As organizations strive to ensure the confidentiality, integrity and availability of their systems, they go out of their way to hire cybersecurity professionals (an IT manager, for example) to help fast-track the process. Once hired, these professionals often forget the primary role of the business.
It is imperative that security professionals remember that they perform a supporting service for the organization rather than its core function (unless it is an IT security company). While cybersecurity is extremely important, it is usually not the main reason the business exists.
In the founding stages of every organization, a mission and vision are created to steer the business toward a specific destination. Security is just one of many tools that help the organization reach that destination.
Cybersecurity professionals need to think of themselves as leaders and not managers. The line between leadership and management has always been thin, and many managers believe they are leaders. If you cannot tell the two apart, refer to Stephen R. Covey's The 7 Habits of Highly Effective People, or read these articles from Forbes and Next Generation. In this article, we focus on cybersecurity leaders.
Security leaders should think of themselves as operating in two different roles. Without a doubt, they are the organization's experts on confidentiality, integrity and availability. They will be looked to on matters of security leadership: the protection of information assets, response to security incidents, and other typical security functions.
In a secondary, equally important but often forgotten role, security leaders must also be business leaders who understand the primary mission of the organization, including its strategic objectives. Such leaders must understand the short-term and long-term goals of the organization and be able to switch seamlessly between their roles, thinking as both a security leader and a business leader.
The reason these two roles are vital is that security controls can frequently be a barrier to the efficient operation of the business. Security professionals must therefore design a control environment that manages the risks facing the organization while balancing security against other business considerations. And that right there is the thorn in the flesh.
A security leader needs to watch out for scenarios in which the business role is pushed out of view while making decisions in the security role, because such decisions can have a disproportionately negative impact on the business.
Let's say you have just finished your annual penetration test and discovered glaring gaps in your security. Following the pen tester's recommendations, you may need to set up new controls and overhaul some systems. The challenge comes when proposing a new security control: security leaders usually need to present a business case that justifies the investment of time and money in the control and gives a solid account of its impact on end users.
Security leaders need to keep both the security and business roles in mind, in addition to the three goals of information security: confidentiality, integrity and availability. Once this has been considered, you can write out and thoroughly explain to the CEO the investment required to implement the control and the expected return on that investment.
There are other situations in which security leaders must take on the role of a business leader. These often come in the form of the many administrative tasks required of any leader in the organization, including but not limited to preparing a budget and an accompanying work plan, conducting performance reviews and evaluations, managing employee issues, and contributing to the organization's strategic planning process. These non-security responsibilities are an important part of the information security professional's contribution to the broader organization, and they help maintain a solid connection to the rest of the business.