As the Capital One Breach Proves, Effective CISO Leadership Starts with Culture

As the fallout from the Capital One data breach continues, new lessons are being learned. Although technical failings were at the heart of the breach, a recent article in the The Wall Street Journal points to a series of overlooked issues that produced perfect storm conditions for the attack.

Notably, the Capital One hack did not come out of the blue. Before the breach, “…employees raised concerns within the company about what they saw as a high turnover in its cybersecurity unit and a failure to promptly install some software to help spot and defend against hacks.” The unit has also cycled through senior leaders and staffers, with about a third of its employees leaving in 2018 alone.

This kind of attrition is increasingly commonplace in security practices and has emerged as one of the biggest threats to corporate security. Studies show that, burnout and attrition in the security operations center (SOC) — often due to alert overload, long hours, and incomplete visibility into systems and threats — is contributing to a growing cybersecurity skills shortage. But, as the Capital One case proves, other factors are often at play.

Prior to the breach, Capital One “stood out among banks as a place where top technology talent wanted to work,” was generous with its cybersecurity funding, and had a game plan for anticipating hacks. Despite this, in recent years routine cybersecurity measures apparently began to fall by the wayside. Meanwhile the CISO, who came to Capital One from the public sector, clashed with employees, many of whom left for comparable jobs elsewhere.

With cybersecurity skills in high demand and companies ready to poach top-tier talent, poor leadership and a toxic culture can quickly lead to employee retention issues. Employees hold the upper hand; they can go wherever they like and name their price — and take their security expertise with them. That’s a risk that no company striving for top-tier cybersecurity can afford to take.

Great technology skills won’t solve cyber problems

The Capital One case shines a spotlight on a pervasive problem in security organizations — that people and cultural problems can compound cyber risk.

The role of a security leader carries enormous responsibility and requires expansive thinking that goes beyond the tactical nuts and bolts of IT. The most sought after CISOs aren’t just high technical performers (or, at least, they shouldn’t be). As security becomes more of a business and less of a technical function, leadership and management skills have become increasingly valuable attributes that aspiring CISOs need to develop as they look to advance their careers.

More than tacticians, CISOs must understand the company’s strategic roadmap and translate that into a risk management strategy that aligns with the wider goals of the company. He or she must also find, hire, and retain the right people to execute that strategy and create a culture where employees are trusted and empowered to be the “on-the-ground” technical and tactical experts.

To quote Steve Jobs: “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”

There’s no free pass to the C-suite

The possession of technological expertise should not give aspiring CISOs a free pass to the C-suite, neither should company executives turn a blind eye to the leadership failings of CISOs who already have a seat at the table. Such disqualifications would not be tolerated in any other C-suite role and can quickly lead to employee dissatisfaction, attrition, and even catastrophic cyber risk.

Likewise, C-suite executives must carefully consider whether or not their CISOs are an appropriate cultural fit for their industries and organizations. Ascertaining whether or not someone is going to work well as a team player is notoriously difficult, but there are some things to watch out for.

For example, just because someone did a fantastic job at managing cybersecurity in one industry doesn’t mean that they’ll be able to make a smooth transition to another. Corporations can have a much different atmosphere and reporting structure than, for instance, organizations in the public sector. Executives looking for a CISO need to look beyond their technical chops and do their best to gauge their intangible qualities. As the Capital One incident taught us, these qualities can often make or break a company’s ability to maintain a top-tier cybersecurity posture.

In short, if CISOs are to counter the daily threats their organizations face, their teams must be functioning at their best — and this requires strong leadership that works in tandem with their team, not against them. Without it the outcomes can be costly to a company, and to the career of the CISO.

Learn about the need for C-Suite transformation amidst increased security and cyber risk.