Mapping Leadership Talent To Cybersecurity: Pt. 1, Governance
Of all the BORING parts of cybersecurity, or maybe of any process such as ruling in Medieval England, start the count with governance. It's not why you went into comp sci or systems administration work or anything like that. It seems like only people who can't code go there.
Surprise! This is one of the most important touchpoints a technical leader has with the organization. Remember, you may know how to code but the general managers in the organization do not -- and they know how to do governance.
In fact, NIST's original CSF did not include governance among its functions. It's there now, added in CSF 2.0.
Let's let Brendan discuss it:
This function is what you would expect and a great step toward what is needed. Adding this function validates Pythia Cyber's top-down approach in which we start at the top of the organization to set the priorities, the budget and the goals. This function makes the link to Risk Management clearer as well.
We hope that this official recognition of this concept will help move the needle on the tendency of CEOs and other senior management to lob cybersecurity (C/S) over the wall into the IT department. We don't expect the C-Suite to start working the front lines in the fight against ransomware or in the never-ending quest to preserve data, but we do expect the C-Suite to do their part:
- Set the priorities about which cyber assets to protect
- Review evidence that the protections are effective
- Keep an eye on the cost-effectiveness of the protections
- Revisit the priorities regularly and as needed
Governance is an art. It is part strategy, part user's manual, part peace treaty, part procurement blueprint, full-time politician. It's what we agree to do, what to let other people do, and what we hold everyone accountable for. It involves getting your hands dirty with the capabilities and goals of the organization. It means coordinating with peers and government agencies. It must be a 'living' document to accommodate or anticipate technological growth. You will create a lot of VPs of Governance Section 2 (etc.).
We've profiled strong cybersecurity leaders as part of our assessment development process working with Conchie Associates. Here is one surprising finding: even among highly talented cybersecurity leaders, there are areas where they excel and areas where they struggle.
Here is our take on Governance for a cybersecurity leader:
Strategy, Policy, Oversight & Risk Management
The GOVERNANCE function is the cross-cutting outcome added in CSF 2.0 and is arguably the most demanding for a senior cybersecurity leader. It requires establishing and communicating cybersecurity risk strategy, expectations, and policy across the enterprise; setting organizational context; defining roles, responsibilities, and accountability structures; and overseeing the cybersecurity supply chain. The breadth of themes involved means GOVERNANCE tends to favor candidates with comprehensive, well-distributed profiles.
GOVERNANCE performance depends on a broad cluster of themes:
- Vision and Strategy (long-range direction-setting)
- Belief (principled values)
- Logic (evidence-based decision-making)
- Credibility (executive authority)
- Multi-relator and Sophistication (cross-functional and political navigation)
- Responsibility (accountability discipline)
Even among our sample of highly talented cybersecurity leaders, people with decades of multi-national experience and success, this is one of the hardest CSF areas relative to its talent composition.
Here is how our report describes our most talented assessee for this area:
"The combination of strategic vision, principled values, analytical rigor, executive credibility, political sophistication, and accountability discipline is the signature of a leader genuinely positioned to set and sustain the GOVERNANCE function across a complex enterprise."
Here is the second-most talented assessee:
"Governance frameworks depend on the leader holding the organization — and themselves — to account on policy commitments, audit findings, and remediation timelines. A gap in Responsibility warrants careful interview exploration before deployment."
What about the lowest-scoring assessee?
"[He] brings high Concept, high Logic, high Sophistication, and high Credibility, but his moderate Vision and Strategy means he is better suited to executing a governance framework than originating one, and his medium level of Growth Orientation limits the continuous improvement orientation."
Let's recap. Among these three highly successful assessees, each of whom has significant talent in some areas of the CSF, even slight gaps can be a problem with Governance.
What do we do about this?
We have a strong belief that part of an organization's success requires excellence in human capital identification, accession, and development. You cannot be a world-class cybersecurity program without world-class practices. Governance may only become essential once you reach a certain scale -- but then you need it to be in place and to be right (it's like an insurance policy that way).
In short you work toward leading a governance function. There will be mistakes at lower levels, and excellent leaders will make some of these mistakes. What separates them and prepares them to engage with governance stakeholders is their capacity for resilience, reflection, and humility coupled with a passion for cybersecurity mastery.
It's called talent and it's not on the resume.
Ask us how you can measure whether your cybersecurity leaders have the talent they need -- and what to do if they need more of it.
(image credit: Uploaded by J.delanoy., Public domain, via Wikimedia Commons)