Cybersecurity And Leadership: Part 5, Supervisors

There are two statements that seem contradictory but are both true:

1. The best cybersecurity defense in terms of employee-initiated actions (v. external agent-initiated actions) is the first-line supervisor. 
2. The most likely cause of employee-initiated cybersecurity actions (v. external agent-initiated actions) is the first-line supervisor. 

Significant empirical research on the impact of managers and leaders on organizations shows that supervisors at any level who are not able to focus their direct reports on task performance, who are not able to create an inclusive environment, who don't provide feedback, or who are not putting their direct reports in positions where they get to do what they do best every day, reap the rewards: poor performance, turnover, employee theft, and loss of customers.

All of these negative outcomes set up organizations for cyber-related incidents.

Why? Because, as Dr. Chloe Wilson has demonstrated, people who feel that their employer "owes" them something feel a sense of injustice, and these individuals are determined to right the balances of justice. 

Sure, some people who enter organizations are set on engaging in misuses of information systems for the purpose of espionage or outright theft. However that's highly unusual. And even then, supervisors who are not adequately managing employee performance are creating opportunities for theft and espionage, not to mention blatant misuse of information systems.

Also, inadequate supervisors do not create conditions to support the organization's cybersecurity incident response plan (IRP). Why not? Because they may not understand it or see it as being as important as schmoozing or developing quarterly reports or what have you.  

Behavioral research (cited above) consistently shows that better supervisors address poor performance, identify and support training and development, head off counterproductive work behavior, squelch  waste, fraud, and abuse, and are resources for their direct reports. 

There are many ways to assess quality of supervision; is your company positioning these methods to identify and develop a cadre of leaders who are able to manage the risks of employee use of information systems? Ask us how.