Competing in the global marketplace in 2017 doesn’t come easy. Today’s organizations must deal with global competition and innovation, workforce gaps, a pace of disruption that shows no signs of slowing down and the ever-increasing frequency and maturity of cyberattacks. These factors translate into a lot of stress and very little time to determine the best cybersecurity leadership style to keep the organization safe from the barrage of cyberattacks.
Charisma: More Than Meets the Eye
Top leaders often pat themselves on the back when they land a charismatic chief information security officer (CISO) who seems able to grasp the technical complexity of the job and communicate cybersecurity issues in a digestible manner. When the CISO appears to be very charismatic, that’s the icing on the cake. After all, who doesn’t want to listen to a good storyteller, someone with strong magnetism who can clearly and eloquently articulate a vision?
However, the dark side of charisma can impact the CISO’s ability to motivate staff as well as undermine communications about cyber risks. According to Harvard Business Review, a leader’s charisma can gradually shift from a positive to a negative influence within an organization.
Five Stages of Deteriorating Cybersecurity Leadership
The first stage of this process begins when the leader is unreceptive to constructive feedback regarding his or her rationale, choices or actions. This is a subtle shift, but an importance one. Left unchecked, it can lead to the next phase.
A charismatic leader moves into stage two when subordinates begin to avoid saying or doing anything that might result in strong pushback. This self-censure can quickly radiate outward to reach second-level reports and, eventually, the entire set of employees reporting to the CISO.
This tense environment naturally gives way to stage three, in which the CISO is only receptive to supportive interactions. This further solidifies the leader’s skewed sense of self and compromises his or her objectivity. Under these conditions, any reports questioning the effectiveness of a particular security control would be quashed quickly and forcefully.
Stage four brings about further disconnect between the CISO and IT staff, since employees are totally unwilling to do or say anything that could conceivably conflict with the CISO’s preconceived notions. The value of the interactions between the CISO and IT staff have now plummeted into a spiral that can take the entire organization down with it.
The fifth and final stage is characterized by a general sense of cynicism and despair among the IT staff working under the CISO. Employees continue to comply with the CISO’s demands while quietly venting about the nasty state of affairs. Unfortunately, other senior-level executives may be unaware of the extent of the problem or, worse, unable to do anything about it.
Kicking Conformity Bias
CISOs should be mindful of how their own biases can shape future behaviors and negatively impact organizational change. After all, research has shown the desire to conform can influence people to override their own powers of reason and observation. In an experiment described by another article in the Harvard Business Review, 35 percent of individuals accepted the incorrect judgments of the majority regarding the length of a line.
An organization’s culture should emphasize open communication. HBR noted that there should be “a structured method to extract learning from every success and mistake.” Constructive feedback should be encouraged and rewarded as part of the company culture. Furthermore, IT employees should “embrace and challenge” the CISO.
Leaders in the C-suite need to keep a close eye on the leadership style of the CISO. Some CISOs need support and encouragement to overcome the uneasiness of their new seat at the table. Others with strong, single-minded charisma may need to learn how to foster and reward open, honest feedback.
Business books are filled with case studies of leaders whose stubbornness led to their companies’ demise. CISOs are not immune to these flaws, so the rest of the C-suite should pay close attention to the CISO’s leadership style and react accordingly.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato