Council Post: Developing A Cyber-Focused Company Culture Through Leadership (2024)

Dewayne Hart is SEMAIS President and CEO.

Organizations invest significant time in maturing cybersecurity through working models, innovation and investments. Each provides avenues to reduce threats and respond to critical incidents. But when failures, deficiencies and security gaps are created, leadership must provide answers.

The cybersecurity domain often challenges leadership to improve risk management. This is notable, but cybersecurity leadership extends into other categories as well, most visibly leadership style and team management.

In this article, I'll explain the role of cybersecurity leadership in driving internal teams to become "cyber-focused."

Practice The RAA Theory

Cyber incidents can expose and provide sound evidence of an organization's weaknesses. Through root cause analysis, it's often discovered that best practices have been overlooked or are unknown. Later, critical areas concerning due diligence and due care are examined. This intersection is where responsibility, accountability and authority (RAA) operate.


RAA is a principle that defines the basics of leadership. It serves as a foundation for security management and positions enterprises to defend vital assets, resources and information.

The CIA triad, which stands for confidentiality, integrity and availability, is a fundamental security practice. Every security steward has used it to protect enterprises, prevent attacks and control information access. The triad emphasizes that when any component fails, security suffers. This concept aligns with RAA because leadership must drive the CIA triad.

Cybersecurity leadership is measured through its employee buy-in success and whether it fulfills the organization's security mission. By invoking RAA principles, cyber leaders can create a self-motivated company culture that prioritizes cybersecurity.

To integrate RAA and CIA, leaders must create a company culture in which cybersecurity is everyone's responsibility. This stems from how cybersecurity responsibilities are interconnected versus operating through silos. Most teams have individual role assignments such as penetration testers, risk management, security architects or application development. Each contributes to cyber defense in that they're responsible for mitigating risk. For example, when penetration testers identify issues, risk management professionals must remediate the risks. Failure to do so could lead to significant concerns regarding application integrity and system availability.

Next, it's imperative to assume authority. The leader must have control, make decisions and provide direction. Each decision determines whether security activities are appropriately handled and whether cyber defenders operate collectively. Conversely, security becomes unstable when authority fails, which can disrupt operations. The outcome reduces the CIA triad's strength and the environment's cyber defense capability.

Accountability emphasizes that leaders practice cybersecurity ownership. While writing my book, The Cybersecurity Mindset, leadership accountability became a significant discussion topic. When ownership is active, leaders accept the risk outcome and engineer changes. The changes implemented strengthen the CIA triad and refocus internal teams. As the CIA triad matures, the culture improves its security readiness programs and becomes “cyber-focused.”

Invest In Situational Awareness

Every security environment has challenges and uncertainties, including cyberattacks, risk failures and human error. However, each can be significantly reduced when leadership knows the operational environment and uses situational awareness to build a “cyber-focused” company culture. When achieved, their teams can counter risks, attacks and adverse events.

Predicting when, where and how cyber incidents occur requires advanced knowledge. When that knowledge is applied appropriately, leadership can promote situational awareness for themselves and their teams.

Situational awareness is an approach that integrates environmental knowledge into decisions. Information about IP address schemes, known threats, system availability or tool capability is defined as environmental knowledge. Cybersecurity utilizes this information to respond to and counter adverse events. Based on the event type and historical knowledge, leadership can make accurate and timely decisions, and cyber defenders can quickly identify security gaps and violations.

The most effective strategy for using situational awareness is through capabilities, weaknesses and strengths (CWS). This methodology can provide leadership with the tools, skill sets and conducive conditions to guide their internal teams.

• Capability refers to the cybersecurity actions an organization can take based on its skill sets, talent, resources and assets.

• Weaknesses are defined as vulnerable areas within the enterprise. Understanding weaknesses helps determine where risk treatment should occur.

• Strength describes the organization's level of protection. As the organization's protection level increases, its weaknesses decrease.

When invoking CWS, leadership can determine where to place security services or make changes. When CWS is communicated to their teams, those teams can navigate cybersecurity and determine which tool or service can block malware, identify intrusions or capture log data. And they can quickly react when situations recur.

Providing Cyber-Focused Leadership

Many technology professionals struggle with providing leadership. It's challenging because technology is partially business and partially technical. Invoking principles such as RAA and CWS can help leaders understand their roles and develop strategies for advancing cybersecurity. This is a significant element in developing a cyber-focused company culture.

Several solutions are available that could help leadership integrate RAA and situational awareness. When speaking at events, I often discuss how executive leadership can develop themselves through self-assessments. Many have used control self-assessments (CSA) to determine where weaknesses occur and improvements are required. The same can also be achieved with cybersecurity cultures.

The CSA results can help leaders understand where gaps are arising. The first assessment should determine whether cyber defenders understand the RAA theory and whether leadership effectively communicates best practices. Next, does the team utilize best practices, and for what specific situations? The last area should focus on whether employees understand the company's cybersecurity capabilities and where, when and how they should be used. If the CSA is used appropriately, leadership can determine the strength of their CIA triad and leadership style.

Executive leadership should strive to develop the “hackers' mindset” in technology teams, and integrate it into board meetings and decision-making. This is the security route that leads to a cyber-focused company culture. Let’s start leading from the front line!

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
