The Harvard professor John Kotter noted correctly that nowhere is leadership more necessary than in times of great change. Nowhere in our living history have present-day leaders been tested more than they are today when it comes to leading change. In times like these the capacity and character of a leader are truly tested and revealed.
As we face this global pandemic together, we are witnessing some truly great leaders in action. Simultaneously, this situation is revealing some truly unprepared leaders.
In this unprecedented time emerging leaders can learn what it takes to be truly great; from those leaders succeeding and from those struggling. One lesson (hopefully) being learned is that successful leadership is grounded in preparation for the change, not based solely on the reaction to the change. Cybersecurity leaders have perhaps learned this lesson more than other business leaders over the years. To understand why, a bit of background is important.
The Background: From Risk Manager to Cyber Leader
The role of any cybersecurity leader is to enable business operations while preparing for the prospect of risk. Part of this work is ensuring business continuity when a risk becomes realized. Not too long ago, cyber threat was not a risk. At that time, the focus of risk leaders was enabling business continuity if and when a natural disaster like an earthquake, tornado, hurricane, or even a pandemic threatened daily operations and services to customers. Additionally, there has been the need for risk leaders to mitigate against negative implications from physical risk, theft, and the occasional sabotage. Due to the advancement of technologies, how work is conducted, and user expectations, the risk leader and business managers realized the need to ensure preparedness and response to privacy threats that now include compliance protocols such as HIPAA. Extending responsibilities even further, they have become focused on threats against networked devices and personal devices connected at work and at home, including socially mobile applications and cloud-enabled solutions, as well as the Internet of Things. All of this responsibility describes the cybersecurity leader today, not the forecast of what’s next.
Along the journey, the evolution from risk manager to chief information security officer (or trust officer or privacy officer or the like) occurred and became the leadership role that is to help protect and defend against what the National Institute of Standards and Technology (NIST) refers to as the “world of threats.” This includes everything noted above and more, such as website defacement, cloud-based data storage, defending denial of service attacks, data scavenging attacks, wireless sniffers, unauthorized user access, any compromise of mission-critical information, and specific attacks including phishing, malware, eavesdropping, AI-powered attacks, and generally speaking, people. All that to say, a lot has changed in a relatively short amount of time—and certainly more change is on the horizon.
Just a couple of years ago, no one was forecasting 2019 to be “The Year Ransomware Targeted State and Local Governments,” but that is exactly the label placed on last year, according to GovTech magazine. Thinking back on the year, you will likely remember that the Louisiana state government declared a state of emergency after a cyberattack. New Orleans did the same after their attack. Twenty-two towns, cities, and counties were hit with a sophisticated coordinated ransomware attack in Texas. Of course, there was the now-famous hostage situation of the city of Baltimore due to a ransomware attack. Two cities in Florida were also held hostage within a week of one another due to ransomware, and big payments were made. The list goes on and because of the level of such disruption to government business—and the fact that two-thirds of all ransomware attacks in 2019 were targeting state and local government—CISA, MS-ISAC, NGA, and NASCIO came together in July 2019 to broadcast the list of three critical recommendations regarding cybersecurity: (1) Back up your systems daily, (2) Reinforce cybersecurity awareness and education, and (3) Revisit and refine cyber incident response plans. A great list for any cyber leader, but as the great leaders know, there is a capability gap between knowing what to do and how to do it—how to align people, processes, and technologies to get it done and to be prepared.
Aligning People, Processes, and Technologies
To address the growing needs of business (since the 1970s), cybersecurity has risen through the hierarchical ranks to earn a place at the executive table within many organizations. Components of modern cybersecurity can be found in the disaster recovery planning for physical infrastructure, such as roads and bridges; in business continuity and security planning for manufacturing organizations; and in the first versions of internet virus and malware mitigation strategies, which is where cyber was added to risk and security management. Today cybersecurity encompasses an ever-expanding collection of connected services, emerging technologies, application tools, and undefined or unseen threats that can destroy an organization with the click of a mouse. The modern cybersecurity officer must ensure privacy compliance and auditability, network capability, cloud everything, social apps, team apps, personal apps, organization data on personal devices, and support an increasing array of complexity.
Today’s cybersecurity leader must also understand how and where cybersecurity fits into the overall organizational structure, where to say yes and where to say no, without always defaulting to no. Moreover, a cyber leader needs to be proficient in budgeting, balance sheets, human resources, project management, and other organization processes or functions in order to craft the story that conveys how cybersecurity enables every other organization function and to secure the necessary funding to make the security magic happen. In other words, cyber leaders must understand the business from their business partners’ (and users’) perspectives in order to best align people, processes, and technologies that enable their work in protecting and defending the business. This also means that cyber leaders must be able to speak the language of the executive team, board, and customer. It’s a foundational element to translate security and other IT “geek-speak” into words, concepts, and connections that people outside of the cyber professions can understand and use to make decisions on defending and protecting by supporting the funding, process, capability, capacity, and interoperability needs of modern interconnected organizations.
One other factor distinguishing the great cyber leaders of today from previous disaster recovery, business continuity, and internet risk and security leaders—thinking globally even if your organization exists (predominately) locally. Cyber leaders understand that the planet is connected which means both the good guys and the bad guys can reach you with the same minimal effort. Recent attacks and the current pandemic are proof of our interconnected world in which no one has immunity. Cyber leaders think and act on an international scale even if the organization they are protecting does not do business past the county line. Their global awareness combined with organization-level thought processes prepare the organization for what’s next. Even when others cannot yet see the threat, cyber leaders are raising the flag, hardening the digital bunkers, defining the business processes, and educating people at every level. The cyber leader’s actions ensure not only organizational survival, they mitigate risks to increase the odds of organization success, no matter where the next threat is emerging.
