(Note: All opinions are my own)
Webster’s defines “leadership” as:
In the cyber world, leadership tends to be understood as positions like CIO, CISO, CTO, IT manager, and so on. However, for the majority of small and medium businesses, it is pretty unlikely they have this level of leadership within their organization. Cyber leadership is expensive. For example, the average Chief Information Security Officer's salary is about $240,000. For companies with strict margins, it is nearly impossible to afford these positions. But that isn’t even the big problem. The bigger problem is the lack of personnel within the cyber universe with the skill set, experience, or willingness to take on cyber leadership roles. I also believe a significant gap revolves around defining exactly what cyber leadership is and how it is defined within the concepts of cybersecurity.
So let me take a stab at defining leadership within cybersecurity. Cybersecurity leadership involves guiding and directing the strategy, policies, and procedures to protect a company’s digital assets from cyber threats. This role is crucial in today’s business world, where cyber threats are constantly evolving and can have significant impacts on privacy, finances, national security, and the confidentiality, integrity, and availability of your business’s digital crown jewels. Here's a breakdown of what cybersecurity leadership largely entails:
Strategic Vision and Planning: Cybersecurity leaders must develop a clear vision and strategic plan for their organization's cybersecurity posture. This involves understanding the evolving threat landscape, assessing organizational vulnerabilities, and prioritizing resources to mitigate cyber risks.
Policy Development and Implementation: Establishing cybersecurity policies and ensuring their implementation across the organization is a crucial cybersecurity leadership trait. This includes setting standards for data protection, network security, incident response, and employee cybersecurity training.
Risk Management: Leaders in cybersecurity are responsible for identifying, assessing, and managing cyber risks. They need to balance the protection of information assets with the organization’s operational needs.
Incident Response and Crisis Management: In the event of a cyber incident, leaders must be prepared to manage the response effectively. This includes having a well-practiced incident response plan, coordinating with internal and external stakeholders, and mitigating the impact of the breach.
Team Leadership and Development: Cybersecurity leaders are responsible for building and maintaining a skilled team. This includes hiring, training, and retaining cybersecurity professionals and fostering a culture of continuous learning and improvement.
Stakeholder Communication and Collaboration: Effective leaders communicate cybersecurity issues and strategies to a range of stakeholders, from technical teams to board members. They also collaborate with external entities, like law enforcement, regulatory bodies, and other organizations, to enhance cybersecurity measures.
Technology and Trend Awareness: Keeping abreast of the latest cybersecurity technologies and trends is essential. This helps in making informed decisions about adopting new tools and practices to strengthen the organization’s cybersecurity defenses.
Compliance and Legal Awareness: Understanding and adhering to relevant laws, regulations, and industry standards is a critical skill. Cybersecurity leaders must ensure their organization complies with regulations like GDPR, HIPAA, or others pertinent to their sector.
Ethical Considerations: Leaders must navigate the ethical implications of cybersecurity practices, ensuring that actions to protect the organization also respect privacy rights and ethical norms.
Mentoring: A crucial skill for any leader is training their successors. This includes knowledge-sharing, skill-building, and providing career guidance.
Unfortunately, in addition to there being a huge skills gap in cybersecurity, the leadership gap is even more significant. Finding individuals with the ability to lead teams of varied skill, competence, and experience, the ability to provide a strategic framework for cybersecurity, and the willingness to mentor others is like finding a needle in a stack of needles under the best of circumstances. Within the cybersecurity world, these unicorns are few and far between, because it is not something that is easily trained for. And not everyone is or should be a leader (but that may be a topic for a future article). The cybersecurity world needs leaders; they are out there, but the good ones are hard to find.
So what is the solution to this gap for SMB owners, given that it is likely to only get wider? Well, here are a few ideas:
Outsourcing and Managed Security Services:
Description: Many SMBs may not have the resources to employ a full-time cybersecurity leader. Outsourcing to managed security service providers (MSSPs) or external leadership consultants (like vCISO-type providers) can fill this gap. These providers offer a range of services, from monitoring and managing security operations to strategic security planning.
Benefits: Access to a team of experts, reduced costs compared to in-house teams, and continuous monitoring and response capabilities.
Implementation: Select an MSSP or leadership consulting entity that understands your industry and specific business needs. Ensure they have a proven track record, and clearly define the scope of services and response times in your contract.
Cross-Training and Upskilling Existing Staff:
Description: Developing cybersecurity skills within the existing workforce can help bridge the leadership gap. This involves identifying employees with the potential and interest in cybersecurity and providing them with the necessary training and resources.
Benefits: Builds a culture of security awareness, leverages existing knowledge of the business, and can be more cost-effective than hiring new staff.
Implementation: Invest in training programs, certifications, and workshops for staff. Encourage a learning environment where employees can gain hands-on experience in cybersecurity roles.
Strategic Partnerships and Collaborations:
Description: Forming strategic partnerships with other businesses, industry groups, or academic institutions can provide SMBs with access to cybersecurity expertise and resources. This can include shared security services, information sharing about threats, and collaborative development of best practices.
Benefits: Cost-effective access to a broader range of expertise and resources, staying informed about the latest threats and trends, and strengthening overall cybersecurity resilience.
Implementation: Join industry-specific cybersecurity alliances or groups, collaborate with local universities or cybersecurity firms, and participate in shared cybersecurity initiatives.
If you are a small business owner, you need to understand the need for a form of leadership that helps you create a cybersecurity culture that can protect your business, your employees, and your digital crown jewels.
I am available to help you work through this strategic need, which is crucial to your company’s cyber success and safety. You just need to ask.