We frequently talk about leadership roles within organizations and cybersecurity teams. As Kaushal Perera, CISSP explains, effective cybersecurity leadership needs to address much more than just operational matters.

Kaushal Perera, CISSPIn the contemporary digital landscape, characterized by looming data breaches and cyber threats, effective leadership stands as the cornerstone for establishing and upholding a resilient information security framework. Leaders must grasp the importance of their role in shaping organizational culture, set the tone, and make pivotal decisions that establish a strong foundation in information security and continually reinforce it.

Current Threat Landscape

The dynamic nature of the current threat landscape is forcing organizations to focus more extensively on their information security posture. In my opinion, when considering potential threats against them, organizations should no longer focus simply on their sector, industry, or geography. Instead, establishing a robust information security foundation is imperative.

This foundation should be built upon best practices and standards, rather than focusing solely on specific threats, particularly at the initial stage. Then, once the foundation is laid, further improvements may be based on specific threats.

For example, companies should not (and usually do not) assess threats to network computers and implement anti-malware detection tools only on a specific set of computers; rather, it should be the other way around, with anti-malware being a standard deployment for all computers. A company should implement an appropriate malware tool and then extend or add to its features or make further broad improvements based on the threats and risks. In short, once the base is laid and strong enough, companies can build upon it. However, to build the foundation, companies should understand and accept the current position.

Understand the Current Position and Setting the Tone

This is where, in my experience, companies tend to make mistakes. Understanding the initial risks at the foundation level and within the company culture is not an easy task. The best approach is to compare and contrast with best practices, rather than looking mainly at the threat landscape and limiting focus to a particular area. This process aids in understanding gaps and is essential for identifying weaknesses, thereby facilitating the implementation of controls to establish a robust information security architecture as the foundation.

However, when implementing controls, initial resistance may arise from internal staff. This is like the early days of workplace computing. I recall one company where frustrated staff claimed that manual work was easier than working on computers: when initial data input issues arose and they struggled to adapt, they claimed that manual work had never posed such difficulties. Diverging opinions among various staff members may also consume time and effort in reaching agreement and making progress.

Leadership

Leadership of an organization should set the tone when it comes to valuing and prioritizing information security for that organization. When leaders emphasize the need and follow it, employees will – usually – fall into line. In my experience, the bottom-up approach never works for information security.

To ensure success, leadership should understand the risks to their company, the importance of best practices, and the consequences of not prioritizing information security. Ask yourself this: when assessing the risk for a new initiative, if the cost-benefit analysis gives the green light to proceed but the risk-benefit analysis gives you the red light, what do you consider?

This is why leadership must understand the risk, and treat it based on the company’s risk appetite. If the company is willing to accept the risk, a strong basis should be developed to justify the acceptance. There are no shortcuts or workarounds for this.

However, this becomes a complicated issue if the overall picture is not translated holistically into a communicable language for senior management. As a solution, most companies and regulators emphasize the need for having information security representation at board meetings. Yes, some regulators mandate the role of Chief Information Security Officer (CISO), with the right qualifications and expertise. This facilitates a smooth bottom-up information flow, enabling a better understanding of risks, informed decision-making, and effective communication of decisions through a top-down approach to tactical and operational levels.

Culture Change

Changing attitudes is important to changing an organization’s culture. I have seen many people in important roles pay attention to information security needs – especially individuals working in companies in highly regulated sectors. They are fully aware of the benefits of information security for the company, as well as for themselves. Such controls safeguard not only the company, but also its staff. For example: they know that logs ensure accountability for actions taken and safeguard them from malicious activities they have not engaged in.

I have also seen the opposite behavior: network administrators with access to the internet bypassing controls, managers allowing software developers to take source codes home in USB sticks, using their position to bypass access controls while considering it their privilege to do so, etc. This is where leading by example is important, and attitude matters. Leaders who prioritize and demonstrate a commitment to information security foster a culture of vigilance and accountability throughout the organization, and a positive mindset in leaders is crucial for this.

Companies should, for example, update their standard interview questions to understand the attitude of a person towards information security, especially when recruiting staff to IT department and managerial roles in business. It is now normal practice to look for candidates with knowledge and understanding in information security and controls. For example, when recruiting software developers, the companies not only look for expertise in programming languages but also require applicants to have knowledge in OWASP top 10 and secure development practices.

Information security directly connects, and needs direct contribution from, most areas of a business. Human resources, physical security and supply chain security are some of the most direct contributors, thus improvements to people, processes and technology must be considered in these areas as well.

Improvement need not always relate to risk, regulatory requirements, or the output of threat assessment or vulnerability assessment. For example, a process may require improvements to enhance efficiency and effectiveness; this should be looked at in a positive way. But to prioritize such areas, leadership support and setting the tone are vital. Such support helps ensure that information security improvements are prioritized consistently across the company. As a result, all directly and indirectly contributing departments will understand and support the building, improvement, and maintenance of a strong information security posture.

Resource Allocation

Once leadership understands the need for change, changing the culture and mindset is far from easy without adequate resources. It is vital that sufficient human and technology resources should be available to support processes. For example, to maintain continuity, backup personnel should be designated to take over and continue operations when/if the primary person is unavailable.

Lack of staff in critical areas can also lead to risk. Your Security Operations Centre (SOC) must have an adequate number of competent staff to monitor incidents 24/7, avoid reducing the number of staff and relying on junior employees lacking expertise simply to cut costs as this can lead to overlooked incidents and failures in incident response procedure.

It’s certainly the case that manual work can create inconsistencies and integrity issues, leading to vulnerabilities that directly affect the security of data and information. Automation is a key mechanism for improving such processes. Of course, suitable investments should be made in a prioritized manner and only in line with company’s strategic objectives, mission, and risks – not by randomly selecting products and services. Consider basic needs too, such as firewalls, intrusion prevention systems (IPS), antivirus products, authentication and authorization controls, vulnerability and patch management, penetration testing, data loss prevention (DLP), and awareness training.

Note that leadership support is often essential to ensure that such investments are made proactively – before an incident occurs. Remember, too, that when investments are appropriately made to implement robust controls, many incidents are prevented unknowingly. Most of the time, it is difficult to directly calculate and identify a quantifiable Return on Investment (ROI) for investments in information security controls.

Conclusion

Three things greatly influence leaders’ decision-making and increase/decrease the likelihood of failures: the way they consider information security, their understanding of the consequences of not implementing robust controls, and their failure to consider information security as a strategic objective. Set your direction, understand current risks and risk appetite, budget constraints, and invest based on strategic goals. Prioritize investment in technologies, processes and talent that address the most pressing security issues, contributing to the establishment (or maintenance) of a solid foundation and information security posture. Essentially: lead.

Kaushal Perera, CISSP, has over a decade of experience in information security, including hands-on technical expertise in implementing and maintaining information security controls, and specialization in ISO 27001, ISO 20000, and PCI DSS compliance.