As an introduction to the topic of cybersecurity leadership in transition, indulge in a quick story:
A CEO tells of the time he discovered that the employees in the shipping department were putting a blank sheet of paper in every box, just before it was sealed up and sent off to customers. Their only explanation was, “We don’t really know why; it’s just something that we’ve always done.”
Upon investigation, it turned out that someone had decided several years before to put a standard letter from the company in every outbound box to thank customers for their business and provide contact information. The problem was that when the supply of letters ran low, the employees in the shipping department would simply replenish it by making photocopies. In those days, however, each successive generation of photocopy was lighter and a little less legible. Eventually, employees were putting a blank sheet of paper in every box.
Activity Versus Value in Cybersecurity Leadership
The moral of the story is that in any type of business function, including cybersecurity, it’s not only about what we do, but it’s also about providing value. Or, as a different CEO was fond of saying to his senior management team, “Let us not confuse activity with results.”
We can see this confusion clearly in the ongoing transition of cybersecurity leaders, who must exhibit proficiency in both of two distinct roles: subject matter expert and trusted advisor.
The current generation of cybersecurity leaders came up through the technical ranks, and many of them struggle with the skills needed to bridge the gap between technical knowledge and the business-savvy skills necessary for a trusted advisor.
Subject matter expertise is still the foundation, but the trusted advisor role is coming on strong. These two roles of next-generation cybersecurity leadership have a critical dependence on strong communication skills, both written and verbal. Complex technical information needs to be translated into a form that business decision-makers can understand, evaluate and take action on, and decisions about cybersecurity risk are ultimately business decisions.
A View From the Classroom
From the perspective of an adjunct faculty member in master’s degree programs at two well-known universities in Boston, these changing requirements for cybersecurity leadership are definitely seeping into the curriculum. Just a few years ago, courses were typically described as predominantly technical, in a practical way. They aimed to give aspiring cybersecurity leaders enough exposure to the technical details to understand and evaluate what hands-on technical experts were telling them.
Over time, a growing number of courses began to include the trusted advisor aspect of cybersecurity leadership, with a heavy emphasis on addressing three persistent challenges related to identifying, assessing and communicating effectively about security-related risks.
These courses are popular in terms of enrollment, but perhaps the most interesting trend is in the profile of the students who sign up. It’s no longer dominated by males with strictly technical backgrounds; today’s classes are much more diverse, and students are bringing perspectives and experiences from a much broader range of industries and functional disciplines.
Making the Grade
In many ways, the diversity of student backgrounds requires a significant change in traditional teaching practices. As a specific example, the deep-seated confusion between activity and value has to be torn down and rebuilt. One way to do this is to ask students to introduce themselves to the rest of the class using just two slides to describe what they do and what value they provide.
Not surprisingly, every student does a pretty good job at describing what they do. But shockingly, over multiple courses at both universities, not one student accurately described his or her value. Instead, students talked about:
- Their activities, in even more detail;
- Things they’re especially good at (e.g., “I’m a good problem-solver”); and
- The way they think they’re perceived (e.g., “I’m the go-to guy for such-and-such”).
More shockingly, even after explaining the difference between what we do and what value we provide, aspiring cybersecurity leaders have a skewed view of these fundamental points. When asked to rate how easy it is to talk about activity and value on a scale of 1 (extremely difficult) to 5 (extremely easy), about 2 out of 5 students — 41 percent — reported that both were easy. Keep in mind, however, that not one of them actually got it right.
The other 3 in 5 felt that describing activity was easy, but describing value was hard. In general, there’s not only a pervasive misunderstanding about cybersecurity risk that needs to be turned around, but also a prevailing overconfidence that needs to be calibrated.
Virtually all students struggle to bridge the gap between the technical details of cybersecurity activities and the value of helping make better-informed business decisions about cybersecurity risks. The good news, however, is that they all get better with repetition and practice.
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group