Companies Need to Rethink What Cybersecurity Leadership Is

Cybersecurity continues to be a back-office job; companies need to put cybersecurity where it belongs, with organization leaders.

By Mathew Doan
February 18, 2020

For businesses today, cyber risk is everywhere. Yet for all the investments companies have made to secure their systems and protect customers, many are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations and culture. The root cause is twofold: Cybersecurity is treated as a back-office job, and most cyber leaders are ill-equipped to exert strategic influence. Given that a cyber leader’s average tenure is just 18 months, it’s clear that something needs to change.

Historically, companies have expected chief information security officers and security chiefs to focus on technical tasks. Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats and influence fellow senior leaders. In short, they must be able to lead. And that means companies need to hire and develop security executives who have the skills to do so.

It’s time for boards and C-suite executives to reset their expectations of how cybersecurity is positioned and what a cyber leader is. Research being run by New America (where I’m a cybersecurity policy fellow), paired with my observations from dozens of consulting engagements, suggests a framework for what business leaders must do to spur cybersecurity success:

Set your intent with cybersecurity strategy: There are a few primary options that companies should consider building their strategy around: business continuity, brand protection, compliance and bottom-line growth. Your business context will drive your choices; you’ll want to think about factors like regulatory pressure, risk exposure and what customers value. The chosen strategy will cascade down to operational activities, which will then drive business outcomes.

Position the cybersecurity function to have influence: Location, authority and incentives are all important elements defining a team’s influence. It’s easy to default to slotting cybersecurity within the information technology function, but putting IT operations and security under the same roof, and on the same budget, can create problems. Before deciding where cybersecurity will sit, determine the types of influence you want it to have.

Get the right cyber leader for your needs: Boards and C-suite executives should prioritize mindset over technical skills when they’re considering and evaluating cyber leaders. Looking at what successful cyber leaders do, some characteristics jump out, such as having an expansive worldview, understanding how neuroscience can improve leadership, being eager to empower others and having a voracious hunger for learning.

The suggested framework can help mitigate business risk, reduce friction with regulators, lay guardrails for technology and security, and increase competitive advantage. Making tangible progress requires substantial top-down initiative from a company’s leaders — otherwise the inertia is too great, and cybersecurity remains a back-office, non-influential activity.

We’re now beyond cybersecurity’s “whack-a-mole” past of addressing one-off vulnerabilities. The function can — and should — be an essential ingredient to business success. But for that to happen, executives need to embrace their role in embedding cybersecurity across a company’s entire landscape and developing the right leaders to make the function thrive.

Copyright 2019 Harvard Business School Publishing Corp. Distributed by The New York Times Syndicate.
