Common Leadership Disconnects and Leading Security through Hard Times – BSW #297
In this week's leadership and communications segment, we discuss overemphasizing metrics, delegation drawbacks, security culture starts at the top, and succeeding in security with economic insecurity.
We’d like to invite our listeners to be part of our 2023 SC Awards!
Our prestigious and competitive SC Awards program recognizes outstanding innovations, organizations, and leaders that are advancing the practice of information security. This year, there are awards in 36 categories up for grabs, including best IT security-related training program, innovator of the year, best SASE solution, and more. We’d love to see your company in the spotlight!
Visit securityweekly.com/scawards to submit your entries by March 20!
- 1. You can’t lead a team with a spreadsheet.
"Managers love their metrics." KPIs are nice, because tracking a few key metrics is easier than trying to track everything. This leads to a common failure cycle:
  1. Set a few key metrics.
  2. A problem occurs that isn't captured by these metrics.
  3. Add a new metric to track.
  4. GOTO 2.
Two foundational problems that metrics can't solve:
  1. Humans optimize for rewards (metrics can and will be manipulated).
  2. The map is not the terrain (many important business factors aren't quantitative).
Bottom line: you CAN lead a team with a spreadsheet, but that's effectively outsourcing the hard job of leadership, which can't be measured with a spreadsheet.
- 2. The Delegation Traps
Three traps to watch out for when delegating more than usual:
  1. The "one more task wouldn't hurt" trap: overworking your delegates.
  2. The "out of touch" trap: losing perspective after delegating for too long.
  3. The respect trap: keeping all the "good" tasks for yourself breeds resentment.
- 3. How to Solve the People Problem in Cybersecurity
Here the "people problem" refers to the difficulty of getting employees to take security seriously when it clearly isn't a priority at the top of the organization.
Three keys to solving the people problem:
  1. Understand the business value of cybersecurity.
  2. Create a culture of cybersecurity.
  3. Allocate the resources.
- 4. Economic pressures are increasing cybersecurity risks; a recession would amp them up more
A tale of three articles on leading security in a recession - which one gets it right? All of them? None of them?
Article 1 says:
  1. Economic downturns historically see increasing attacks.
  2. Layoffs heighten security risks.
  3. Attacks are already at a high.
  4. Prioritize based on current risk.
- 5. The role of security in times of economic uncertainty
Security in a recession, article 2 of 3:
  1. Align security to business goals.
  2. Practice business acumen as a CSO.
  3. Maximize security strategies and technology.
  4. Work with security partners.
  5. Bolster insider risk programs.
- 6. With a recession looming, security leaders should plan for the impact
Security in a recession, article 3 of 3:
  1. Focus on a robust risk management program.
  2. Prioritize third-party risk.
  3. Know and prioritize attack surfaces.
  4. Maximize existing investments.
  5. Security awareness is still essential.