Cybersecurity And Leadership: Part 1, We Mean All Leaders

When we say that "all leaders are responsible for cybersecurity," an immediate reaction might be: no, that's what I hired the CISO to do; or, no, I can't do that because I don't have the (budget or support or time or systems or staff or whatever); or, no, we pay Big Consulting Company to do that.

All of these knee-jerk reactions are wrong in different ways.

In this series we will explore what every leader's responsibility is for cybersecurity at the level of leadership they hold. Our position is that cybersecurity is everyone's business, and when we're talking business, we're talking about leaders and leadership.

Let's start by outlining who counts as a leader in a typical organization. Your organization or company might call these roles different things, but that's window-dressing.

Board member: someone who is responsible for overseeing the performance of executives, and whose own job requires broad awareness of corporate goals, strategies, investment opportunities, external environmental and political trends, etc.

In terms of cybersecurity, the Board holds executives responsible for creating and maintaining growth or meeting mission goals. Cybersecurity lapses impede the growth or mission of the corporation.

Executive: someone with fiduciary responsibility for the performance of the organization. This might be a "Chief" something (CEO, CIO, CTO, etc.). The executive has the technical expertise and the responsibility to adjudicate relative investments within the corporation, assess the performance of her/his area of responsibility, and correct course as needed. Executives develop strategy and assign goals to managers.

In terms of cybersecurity, executives are responsible for creating and maintaining growth, which could include revenue growth and accomplishment of mission. Cybersecurity lapses impede the growth or mission of the corporation, while over-investing in cybersecurity may not improve the corporation's performance.

Middle manager/function manager/project manager/etc.: someone whose own performance is managed, and who is rewarded or held accountable for the performance of a specific function within the organization. This manager has subordinate managers or subject matter experts reporting to her/him. Significant expertise of their own is a plus (they may be a "senior doer"), and with input or approval from executives they can set direction and make investments in specific areas. Two key aspects of middle management are that they must accomplish goals handed down by executives and they must collaborate with other middle managers. This is the level where organizational politics becomes an issue. Performance is tracked against key performance indicators (KPIs).

In terms of cybersecurity, managers are accountable for achieving their KPIs. Cybersecurity lapses impede the growth or mission of the corporation, while over-emphasizing cybersecurity may be good for one area but less relevant for others, and thus impolitic.

Supervisor: someone whose entire job revolves around getting individual contributors to complete assigned tasks on time, under budget, and to the specified level of quality, while also not engaging in counterproductive behavior. For many, the supervisor position is a rung on the corporate ladder. Others stall there due to the "Peter Principle" (people are promoted to the level of their incompetence). Getting tasks accomplished through others is good preparation for executive work, just at a lower level. But it also demands oversight vigilance, and that vigilance should cover cybersecurity in addition to task performance.

In terms of cybersecurity, supervisors are accountable for monitoring and documenting cybersecurity violations, lapses in protocol, and counterproductive work behavior (which we discuss in BARC).

In subsequent posts we'll discuss in greater depth how each level of management has a role in cybersecurity. As always, ask us how we can help you align your leadership approaches with a cybersecurity focus.
