THANK YOU FOR SUBSCRIBING
COVID-19’s impact on ways of working has been well-documented. Organisations have been forced to adapt to a new digital norm, requiring cyber leaders and their teams to make decisions at a relentless pace to ensure technological solutions are deployed and accessed securely. The increased COVID-related workload – adapting pre-existing policies, protecting critical business assets, and frequent regulatory reporting – comes in addition to thwarting the attacks of threat actors whose attacks might be even more effective on a distracted and burnt-out workforce.
Cyber leaders cited stress and pressure as concerns even before the pandemic. A survey by Nominet published in early March 2020 found that 88% of CISOs considered themselves to be under moderate or high stress, with 48% saying that those stress levels had impacted their mental health. Moreover, only 20% of employees felt that their organisations met their needs in the first few months of the pandemic.
With high-profile cyber incidents increasingly in the headlines and senior leadership eager for material risk reduction in line with significant investment, the challenge for CISOs is to not pass this stress on to their teams.
Cyber security leaders must therefore practice “conscious cyber leadership” and take on a more strategic leadership role within their organisation during this global crisis. Being conscious in this context means understanding the needs of employees in difficult times whilst directing teams to focus on the foundational requirements of cyber risk reduction. Conscious cyber leadership requires a strategic outlook that empowers colleagues to make risk-based decisions, communicating clear goals and outcomes, and positioning cyber security as a business enabler. So how can cyber leaders adapt their methods to create a sustainable, motivating environment in which to continue the pursuit of risk reduction? Leaders can use the following three key principles to inform their approach:
Adopting a human approach whilst building cyber resilience
People are at every step of the cyber security journey. This must stay at the front of our minds. While human resilience and innovation drive the transformation, we must recognise the need to bring teams through this change. As no organisation can expect to drive risk down to zero, risk reduction needs to be pursued sustainably and at an acceptable pace for the organisation.
The key is to build a resilient and fulfilled workforce to support cyber as a crucial business enabler. Building teams with a high Adversity Quotient (AQ)–a strong capacity to adapt to changing conditions and recover rapidly from disruptions–can support employee retention and embed a cyber resilience focus.
Being ‘creatively’ proactive while keeping our eyes on ‘Crown Jewels’
Motivating employees to achieve risk reduction requires a focus on business and client outcomes. Employees need to buy into these objectives, focusing not only on what will be achieved but why and how organisations will achieve it.
Cyber security leaders need to think and act strategically to prioritise resources and investments on the ‘Crown Jewels’ – the highest risk areas where most remediation can be achieved - and build in security from the outset wherever we can. Rather than putting pressure on teams to “fix everything”, identify and protect the information assets of greatest value that would cause major business impact if compromised.
Speaking the language of stakeholders to support cyber decision-making
Risk must be communicated to senior stakeholders in a way they can understand and appreciate. If a company is subject to a Distributed Denial of Service (DDoS) attack, for example, communication should focus on tangible impact: how long will websites be down and what is the potential financial impact of that downtime? Value-at-risk (VaR) models such as Factor Analysis of Information Risk (FAIR) quantify cyber risk and articulate it in financial terms, and can help senior business stakeholders move away from unhelpful, imprecise, and scare-mongering language which can lead to decisions based on fear or uncertainty. A Cyber VaR can be an accessible bridge between cyber security and business outcomes, supporting positive cyber security decisions. Focusing on business impact and adapting communication to different audiences is critical for cyber leaders.
Just as cyber criminals continually adapt their methods, it is important that cyber leaders reflect, innovate, and grow too. Protecting clients whilst also understanding the needs of colleagues makes the risk reduction challenge a sustainable one. In the new digital norm, “Conscious” leadership is therefore not just an aspiration but a responsibility for cyber leaders.