By: Michael Anaya, Head of Attack Surface Analysis at Cortex for Palo Alto Networks
In today’s day and age, leadership is pivotal but often overlooked in cybersecurity. But why? I propose it is because of the belief that an executive cybersecurity leader, particularly the Chief Information Security Officer (CISO), should be very technical, to the point of being a skilled practitioner. I recommend you take another look at the issue and tackle it from a different angle, with more focus on one’s proven leadership ability. How do you do that? You evaluate cybersecurity leaders differently. Let’s look at three ways to assess executive cybersecurity leadership, listed in order of importance.
1. Ability to Lead
First and foremost, does this person possess the ability to lead and galvanize a team around a cause? Can they build a team? Can this person orchestrate an effective defense posture against an attack? These are all questions you should be asking. Not, “Does this person have the technical know-how?” Don’t get me wrong, having a technical proclivity is important (so much so, it made my list in the 3rd slot), but it takes a back seat to leadership ability.
Whether it be a persistent nation-state threat that is years and millions of dollars in the making or a brazen fraudster targeting your less savvy users, the threats are ever-present and constantly evolving. Because of this, one person can’t solve all of the issues independently; they require a team of people, which makes it necessary to find someone who can effectively lead your cybersecurity team.
There are countless leadership theories in play. An article in Harvard Business Review covers six fundamental skills every leader should practice. Start here. When you are evaluating your next cybersecurity executive, determine if the person has those six skills. If the applicant does, you have a viable candidate.
2. In Line with Organizational Culture
The next question should be: “Does this person fit our organization’s culture?” Keep in mind, this is not a debate of what your company culture should be, or what it could be, but what it is today. If you are looking to change your organizational culture for the better, that is another conversation (but a worthy one). For this article, let’s assume that is not a factor.
A common fallacy is that a person who is successful in one environment will be successful in every environment. This misconception is why you see NCAA college football coaches lead one team to a National Championship but struggle when they shift to another program.
Finding the right leader that can complement the existing team is often overlooked. An article by O.C. Tanner covers this in far greater detail. Simply put, leaders set the tone for organizational culture. They can make or break it. Having your cybersecurity leader in line with your organization’s culture is critical.
3. Technical Proclivity
Finally, you need your executive cybersecurity leader to have a technical proclivity. The leader has to understand the technical cybersecurity challenges the organization faces today and in the future.
This could take on many forms. They could have spent years as a software engineer, network administrator, database administrator, or in another technical but non-cybersecurity role and then been promoted into leadership. The person could even have been a computer science professor who jumped into the private sector, rose through the ranks, and is now a top candidate for a CISO role. There are countless other scenarios, but in all of these situations, the person has shown a propensity for technical thinking.
Now, the person in question needs to have experience in cybersecurity in some capacity. That might mean they led a cybersecurity team, built a cybersecurity program, or obtained various cybersecurity certifications. However, you don’t need 30 years of cybersecurity experience with multiple certifications to do the job. Remember, the primary focus should be on the person’s ability to lead. That person will build and lead a team of others who specialize in all the areas warranted by your organization’s threat landscape.
Today, if every organization focused on these three areas when selecting their next CISO, they would be far better protected against cyber threat adversaries. Remember, one person can’t do it alone, which is why you need someone who can build a team, and not just an internal team. They will need to develop partnerships, build collaborations across industries (even spanning into the public sector), and involve outside experts. There is too much on the line in today’s cyber-threat-laden world for anything less.