Mapping Leadership Talent To Cybersecurity: Part 6, Recover


And eventually -- it stops. They move on. You are victorious, but frazzled. Now is the time to take stock, rebuild relationships, and prepare for the next engagement.

Time for the final NIST CSF pillar, Recover. Let's let Brendan discuss it:

Recover is the step you take to undo the damage or restore the service. Recover is a bit more deliberate and thoughtful than Respond. You have time pressure, almost always, but there is rather less of it. The cybersecurity crisis is over, but if you need to keep your systems down for the recovery, then the operations crisis has just begun: how long can the downtime continue, in the name of preventing future problems and gathering evidence? The answer depends on your situation. Your ability to arrive at that answer often depends on how well thought-out your IRP is.

Recover should always end with a review that considers how to be better in the future. This is a crucial step to making you safer than you were before. It is very common to just want to put all this behind you and get back to normal, but the review is worth doing.

This lower level of urgency does not make Recover any less important as a part of your cybersecurity program; rather it is a nice illustration of the difference between the CISO's narrow authority but wide influence: the final review requires input from many people who do not work for the CISO, but whose input is required for the CISO to do their job. Getting attention from other departments after a crisis requires a culture of commitment, not just compliance.

"A culture of commitment." Well said. Recover is not the cessation of the attack; it is the start of a healing process. It is also a change management process; more about that soon. The organization needs to rally, take inventory, and rebuild trust. Who is going to lead that?

We've profiled strong cybersecurity leaders as part of our assessment development process working with Conchie Associates. Here is one surprising finding: even among highly talented cybersecurity leaders, there are areas where they excel and areas where they struggle.

Here is our take on Recover as a talent area for a cybersecurity leader:

RECOVER — Restoration, Lessons Learned & Continuous Improvement

The RECOVER function does not exist in isolation. CSF 2.0 moved the Improvement category (ID.IM) into IDENTIFY, so the lessons-learned work that follows an incident feeds back into GOVERN and IDENTIFY rather than living inside RECOVER. Thus, RECOVER carries thematic elements of those functions.

RECOVER is found in a broad set of themes:

  • Flexibility (adaptive restoration)
  • Multi-relator (cross-functional coordination)
  • Responsibility (accountability for restoration and lessons-learned implementation)
  • Catalyst (sustained improvement momentum)
  • Growth Orientation (commitment to converting incidents into systemic learning)

This array of themes has several currents running through it. First, as with any process after activation, there is a return to a baseline. Ideally that baseline is a higher level of awareness or operational cadence than before, but it is a baseline nonetheless.

Second, the fact that a successful attack occurred means that newer measures or approaches are needed. You can't re-fight the last war. The other team is upping its game.

Third, you as a leader are accountable. Even if your process worked thanks to your vision and foresight, there will be questions about why the attack happened. This is where your diplomatic skills shine (if you have them) as you lead the executive team and the cybersecurity function through change. You can't go back, other actions are already in motion, maybe there's bad press or an SEC 8-K incident disclosure is due: change is all around. How are you creating assurances you can back with actions?

Among our sample of highly talented cybersecurity leaders, people with decades of multi-national experience and success, this function was among the hardest CSF pillars from a talent perspective, but our assessments revealed a variety of ways to address it.

Here is how our report describes our most talented assessee for this area -- note the area for mitigation:

"[The assessee] combines exceptional Flexibility, high Multi-relator, high Responsibility, and high Growth Orientation -- four of the five RECOVER-relevant themes. Catalyst remains the only meaningful constraint."

Here is another talented assessee:

"[The assessee] brings the highest Responsibility, which is genuinely differentiating for RECOVER -- lessons-learned commitments depend on a leader who tracks them through to completion rather than allowing them to slip after incident closure. Exceptional Logic supports structured post-incident analysis. Exceptional Belief supports principled accountability conversations about root cause. However, [the assessee's] Growth Orientation and Catalyst are the limiting factors: these are precisely the themes that drive the continuous-improvement loop. He will rigorously track lessons-learned commitments but may not naturally convert closed incidents into forward-looking capability development."

What about the lowest-scoring assessee?

"[The assessee] is limited on RECOVER with a critical weakness: Growth Orientation and Catalyst at or below expectations. He will close incidents but not naturally sustain the lessons-learned loop."

Let's recap. Among these three highly successful assessees, all with significant talent in some areas of the CSF, each approaches the RECOVER function from a different perspective, and each has a talent-based limitation that needs to be addressed in their development and in the composition of their teams.

What do we do about this?

We have a strong belief that an organization's success depends in part on excellence in identifying, acquiring, and developing human capital. You cannot run a world-class cybersecurity program without world-class practices in this area. Recovering well is critical. It shows wisdom, humility, change management capacity, and -- dare we say -- leadership.

There will be mistakes at lower levels, and excellent leaders will make some of these mistakes. What separates them and prepares them to engage with business partners is their capacity for resilience, reflection, and humility coupled with a passion for cybersecurity mastery and the business functions they support.

It's called talent and it's not on the resume.

Ask us how you can measure whether your cybersecurity leaders have the talent they need -- and what to do if they need more of it.

(image credit: John H. Bacon, Public domain, via Wikimedia Commons)
