May 8, 2017 By Derek Brink 3 min read

As an introduction to the topic of cybersecurity leadership in transition, indulge in a quick story:

A CEO tells of the time he discovered that the employees in the shipping department were putting a blank sheet of paper in every box, just before it was sealed up and sent off to customers. Their only explanation was, “We don’t really know why; it’s just something that we’ve always done.”

Upon investigation, it turned out that someone had decided several years before to put a standard letter from the company in every outbound box to thank customers for their business and provide contact information. The problem was that when the supply of letters ran low, the employees in the shipping department would simply replenish it by making photocopies. In those days, however, each successive generation of photocopy was lighter and a little less legible. Eventually, employees were putting a blank sheet of paper in every box.

Activity Versus Value in Cybersecurity Leadership

The moral of the story is that in any type of business function, including cybersecurity, it’s not only about what we do, but it’s also about providing value. Or, as a different CEO was fond of saying to his senior management team, “Let us not confuse activity with results.”

We can see this confusion clearly in the ongoing transition of cybersecurity leaders, who must exhibit proficiency in both of two distinct roles: subject matter expert and trusted advisor.

The current generation of cybersecurity leaders came up through the technical ranks, and many of them struggle with the skills needed to bridge the gap between technical knowledge and the business-savvy skills necessary for a trusted advisor.

Subject matter expertise is still the foundation, but the trusted advisor role is coming on strong. These two roles of next-generation cybersecurity leadership have a critical dependence on strong communication skills, both written and verbal. Complex technical information needs to be translated into a form that business decision-makers can understand, evaluate and take action on, and decisions about cybersecurity risk are ultimately business decisions.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

A View From the Classroom

From the perspective of an adjunct faculty member in master’s degree programs at two well-known universities in Boston, these changing requirements for cybersecurity leadership are definitely seeping into the curriculum. Just a few years ago, courses were typically described as predominantly technical, in a practical way. They aimed to give aspiring cybersecurity leaders enough exposure to the technical details to understand and evaluate what hands-on technical experts were telling them.

Over time, a growing number of courses began to include the trusted advisor aspect of cybersecurity leadership, with a heavy emphasis on addressing three persistent challenges related to identifying, assessing and communicating effectively about security-related risks.

These courses are popular in terms of enrollment, but perhaps the most interesting trend is in the profile of the students who sign up. It’s no longer dominated by males with strictly technical backgrounds; today’s classes are much more diverse, and students are bringing perspectives and experiences from a much broader range of industries and functional disciplines.

Making the Grade

In many ways, the diversity of student backgrounds requires a significant change in traditional teaching practices. As a specific example, the deep-seated confusion between activity and value has to be torn down and rebuilt. One way to do this is to ask students to introduce themselves to the rest of the class using just two slides to describe what they do and what value they provide.

Not surprisingly, every student does a pretty good job at describing what they do. But shockingly, over multiple courses at both universities, not one student accurately described his or her value. Instead, students talked about:

  • Their activities, in even more detail;
  • Things they’re especially good at (e.g., “I’m a good problem-solver”); and
  • They way they think they’re perceived (e.g., “I’m the go-to guy for such-and-such”).

More shockingly, even after explaining the difference between what we do and what value we provide, aspiring cybersecurity leaders have a skewed view of these fundamental points. When asked to rate how easy it is to talk about activity and value on a scale of 1 (extremely difficult) to 5 (extremely easy), about 2 out of 5 students — 41 percent — reported that both were easy. Keep in mind, however, that not one of them actually got it right.

The other 3 in 5 felt that describing activity was easy, but describing value was hard. In general, there’s not only a pervasive misunderstanding about cybersecurity risk that needs to be turned around, but also a prevailing overconfidence that needs to be calibrated.

Virtually all students struggle to bridge the gap between the technical details of cybersecurity activities to the value of helping make better-informed business decisions about cybersecurity risks. The good news, however, is that they all get better with repetition and practice.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today