What Kind of Cybersecurity Leader Are You? Advice for CSOs and Others

Just ask most CSOs, and they will tell you they have ambitions to join the board as a key advisor. It's in times of crisis that as CSOs we can either shine or hide away. We shine when we show that we are in touch with business drivers and are ready to adapt and evolve with the business, but still see the bigger picture. This is what a board advisor does. 

Savvy CSOs have in their back pocket the list of things they wish they could do but the business simply isn’t going to fund today – some of which we would consider fundamental. For example, we may wish to deploy new Next-Generation Firewalls as the old ones in place are past their sell-by date and creaking at the seams. Other ideas are even more forward-looking. For example, CSOs may dream of trying to get ahead of future issues for the business by setting up visibility for the popup DevOps projects they know are happening. Sometimes, the business doesn’t yet see the risks involved with these projects, and so it can be difficult to validate the investment in securing them. The simple and honest reality that any savvy CSO knows is that crisis typically opens the budget strings, but you have to be ready to move at short notice.

Today we see a shift due to COVID-19, which has led to more remote users requiring more remote access to business resources. Video conferencing is clogging up networks. Servers are straining under the volume of remote requests all coming in at the same time.  As a result, cloud transformation projects are being accelerated to meet the capacity needs. I suspect that in some cases, GDPR policies are being broken, as access requirements to data are having to change on a dime to ensure the business continues to function. When eventually the crisis subsides, the new norm for work, I believe, will likely be a hybrid of the remote worker and the way office life was prior to COVID-19. Hopefully, we will maintain the better parts of the work-life balance that technology enables and circumstances have temporarily enforced.

As such, my prediction is that the long-term business digital risk profile will look different. This means that what we do now during the current crisis can and should be the foundations for the longer term cybersecurity strategy of the business. But we must be agile and adaptable. Change happens in challenging times. There’s often a common sense, business-like status quo – and crisis challenges it. We typically only make seismic shifts when they are forced upon us. 

As leaders in the digital space, we are used to dealing with both binary zeros and ones and shades of infinity. The current moment is binary. You’re either a CSO who is prepared for a crisis and uses it as an opportunity to shine, or you’re not up to the challenge. If you’re shining, you’re ready to move your own department’s agenda forward to better secure the business, which means quickly adapting and shifting to address short-term business needs, but also ensuring that what you do has longer term value, so you don’t lose sight of the longer term strategy.  

Some years ago, I did some psychology training around what is known as provocative therapy. Its goal is to challenge the stuck state we all so easily fall into. This can be rooted in phobias, fears or simply our perceptions of what is normal. If you haven’t explored this, it's good people skills development. 

Find the time to have a team call and challenge your own team on what the future will look like. Are they in a stuck state? Do they need prodding to change their beliefs? If they are telling you things will go back to how they were before, you need to provoke them some more. Quite simply, I would challenge them with the idea that there is no going back – that is part of digital evolution, how societal situations shift our perceptions and therefore the realities behind them. Remember, everyone on your team is an ambassador of how cybersecurity empowers the business.

Work with your team to ensure you’re moving forward, rather than failing to address the current changes. It really is that binary. Ask yourself which kind of CSO are you and what are you doing to prove that to the business teams you work with and support. 

Takeaways:

1. Always have your wishlist ready to go. Consider how it aligns to your organization’s goals, both short-term and long-term. Look for signs of shifting priorities. A crisis is one clear example of this.
2. When crises occur, consider how you identify the changes they bring to your organization’s risk profile. What are the timescales in which the business demands this insight?
3. As you go through any crisis, take time to consider the lessons learned. How do you apply this to your longer-term strategy?
4. Look out for the seismic shift. We are in one now, and I’m sure it won’t be the last. However, I really hope future shifts aren’t as negatively impactful on society. When seismic shifts happen, ensure you are ready to step up. Adapt, but also be prepared for the long-tail changes these shifts bring to how we work digitally so you can get ahead of the business risks. 
5. Use this as a time to gather your own team and challenge their perceptions and beliefs. Spend some time helping them consider how this impacts their roles and the business around them.

Read more of Greg Day’s cybersecurity insights.