It’s important to think about leadership in the cybersecurity realm through the lens of the “lines of defense” model. If you are a leader that is executing in the first line of defense (1LOD), then your job is the proper and timely execution of control activities (processes and technologies) to ensure that your organization is properly protected. If, however, your job is in the second line of defense, (2LOD) then you need to make sure that you have thoroughly communicated the risk associated with various actions (and lack of action) to decision-makers so that they can make an informed decision.
This clarity is often muddled as most cybersecurity organizations find themselves operating in what is often called the 1.5 line of defense. They operate some controls: data loss prevention (DLP), endpoint detection, protection, and response (EDPR), intrusion detection, and incident management. However, they also are frequently responsible for reviewing configurations and patching, as well as involved with features and capabilities of applications, infrastructure, and third-party organizations, and advising on the good, the bad, and the ugly therein.
Being an effective cybersecurity leader while working in the 1.5 line of defense is about maximizing two distinct, yet opposing, principles. First, you have to manage cybersecurity operations as if you can 100 percent, absolutely defend the organization from every bad thing that can befall it. Staff in these organizations need to know that they have the ability to prevent attacks from happening and can catch the perpetrators in their tracks. They need to know that you are going to invest in them, their training, and their capabilities to ensure they can protect the organization.
At the same time, you have to know that, on a long enough timeline, everyone fails. There will be mistakes made by people in the organization or by business partners. You won’t be able to get funding for all the resources and technologies you need to mount the best defense. You may be attacked by someone who has the capability to overwhelm your defenses, despite all efforts to the contrary. Lastly, the threat and vulnerability landscape changes so often that there can be hidden holes in your defenses that might not come to light until after it is too late.
Being an effective cybersecurity leader means helping your staff avoid the burnout, guilt, and depression that comes from not getting the headcount needed, the funding for the new project, or worse yet, experiencing a data breach when the inevitable comes to pass. To lead effectively, you as a leader need to employ the principle of ensuring informed decisions happen and residual risk is accounted for and governed. The business doesn’t have to invest in every security solution available (in fact, doing so may impede their ability to effectively operate), so long as you have appropriately informed stakeholders of the bad outcomes that could come to pass from not choosing the more secure option, and having them accept the risk associated with such bad outcomes.
Risk acceptance is the cybersecurity leader’s “get out of jail free” card – not in an “I told you so” way, but in a cooperative manner that helps the business view you as a partner, not an impediment, and the cybersecurity staff feel as though their concerns have been addressed.
About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, is Director, Cyber Risk Management for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.
