant investments in that space, but for many across the boardroom, the realisation has taken place over the past few years that cyber-attacks were simply a matter of “when” not “if”.
In many organizations and industries where cyber security maturity has been low for decades, large-scale transformative initiatives are shaping up, but in the current context of the global enterprise, with supply chains disrupted by the post-pandemic chaos, climate change and geopolitical imbalances, leading those initiatives and successfully delivering them requires a certain type of profile, which may be far from the profile of your traditional CISO.
First of all, we have reached a point in terms of urgency and complexity where successful cyber security leaders have to be trusted business insiders.
That goes way beyond the usual cliches by which the CISO “has to talk to the business in their own language” in order to paint security to them as an “enabler”. Those ships sailed long ago. Cyber security is now an imperative in the face of global and virulent threats that can simply take your business down. Period.
Business leaders want to be given assurances by somebody they can trust, that their activities are adequately protected in terms of prevention, detection, reaction and recovery. So cyber security leaders cannot be technology outsiders anymore; they have to be – and be seen as – experienced and trusted business leaders; it means understanding the day-to-day of the business, its real dynamics and challenges, and where the real pain points are for other business leaders.
That’s the basis of a common understanding on which trust will be built, and that trust platform is the only platform on which successful cyber security leaders can build the long-term foundations of any transformative efforts.
Second, cyber security leaders have to be good listeners.
That’s the other key ingredient they will need to drive a successful and lasting transformation.
Going back to the very basics of leadership, you are a leader when people follow you, and most people will follow you if there is something in it for them: listening to the expectations of all stakeholders around cyber security, taking into account their constraints and their own priorities, and embedding those into the transformation roadmap is the best recipe to build endorsement and acceptance around cyber security transformative objectives.
Such acceptance, coupled with – and maybe born out of – the trust of business leaders, will form the bedrock on which the execution of the cyber security transformative roadmap can succeed.
But one final ingredient is also required: time.
Cyber security leaders have to be mid to long-term players and visionaries.
We see too many CISOs changing jobs after 2 to 3 years out of frustration, having achieved very little apart from kick-starting a number of technical pet projects. This is not transformative in essence and has contributed to the long-term stagnation of many organizations around cyber security matters.
Even on the bedrock of trust from business leaders and their acceptance of long-term objectives, real and lasting transformation across a field as complex and transversal as cyber security can only take time, in particular where initial maturity levels are low.
In large organizations, this could mean navigating across multiple business cycles while keeping priorities set on the same long-term transformative goals.
Those are capabilities which come with experience and require significant political acumen, as well as the personal commitment and willingness of the cyber security leaders to stay the course (and the commitment from senior executives that they will be incentivised to do so).
Readers may notice that I have hardly mentioned technology or technical attributes so far.
Of course, cyber security has a technical dimension, but it is a common mistake to reduce it to a pure technical discipline, while the key challenges large organizations have been struggling with over the years are at its interface with business and support functions, in terms of cultural acceptance or priority setting.
In my opinion, we have come to the point in terms of transformative urgency in many firms where cyber security leaders have to rise above the traditional technical content of their role.
They have to be just that: Leaders, active, credible and audible across all corporate silos; not just technology experts.