Mapping Leadership Talent To Cybersecurity: Part 2, Identify

This is Part 2 of our series on mapping the Pythia Cyber Cybersecurity Leadership Talent Stack to the NIST CSF 2.0 pillars*. Part 1, on mapping cybersecurity leadership talent to Governance, is here.

Maybe the most obvious part of cybersecurity is identifying what needs protecting. This is also where the NIST CSF starts.

Let's let Brendan discuss it:

The Identify pillar identifies cyber assets (just “asset” henceforth) which are on the "Must Protect Now" list. We recommend that, as you go along, you keep a "Must Protect ASAP" list and a "Should Protect Someday" list. Why isn’t there a single Asset List? Because no one has all the time and money and experts that they could possibly need to protect anything and everything of value to their organization.

What is an asset in this context? An asset has to meet all of these requirements:

  • An asset is “critical”, by which we mean its absence would severely limit operations
  • An asset is “cyber”, by which we mean that it is a computer system or computer data
  • An asset is “feasible”, by which we mean you have the resources to protect it

(It can be tricky to distinguish “assets” from “controls”: see the “Protect” post.)

Identification may seem obvious but expanding and shifting vendor supply chains and technology instances create a larger and more interconnected threat surface. Leading a function where the threat surface grows requires staying attuned to shifts at multiple points within the organization. The leader who is effective at identifying possible threats and threat surfaces can develop models of these interacting processes that gain executive support and funding.

We've profiled strong cybersecurity leaders as part of our assessment development process working with Conchie Associates. Here is one surprising finding: even among highly talented cybersecurity leaders, there are areas where they excel and areas where they struggle.

Here is our take on Identify as a talent area for a cybersecurity leader:

IDENTIFY - Asset, Risk & Vulnerability Understanding

The IDENTIFY function requires the leader to develop and sustain an organizational understanding of cybersecurity risks to systems, people, assets, data, and capabilities. The strongest IDENTIFY leaders combine analytical rigor with the ability to see how risks interconnect across the enterprise.

IDENTIFY as a process depends on a small cluster of themes: 

  • Concept (holistic, enterprise-wide thinking)
  • Logic (evidence-based decision-making)
  • Systems Thinking (interconnection tracing)
  • Vision (forward-looking threat anticipation)
  • Growth Orientation (anticipating future capability needs)

In our view, identifying cybersecurity threats requires a puzzle-solving mindset. It's not paranoia -- basically all cybersecurity has an element of paranoia to it -- as much as it's a combination of business thinking and technical acumen.

Among our sample of highly talented cybersecurity leaders, people with decades of multi-national experience and success, this function was not the hardest CSF pillar from a talent perspective, but our assessments revealed a variety of ways to address it.

Here is how our report describes our most talented assessee for this area -- note the area for mitigation:

"[The assessee] combines high Concept, high Logic, high Growth Orientation, and high Vision, meaning she can see how risks interconnect across the enterprise, analyze them rigorously, anticipate emerging threats, and sustain the forward-looking continuous-improvement mindset CSF 2.0 places at the center of risk management. [The assessee's] Systems Thinking is the only talent area with a lower score for the IDENTIFY CSF theme, sitting in the moderate range -- which means the assessee engages with system-level interdependencies situationally rather than reflexively, but this is not a structural concern given the surrounding strengths."

Here is another talented assessee:

"[The assessee's] combination of exceptional Concept and exceptional Logic is the most powerful analytical-holistic pairing in the assessed cohort and is decisive for understanding how enterprise risks interconnect -- but the assessee's lower talent for Systems Thinking means his holistic intuition operates without the structured reasoning to trace interdependency mechanics precisely, while lower scores for Growth Orientation limit forward-looking anticipation."

What about the lowest-scoring assessee?

"Moderate Concept and Systems Thinking limit the enterprise-wide and interconnection-tracing dimensions of risk identification. [The assessee] will produce strong analytical depth within defined risk domains but is less likely to spontaneously notice cross-domain interdependencies. A Growth Orientation gap limits forward-looking anticipation of emerging risks."

Let's recap. Among these three highly successful assessees, all with significant talent in some areas of the CSF, each approaches the Identify function from a different perspective, and each has a talent-based limitation that needs to be addressed in their development and their teams.

What do we do about this?

We have a strong belief that part of an organization's success requires excellence in human capital identification, accession, and development. You cannot run a world-class cybersecurity program without world-class human capital practices. Identification is a bridge function between the organization's business and the cybersecurity process; do it right, and the likelihood of problems diminishes.

There will be mistakes at lower levels, and excellent leaders will make some of these mistakes. What separates them and prepares them to engage with business partners is their capacity for resilience, reflection, and humility coupled with a passion for cybersecurity mastery and the business functions they support.

It's called talent and it's not on the resume.

Ask us how you can measure whether your cybersecurity leaders have the talent they need -- and what to do if they need more of it.

*We have no partner agreement with NIST; this linkage series is based on concept-mapping.

(image credit: Mvolz, CC0, via Wikimedia Commons)
