Mapping Leadership Talent to Cybersecurity: Part 3, Protect



Cybersecurity fundamentally is about managing risks to information system assets through the protection of those assets. Sure, there are many parts and processes related to protection but it's the core ethos of cybersecurity.

Let's let Brendan discuss it:

As we covered in the first post in this series, the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid).

The Protect pillar is mitigating each of the risks for each of the assets. The procedure or method or technology that we use to do the mitigating is called “a control” and we say that the Protect pillar “assigns a control to each risk.” A control should produce evidence that it is working, otherwise monitoring that control is difficult and overseeing the monitoring is impossible.

It can be tricky to distinguish assets from controls. In cybersecurity, an asset is a resource that an organization needs to protect, like hardware, software, data, or networks. A security control, on the other hand, is a mechanism implemented to protect those assets from cyber threats. Think of assets as the things that need protection, and controls as the measures used to protect them.

There are many approaches to protection, each aiming to keep the assets available to authorized users for as much of the time as possible. Thus, there are different ways to think about this pillar. Because cyber-leaders are generally not working with cybersecurity processes on a daily basis, they may show greater variability in their skills and talent here than they do for the other CSF-related pillars.

We've profiled strong cybersecurity leaders as part of our assessment development process working with Conchie Associates. Here is one surprising finding: even among highly talented cybersecurity leaders, there are areas where they excel and areas where they struggle.

Here is our take on Protection for a cybersecurity leader:

PROTECT -- Safeguards, Controls & Process Discipline

The PROTECT function requires sustained operational discipline. PROTECT requires establishing and communicating cybersecurity risk strategy, expectations, and policy across the enterprise; setting organizational context; defining roles, responsibilities, and accountability structures; and overseeing the cybersecurity supply chain.

PROTECT performance depends on a small cluster of themes: 

  • Structure (systematic organization and process discipline)
  • Systems Thinking (holistic safeguard architecture design)
  • Catalyst (sustained organizational momentum to implement and adopt)

Of all the NIST CSF pillars, PROTECT may be the function easiest to see on a resume because it has many cyber-defender/engineer features. As our talent structure shows, a candidate with strength in this area will have a track record of architecting and implementing cybersecurity systems, though note that implementing someone else's system is not the same as architecting one. Cybersecurity leadership candidates should also be able to discuss challenges faced in initiating and maintaining cyber-defense processes at increasing levels of sophistication and span.

While it will be easier to see this function on the resume and the candidate will discuss it (probably in depth), remember that it's generally not what they do on a routine basis; they may have contracted it out, or they may have developed expertise in other cybersecurity areas. In fact, they should have developed other strengths and expertise. There are two implications of this. First, average talent is going to be found routinely, and you should think about mitigating lower levels of talent. Second, if this is the candidate's area of strength, you might probe whether they're comfortable handing it off to staff.

Even among our sample of highly talented cybersecurity leaders, people with decades of multi-national experience and success, this may be the hardest CSF area relative to its talent composition.

Our most otherwise-talented assessees had their lowest levels of talent in this area. The Catalyst theme is the dominant constraint across all assessees. Sustained PROTECT implementation depends on a leader who can generate organizational urgency for control rollouts, awareness programs, and policy adoption -- exactly the demand a low Catalyst theme will not naturally meet. Structure is the secondary universal constraint. The absence of strong Structure across all assessees means that whoever is appointed will need to rely on operationally rigorous deputies to sustain PROTECT process discipline.

Some assessees scored particularly low in this area. For them, PROTECT-heavy work would require the most extensive organizational scaffolding -- a rigorous Head of Security Operations or Deputy CISO carrying day-to-day process discipline is not optional.

What do we do about this?

We have a strong belief that part of an organization's success requires excellence in human capital identification, accession, and development. You cannot be a world-class cybersecurity program without world-class practices. A NIST CSF-following organization is strong because it maintains strength in all pillars. You may need to structure the cybersecurity leadership role so that candidates with significant strengths in other areas are not penalized by less talent in PROTECT. This structuring could include hiring a deputy, delegating PROTECT functions to managers or other staff, or outsourcing. We note that increasing outsourcing to AI protection vendors sounds like an easy solution, but Brendan points out the issues associated with that.

It's called talent and it's not on the resume.

Ask us how you can measure whether your cybersecurity leaders have the talent they need -- and what to do if they need more of it.

(image credit: Knight, Charles, Public domain, via Wikimedia Commons)