Cybersecurity Leadership: The Keyboard is Your Front Line

By Rich Bates | CRISC | GSLC | Cybersecurity Program Manager, Former CIO, Zeiders Enterprises, Inc.

As a Cybersecurity leader, especially in the Federal and DoD contracting world, you know the drill. The contract stipulates that you must have annual Cyber training for all employees and some sort of refresher program in place. You may also have clauses that state that your IT staff must also have incident response training.  You enlist your HR and Learning and Development departments and craft a program that includes resources both off the shelf and self-developed. All the employees from the CEO on down attest they have taken the training.  Then the alarms go off.

You are Training, but are You Educating?

“Tell me, and I will do. Explain to me, and I will understand.” Too often, we see examples of firms that go through the motions of Cybersecurity education only to have an incident caused by a single mis-click. The employee knew what they should not do, but did they have the understanding to recognize the situation beyond the example? Educating your organization beyond mere training can reduce cyber incidents dramatically. Don’t just tell your employees, “Don’t do that.” Tell them why not – especially your junior IT staff. Show your end users how to really spot phishing. How many of them can spot the difference between an “a” and a “α” in an email address? More importantly – do they even know how to look?
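As an added illustration of the “a” versus “α” point above (example code written here, not part of the article): a small Python check that reports every non-ASCII character in an address by its Unicode name and flags addresses that mix scripts, the pattern a homoglyph substitution produces. The sample addresses are constructed for the example.

```python
import unicodedata

# Constructed sample addresses (not from the article). The third swaps a Greek
# small alpha (U+03B1) for the Latin "a"; the fourth uses a Cyrillic "а" (U+0430).
SAMPLE_ADDRESSES = [
    "jane.doe@example.com",
    "payroll@example.com",
    "p\u03b1yroll@example.com",
    "jane.doe@ex\u0430mple.com",
]


def script_of(ch: str) -> str:
    """Coarse script label for one character, taken from its Unicode name."""
    if ch.isascii():
        return "ASCII"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split()[0]  # e.g. "GREEK", "CYRILLIC", "LATIN"


def suspicious_chars(address: str) -> list[tuple[int, str, str]]:
    """(position, character, Unicode name) for every non-ASCII character."""
    return [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(address)
        if not ch.isascii()
    ]


def looks_like_homoglyph_spoof(address: str) -> bool:
    """True when letters from more than one script appear in the address.

    A single Greek or Cyrillic letter dropped into an otherwise ASCII name is
    exactly what the eye misses. A fully non-ASCII address in one script (a
    legitimate internationalised name) is deliberately not flagged here.
    """
    scripts = {script_of(ch) for ch in address if ch.isalpha()}
    return len(scripts) > 1


def explain(address: str) -> str:
    """Plain-language verdict a help desk could show the user who reported it."""
    flagged = suspicious_chars(address)
    if not flagged:
        return f"{address}: all ASCII"
    details = ", ".join(f"'{ch}' at {i} is {name}" for i, ch, name in flagged)
    return f"{address}: NON-ASCII ({details})"


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(explain(addr), "| mixed-script:", looks_like_homoglyph_spoof(addr))
```

Run against the sender address of a reported email, the output names the substituted character instead of asking the reader to see it.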

Your Phalanx Isn’t

We do the training, we do the newsletters, we do the quarterly All Hands slides and imagine that our keyboards are staffed by a phalanx of motivated, educated Cyber warriors ever on the lookout for nefarious evildoers trying to get into our system.  Bad news – they’re not.  They are accountants, bookkeepers, hiring professionals, clerks and executives doing what they are experts in, under tight deadlines.  In the great majority of cases, they will act morally. They will spot the badly formatted phishing email, or they will hover over the shortened link to see where it really goes. However, they are human and will make mistakes. The good news is that most of these mistakes will be minor – such as an email sent to the wrong person.  These errors are only made easier by “Time Saving Features” in our applications, such as auto-filling email addresses.

Smooth is Slow, Slow is Fast.

Regardless of the employee’s role (Finance, HR, leadership, or especially IT), leadership must emphasize accuracy over speed. If employees are constantly faced with short, unrealistic deadlines or don’t have access to the resources they need, they might panic, not check their work and commit unforced errors. Part of being the Cybersecurity leader in your organization is getting the ear of the other leaders and educating them about how cyber errors affect the overall business, and how the majority of those errors can be avoided if employees are encouraged to slow down, take a minute and check what it is they are about to click on, even if it’s “just” the send button.

A Seat at the Table

It is still stunning to hear about CIOs and CISOs not having a seat at the executive table. While it may be unrealistic to have both at the table, at least the CIO must be there and be allowed to proxy for the CISO. The CIO must be able to speak directly and freely to the rest of the C-suite to bring understanding about the threat landscape, where the corporate gaps are, and what the Chiefs, including the CEO, need to do, demonstrate and say in order to help reduce those gaps. This not only helps in elevating Cyber Awareness, but can also help remove the “Oh, it’s those IT guys again” mentality. IT has always been seen as a utility; to reduce Cyber Incidents, it must be seen as a partnership.

What to do?

  1. Management Team Buy In. The C-Suite, the VPs, the Directors, every leader must buy into Cybersecurity. Additionally, they should be early adopters. Is it unreasonable to have a rollout plan that looks like this: First to IT, then to the Change Advisory Board, then to the Executives and so on? No, it is not.  Employees do watch and take note of who is taking the lead.
  2. Education, not Training. Yes, you will have to do the basic box checking of annual Cyber Training. LinkedIn Learning, the SANS Institute and even the Department of Defense have some good resources that are both for free and for fee.  But beyond that Cyber Leaders must take an almost evangelistic stance on Cyber Education.  Do not hesitate to share the truth about what the bad guys are up to and what the consequences of bad Cyber behavior can be.
  3. Reasonable Time Management. There will be deadlines the organization can’t control.  The organization can control how those deadlines are planned for.  It doesn’t matter if it’s a weekly report or corporate taxes, deadlines should be well known, communicated and planned for.  This will give staff the opportunity to plan their activities and not feel overly rushed to hit “send.”
  4. Don’t Jump Their Stuff. Messes will get made and messes will get cleaned up. You will have front-line, non-IT staff who make mistakes. Hopefully, they will trust you and management enough to quickly alert you to the error so it can be identified, contained and eradicated. One sure way to make certain they do not trust you is to berate them for the error. The IT staff member who promoted code from Dev to Prod while skipping Test is a very different matter from Sally in HR, who sent a Corrective Action Form to Jim in Accounting rather than Jake in HR.

Leadership in general, but Cyber Leadership specifically, is about trust and understanding with a sprinkling of empathy.  A good Cyber Leader will not view themselves as a leader of just the IT department. They should strive to be a Corporate Leader – setting the tone and the example of Cybersecurity for all to learn from and to follow.