[BreachExchange] The economics and impact of bad CISO leadership

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 27 19:21:40 EDT 2017


http://www.csoonline.com/article/3203968/leadership-management/the-economics-and-impact-of-bad-ciso-leadership.html

The global threat landscape for technology is changing and the demand for
cybersecurity skills is soaring, but having great skills is not enough to
solve future cybersecurity problems when it comes to leadership. If Chief
Information Security Officers (CISOs) are to counter daily cyber threats,
having a team with the most amazing cybersecurity skills and resources does
not matter without strong leadership. A poor leader cannot synthesize
security operations, tool sets, and resources when a team is not
functioning at its best to counter cyber threats to an organization.

Strong leadership is crucial to counteract daily attacks from hackers, and
if your leadership skills are weak, other CISOs are going to easily
recruit your staff away to improve their cybersecurity programs. The best
leaders in cybersecurity don't have employee retention issues, because it
is a competitive market and employees don't have the career patience for
lousy leadership. Often employees are willing to take a pay and title cut
to escape poor leadership that can be emotionally disruptive outside of the
workplace. Unfortunately, there are many cases when an employee has to drag
themselves out of the car in the company parking lot to earn a paycheck,
because they dread the leadership they have to face in the office on a
daily basis. Poor leaders are always going to disappoint and let down
employees every day, oftentimes because they are broken within themselves
and didn't make a long-term effort at self-improvement. Anyone can be a
great leader, but you must make a significant time and resource commitment
to become one. Every strong leader knows that to become a great
leader, the work and training does not stop; it is a continuous "work in
progress" for the remainder of your active career.

How much does bad leadership cost companies? There are many studies on the
Internet, ranging from MIT Sloan Business School to the Center for American
Progress. If we look at Security Engineer, Security Analyst or Security
Architect positions, the salary band can be $80K to $110K based on
experience and responsibilities. The average cost of departure was 21% of
base salary. This equates to a $16,800 to $23,100 company loss when a
cybersecurity employee leaves a company, on top of a cybersecurity shortage.
The numbers get worse for Directors and Vice Presidents. The numbers go
over $50,000 very quickly, because an executive contract may be in place
along with a plethora of other compensation mechanisms. It pays to
be an excellent leader, because you are saving your company money, which is
why strong leadership is paramount.

Ask yourself this question, have you ever enjoyed working for a bad boss or
a jerk?  If you recall your best career memories, you will always remember
when you had an amazing job—probably because you worked for a great leader
that groomed your career path, developed you, invested in you, and treated
you with respect. If you think about your worst career memories, it’s the
bad boss and the horrible things that were said or things you endured, and
leaving your job was the best career choice you have made. Not a legacy or
reputation for any CISO to relish.

Here are some tough questions to ask yourself to determine if you fit these
telltale poor leadership signs:

- Complaining about the cybersecurity shortage and concerns that existing
  staff are going to get "poached" by other companies offering higher salaries
- Bragging about how many people work "under" you from a hierarchical
  perspective
- Super busy, not enough time to actually meet every person working within
  the cybersecurity team, because the job demands are too high and you don't
  have time for small talk
- Eating lunch alone
- The demand for your cybersecurity leadership is higher at external
  executive events than within your own organization
- Losing team members to higher salaries elsewhere or to moves out of your
  department
- Not being a member of the executive steering committee
- You want to join a CISO Advisory Board, but nobody is approaching you,
  while your peers are getting the CISO Advisory opportunities
- Prospective employees are not accepting job offers after meeting with your
  team or even you
- People don't approach you, because you are not an approachable leader
- You are afraid to send employees to expensive conferences, because they
  might leave the company shortly after attending

A confident and successful CISO leader has nominal labor problems, because
cybersecurity employees want to work for great leaders that can provide
them with a rewarding career. A CISO might lose a person every once in a
great while for a variety of reasons, but it's not because of poor
leadership. Here are some tips to make sure you are on the path to good
leadership:

- Give your employees, contractors, and vendors a sense of purpose and take
  the time to explain why things are being done a certain way. It shows you
  value them, and they are engaged.
- Collaborate with your peers, employees, contractors, vendors, and C-Suite
  to ask for ideas, even when you might already know the answers. A good
  leader always knows when to ask for help and "idea" validation through
  collaboration with others to build trust and credibility. Executives love
  to give opinions, and when they feel they are heard, they feel valued, and
  you become a part of the core leadership team because they view you as a
  trusted peer.
- Invest the time to get to know your employees. It does not matter if you
  have 6 or 200 employees across the globe, make the effort, even if it is
  for 5 minutes. Make the time and effort! No excuses on this one!
- Have lunch with one of your team members or a peer in a different
  department. You would be amazed at what you will learn, and how you will
  have more ears and eyes to support your agenda and also find out who is
  working against your department. Situational awareness is paramount to
  knowing what the hell is going on within and outside your department.
- Groom your employees by having them in some form of training or attending
  a conference.
- Reward employees, from a simple "thank you" to a gift card, by
  acknowledging them and the good work they are providing.
- Trust your employees to make decisions. Even if it's the wrong decision,
  it's a learning and mentoring opportunity that builds loyalty to your
  leadership. Remember, you are a mentor and someone mentored you; pay it
  forward.
- Dress for the CISO role to influence. This is making sure your appearance
  is consistent with your personal and professional brand of leadership.
- Know how to listen to your team and talk less.
- Set the tone at the top, and be the good example for employees to emulate.
  Have you noticed when employees start using the same words that you use?
- Have a succession plan by developing your CISO replacement. There is no
  better legacy than to hand-pick your successor and have your legacy lead on
  years after you left the company.

If you think of your leadership abilities and skills on a scale of 1 to 10,
how would you rate yourself, and how would your team members rate you? What
leadership level are you currently functioning at, what is your target, and
what are you doing to raise that number? Being a highly effective leader is
all about bringing out the best in your team members to achieve company
goals. It takes leadership failures and successes to develop leadership
experience. Early in our careers, we start as managers that need to evolve
into leaders, and it takes years of practice, reading, coaching, and making
good and bad decisions. With time, being a leader becomes natural and it
looks easy to others, but deep down inside you know how hard you worked to
be an excellent leader, and you have the battle scars to prove it.

CISO leadership is more important than ever, because the odds are stacked
against companies for a data breach. The 2017 Cost of Data Breach Study
just released by IBM/Ponemon Institute states the following:

“Two factors were used to determine the probability of a future data
breach: the current data breach size and the organizations’ location. Based
on this year’s research, we estimate an average probability of 27.7 percent
that organizations in this study will have a material data breach in the
next 24 months.”

This is a harsh reality check, and poor leadership may actually shorten
this time period, which is why strong leadership can lead to better cyber
hygiene and a rock-solid cybersecurity program that could counter these
odds. Leadership matters, and your organization is counting on you to have
a cybersecurity program that continues to improve, mature, increase in
efficiency, automate more tasks, hold your third-party vendors to higher
accountability, and stay attuned to where critical data lives within the
organization.

In conclusion, live a life of substance, leave a legacy of your leadership
for every life you have touched, make that lasting impression of what your
leadership legacy will be. Remember, employees don’t leave companies, they
leave bad leaders.