Leadership in cyber security
Cyber security has been among the top risks globally for businesses and organisations of all sizes and scales for a decade now, and in my view it will likely continue to be so in the coming years.
The industry has evolved and grown, which has created many new career opportunities and produced bright professionals who are defending people, businesses and societies against malicious actors. Although there is a lack of skilled cyber security professionals, we have had some success in creating cyber security engineers and supporting staff. As an industry, however, cyber has not been phenomenally successful in creating cyber security leaders. A good cyber security engineer or architect does not necessarily make a cyber security leader. I am going to share my life experiences of being a progressive cyber security leader. What I am going to share with you all today is not AI generated, but my real-life experience and learnings from people in the field.
As you may be aware, leadership is perhaps the most researched subject in academia and elsewhere, and there is already a plethora of information, training, programmes and all sorts of material and Gyan available all over the internet on this subject. Each of the above sources has its own value add, some more than others, but as the famous Chinese proverb says, “A single conversation with a wise man is better than ten years of study.” Not to brag, but you get the point: experience is the best way to learn. In this article I am going to share some of my experiences, with the caveat that there is no magic wand that will turn someone into a great cyber security leader. I would like to share with you what has or has not helped me in my journey so far.
The internet is full of tips on topics like:
1. Interpersonal skills
2. Oral communication skills
3. Continuous learning
5. Leading people
6. Accountability
etc., and these are all important.
I am certainly not undermining these. In addition, for a cyber security leader or executive it is crucial to understand that:
It is not a technical role but a managerial role. You need to be able to talk the language of risk, employee engagement, employee productivity and business enablement instead of IoCs, IoAs, firewalls, alerts, false positives, and all the other technical slang.
For example, if you are proposing a program or project that you believe is needed to secure the business, you must be able to corroborate in your presentation how this program is going to positively contribute to:
- reduce operational risk.
- increase employee engagement.
- increase productivity.
- potentially increase product and reduce cost.
If you do not have this story, stop! Build this story before you speak with the business leaders.
I had to get approval for spending a significant amount on new EDR and SASE solutions for our company. I made sure that I articulated the risk and employee productivity side of the story; there is no way I would have got approval if I had said we need another antivirus or firewall solution as this is the best and Gartner rates it in the top quadrant.
Commitment to the organisation’s mission.
Cyber security leaders need to imbibe the company’s mission and goals. As a cyber security leader, it is your responsibility to make cyber security an enabler for your business and sell that story to the executives, and not merely appear as the big expense centre. You need to understand how the company makes a profit and find ways to support the business, directly or indirectly, in doing so.
For example, I am currently the head of cyber security at skillcast.com, a SaaS business that helps companies with their compliance initiatives. We create and sell e-learning courses, compliance registers and much more. As you may be aware, during the sales process all customers will send a lengthy questionnaire, also called a DDQ, which is part of their vendor management program. To enable the business to establish trust with potential customers, I envisioned and created the Skillcast trust centre (https://trust.skillcast.com) to help gain and maintain the trust of potential and existing clients. This initiative helped in the onboarding and renewal processes for Skillcast and our clients.
In addition, I implemented a DDQ management solution for faster management of DDQs and RFPs, enabling faster turnaround for the sales team along with consistent, high-quality answers that reduce legal risk.
Strategic thinking and vision.
A cyber security leader must be able to create a vision and strategy for cyber security in alignment with the organisation’s vision and goal. Own the strategy, lead the change, and take the organisation to the next level.
In realising the strategic goals and objectives, one needs to be able to organise people and resources to meet the end goals.
The internet is full of information and Gyan on people management; it is a crucial aspect of being a leader. If you have not yet read it, I would recommend reading one of my favourite books, “How to Influence People and Win Friends” by Dale Carnegie.
And finally, a cyber security leader must be decisive.
If one could take a decision only with 100% of the information available, that person could be replaced by an algorithm. If one could take a decision when 50% of the information is available, one could toss a coin, but it is a little risky. The challenge is taking decisions in ambiguity, but not taking a decision is not an option if you want to be successful. You may not know all the answers, but you cannot be uncertain.
This is certainly not the definitive list; I may add a few more as I learn and grow!
Regional Technical Head & ITC Solution Architect | UCaaS | CCaaS | Pre- Sales | Microsoft Teams Enterprise Voice | SIP | VOIP
2 months ago: "Excellent article! Your perspective on leadership in cybersecurity is highly relevant and timely. I particularly admire how you emphasize the need for proactive leadership to address the evolving landscape of cyber threats. It’s evident that visionary leadership is crucial for building effective and long-lasting cybersecurity strategies. Great work!"
Chief Technology Officer at Falcon Eye Cyber Security DMCC
3 months ago: Well said. Brilliantly articulated