As business leaders, we’ve been coached to avoid seeing things solely in black-and-white terms, and to strive for a more nuanced, contextualized view of problems and opportunities. But sometimes, when it comes to ensuring a stronger cybersecurity posture, things really do boil down to “yes” and “no.”
Yes, providing good cybersecurity defenses for your organization is really hard, probably harder today than ever—and likely even harder in the future. Yes, we will all need more resources to achieve a stronger security posture, with more teamwork and more creativity.
No, it doesn’t have to be insurmountable, with cybersecurity leaders fixating on problems and excuses. No, we don’t have to become victims of our circumstances or our organization’s limitations.
We security leaders can win this fight. But not without a change in strategy. And that strategic shift begins with a shift in mindset.
As much as escalating complexity is a fact of life in cybersecurity for both technical and non-technical executives, I believe—no, I know for a fact—that the overwhelming majority of attacks occurring today can and should be prevented without wringing our hands, begging for unlimited funds and getting approvals to hire more staff (which we probably won’t be able to find, anyway). After years or even decades of fighting a tough fight against a committed, clever and well-resourced adversary, perhaps it’s time to remember the words of Franklin Delano Roosevelt: “All we have to fear is fear itself.”
Don’t fear cyberattacks. Respect them, be wary of them and prepare for them. As important as investing in the right technologies, services and staff are, success begins and ends with having the right mental approach to the problem.
3 Steps To Preventing Cyber Attacks and Overcoming Threats Today
Chief information security officers (CISOs) and other senior cybersecurity executives need to step up with a concerted, back-to-basics approach to winning the escalating battle against attackers. That defense requires hearty collaboration among the CISO’s team, the IT organization, end users, the C-suite business leaders and the board. So fundamentally, preventing cyberattacks relies on the cybersecurity leadership’s ability to gain the confidence and trust of all around them.
Building this trust requires a “Team First” mentality as well. Make sure that your team includes not only members of the security team, but also members of all of your peer teams, your suppliers, and members of company leadership and the board. You can do none of this without a strong team!
There are three key ideas that help ensure you build the trust you need;:
- Focus maniacally on the goal, and block out distractions. All too often we allow ourselves to lose focus by doing things that are tangential to our core mission—keeping our organizations “digitally safe.” It takes a lot of effort to block out distractions, especially when many of them seem to be relevant and even valuable. Take industry conferences, for instance. Before the pandemic, it seemed like there was a security conference, seminar or trade show every week. Even as those in-person events transitioned to virtual, it still was easy to attend or even speak at tons of conferences. While those events often have value, you can spend far too much time on them. Even writing this article takes time and energy, and I have to constantly check myself to ensure I’m devoting the right resources to my main job.
- Selling is not “beneath you.” Good salesmanship is a hallmark of cybersecurity leadership. Selling is not just for salespeople. We all have to sell—our ideas, our proposals, our recommendations, our cautions—to get what we need. In a way, my current situation is a bit unique, in that I work for a company where management is inclined to give me what I tell them what I need. That’s due both because (A) they understand the intrinsic threat of cyberattacks, and (B) I usually don’t over-sell. So when they hear me coming to ask for something, they know we’ve done our due diligence and we believe—strongly—that we’re asking for something to support the organization’s core mission.
- Politics is not a dirty word, because you have to build unshakable coalitions inside and outside the organization. Being politically savvy requires many of the same skills as good salesmanship, in that you need to be thoughtful and persuasive, understand how your need fits into the big picture and be unafraid of making bold, aggressive recommendations if that’s what’s required. The difference is that you need alliances—internal and external political alliances—in order to keep you from having to oversell your proposal to get it taken seriously. Internally, you need the support and confidence of business leaders, both in the C-suite and among rank-and-file stakeholders who have to pay for your proposals. Externally, you should build relationships with industry groups, regulators, channel partners, customers, law enforcement and any other people or group that influence how you and your team are perceived.
How This Works in the Real World
Let me give you an example of an error in judgement I once made, and how I learned from it. I previously led cybersecurity at a software company where security, while important, was not typically at the top of the list when it came to business initiatives. I am hardly alone in saying that software development leaders often regard security functionality as fine, except when it is perceived to either impact development schedules or create a perceived “friction” among users of the software.
The person who I replaced wasn’t aggressive when it came to pushing for Important, well-researched investment proposals. They would ask once, and if turned down, they wouldn’t push any farther. So when I got there, I didn’t realize that executive leadership and software engineering expected me to follow the same pattern. Mistake number one by me, for not understanding the political reality.
I felt the organization needed to commit to a new approach, a more aggressive posture when it came to security. On the day of my proposal to management and the board, I was ready. My proposal was crammed with data, diagrams and stories, and I pitched my heart out. But my impassioned pitch was met with…crickets. Members of the executive cabinet took the opportunity to change the agenda more towards their desired outcomes. I completely lost the room and wasn’t taken seriously. I received one lukewarm question, was thanked for my time, and everyone filed out of the room. I was crestfallen, and confused. Mistake number two by me, for not understanding the dynamics, attitudes and biases of the audience I was selling to.
As everyone was leaving the meeting, I asked the COO to hang back for a minute. “What did I do wrong?” I earnestly asked. Thankfully, he gave it to me straight. “You asked us to build the Taj Mahal, and we really don’t think we need all that.” This was a huge lesson for me—my approach to my presentation was all wrong, and it wasn’t just in my salesmanship in that room. I had also let the team down by not understanding the rules and how we could be successful inside the dynamics of those rules. I didn’t realize that we could only get to our goals with a measured, incremental approach, even if the reason they hired me was an acknowledgement was that things were broken and needed to be fixed. In hindsight, I think the organization believed that things were “okay” because of how previous leadership had approached selling security.
Instead of trying to boil the ocean (and get the company to pay for my perceived extravagance), I decided to carve out one thing that would make a difference. That wasn’t an acknowledgement that I needed to be timid, quite the opposite in fact. My goal was 100% correct, but my tactics were wrong. I took my scaled-down initiative, got approval and the team knocked it out of the park in the implementation phase. That success gave us more credibility to do another phase of the project, then another…and before long, we had built a very successful program to protect the business.
Lessons We All Need to Learn to Achieve a Stronger Cybersecurity Posture
It’s one thing to set a bold agenda and create a more aggressive posture around cybersecurity. But if you can’t get it approved and implemented, what’s the point? Here are a few lessons learned to help you adopt the right mindset.
First, keep in mind that good security is mostly about visibility. And by visibility, I mean both being able to see and understand the cyber risks, and to give your leadership visibility into both the risks and the solutions. Finding ways to illustrate risk-reward is critical. This is also very difficult; lean on your peers and suppliers to help.
Second, don’t try to do everything at once. That may sound like the opposite of adopting an aggressive mindset, but you need to stay focused on the end goal, which can only be achieved through a rational road map. It might take a bit longer than you’d hope for, but it’s the best way to accomplish big goals. If you show leadership a positive return on one project, getting the next one or three approved gets easier.
Finally, concentrate on risks and rewards. If someone in one of our business units wants to take critical infrastructure data and put it in the cloud rather than in an on-premises environment, you have to be prepared to provide your own guidance based primarily on risks and rewards. Only through a sober, data-driven analysis of pros and cons can you make security decisions that move the needle.
Gary Johnson is senior director of security and infrastructure at Evergy, a major investor-owned electric utilities provider.