As the Capital One Breach Proves, Effective CISO Leadership Starts with Culture
Brian Thomas | August 30, 2019
As the fallout from the Capital One data breach continues, new lessons are being learned. Although technical failings were at the heart of the breach, a recent article in The Wall Street Journal points to a series of overlooked issues that produced perfect-storm conditions for the attack.
Notably, the Capital One hack did not come out of the blue. Before the breach, “…employees raised concerns within the company about what they saw as a high turnover in its cybersecurity unit and a failure to promptly install some software to help spot and defend against hacks.” The unit has also cycled through senior leaders and staffers, with about a third of its employees leaving in 2018 alone.
Prior to the breach, Capital One “stood out among banks as a place where top technology talent wanted to work,” was generous with its cybersecurity funding, and had a game plan for anticipating hacks. Despite this, in recent years routine cybersecurity measures apparently began to fall by the wayside. Meanwhile the CISO, who came to Capital One from the public sector, clashed with employees, many of whom left for comparable jobs elsewhere.
With cybersecurity skills in high demand and companies ready to poach top-tier talent, poor leadership and a toxic culture can quickly lead to employee retention issues. Employees hold the upper hand; they can go wherever they like and name their price — and take their security expertise with them. That’s a risk that no company striving for top-tier cybersecurity can afford to take.
Great technology skills won’t solve cyber problems
The role of a security leader carries enormous responsibility and requires expansive thinking that goes beyond the tactical nuts and bolts of IT. The most sought-after CISOs aren’t just high technical performers (or, at least, they shouldn’t be). As security becomes more of a business function and less of a purely technical one, leadership and management skills have become increasingly valuable attributes that aspiring CISOs need to develop as they look to advance their careers.
More than tacticians, CISOs must understand the company’s strategic roadmap and translate that into a risk management strategy that aligns with the wider goals of the company. He or she must also find, hire, and retain the right people to execute that strategy and create a culture where employees are trusted and empowered to be the “on-the-ground” technical and tactical experts.
To quote Steve Jobs: “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”
There’s no free pass to the C-suite
Technological expertise alone should not give aspiring CISOs a free pass to the C-suite, nor should company executives turn a blind eye to the leadership failings of CISOs who already have a seat at the table. Such failings would not be tolerated in any other C-suite role, and they can quickly lead to employee dissatisfaction, attrition, and even catastrophic cyber risk.
Likewise, C-suite executives must carefully consider whether or not their CISOs are an appropriate cultural fit for their industries and organizations. Ascertaining whether or not someone is going to work well as a team player is notoriously difficult, but there are some things to watch out for.
For example, just because someone did a fantastic job of managing cybersecurity in one industry doesn’t mean that they’ll be able to make a smooth transition to another. Corporations can have a much different atmosphere and reporting structure than, for instance, organizations in the public sector. Executives looking for a CISO need to look beyond a candidate’s technical chops and do their best to gauge their intangible qualities. As the Capital One incident taught us, these qualities can often make or break a company’s ability to maintain a top-tier cybersecurity posture.
In short, if CISOs are to counter the daily threats their organizations face, their teams must be functioning at their best — and this requires strong leadership that works in tandem with their team, not against them. Without it the outcomes can be costly to a company, and to the career of the CISO.