Testing People, Processes, and Technologies Against Reality
Plans, processes, and digital bunkers are all necessary; the question is are they sufficient? Nothing tests the readiness of a cyber leader, a team, or an organization like reality. Cyber leaders live in the unenviable world of having to prove a negative. A cyber leader cannot call the CEO every Monday to say, “We did not lose any data over the weekend and the organization was not hacked. See how good I am?!” Rather, it is the unfortunate events at other organizations that prove the negative for cyber leaders, albeit on an irregular and unplanned schedule. A few prime examples can be conjured from memory using just one word for each: Snowden, Target, Equifax, Baltimore. Cyber leaders might call on these examples to support the processes that help them prove the negative through cyber fire drills, penetration testing, simulated phishing attacks, 60-day password policies, and required annual (or better yet, more often) cybersecurity training for all employees and external business partners. In addition, today’s cyber leaders are also being asked to support work from anywhere (WFA) policies, prepare for unknown unknowns, and secure information in places that they may not know exist (e.g., a personal USB drive in a home office, shared team applications, wireless devices such as TVs, phones, and watches).
The current COVID-19 pandemic is also an appropriate measure of proving the negative. Organizations that were prepared for once in a lifetime cyber or business events acted according to plan, moved to WFA, and kept production at or near 100 percent. Unfortunately, many organizations lacking true cyber leadership find themselves reacting to the event and struggling to play catch-up as they work tirelessly to bring production back to 40, 50, 60 percent gradually. Hopefully the lesson learned from the current change in cultures, businesses, and organizations is the reality that once-in-a-lifetime events can occur more than once in a lifetime. Remember Y2K, the Financial Crisis of 2008, and the Year of Ransomware? Combined with COVID-19 that makes four once-in-a-lifetime events in 20 years. Perhaps once in a lifetime is no longer an appropriate term for a planet that is connected 24 hours per day and measures global events in milliseconds. Modern cyber leaders, CIOs, and CISOs accept and live in that world, which is why we need them. They help us defend and respond to threats and risks when realized. They help us to be prepared.
The world will remain a connected place. This kind of world can be risky, but it can also provide insights that could never be grasped in isolation. Cyber leaders will increasingly be responsible for aligning people, assessing new threats, vetting and implementing new technologies, and working with new stakeholders inside and outside the business. Essentially, they enable organizations to succeed, communities to prosper, and individuals to thrive. To realize these conditions means to prepare for threats and to lead in times of great change.
Think about what’s next. We are beyond Y2K. We are beyond the Financial Crisis. We are beyond Snowden, Target, Equifax, and the Year of Ransomware. We will get beyond COVID-19. What will be next? From the extreme to the seemingly mundane, that is a day in the life of a great cyber leader. The great leader works to react to “what’s now” of a random issue and to the “what’s next” of a crisis plan.
Because today’s cyber leaders have earned a place at the executive table, they are also working to manage issues including the economic impacts of a global economy, worldwide supply chain shortages or disruptions, international staffing and personnel risks, as well as changes in geopolitical structures and norms. All or any of which could introduce the next layer of complexity for rapid mitigation to ensure continuity of organization productivity and business success.
Life and work will get back to normal, but it will be a new normal. No industry will be the same after COVID-19. As John Kotter said, “Guiding change may be the ultimate test of a leader—no business survives over the long term if it can’t reinvent itself.” How will your organization be reinvented in light of new political systems, WFA expectations, education industries, conference events, travel guidelines, video conferencing, cloud application use, employee safety protocols, and more? No one is immune. Everyone is impacted, some much more than others.
As a leader in charge of security, digital security, disaster recovery, information systems, teams of people, and a host of processes all supporting the productive capacity of the organization, how do you know the individuals in your organization are ready to do what they need to do now for the organization and for what’s next? In short, put them to the test.
Tests and reality don’t determine leadership capacity and character. Rather, tests and reality spotlight your leadership capacity and character. No plan will prepare you 100 percent for what’s next; it is simply not possible to know unknowns or everything the future will bring. However, the knowledge, professional voice, and personal character to drive your organization toward a plan of readiness as a place to start when whatever is next emerges—that is leadership applied by the best in the cyber world. Understanding there are known unknowns and creating your framework or checklist to mitigate for what is most probable and for what is most catastrophic with varying degrees of risk, funding, training, and practice—that is leading your organization to take the first steps before whatever is next emerges so that when it arrives the people in your organization are ready and great leadership can be tested and revealed.
What was unknown a few months ago and can now be understood as whatever was to be next is the current COVID-19 pandemic and is introducing organizational continuity factors that modern leaders have rarely had to address, including food scarcity, first responder’s triage and fatigue, daily governmental policy and law changes, failed supply chains, mass layoffs in the era of WFA with assets left in former employees’ homes, and so on. The short- and long-term implications to organizations will not be known for years to come. However, the need for cyber leaders to engage in the organization at the highest level in planned and consistent ways will be one of the lessons learned from the current risk event being realized. Yes, this will be an event. Yes, it will impact the way organizations view the world and alter the definition of security. After all, having a secure cloud infrastructure will not be important if the organization cannot acquire the raw materials and people it needs to stay in business. This is potentially the next big influence for cyber leader roles. As the global supply chain for materials, talent, and market boundaries shift to become more diverse and more independent at the same time, cyber leaders will be asked to evaluate risks that simply do not exist right now.
Preparing for and being comfortable with the emerging post–COVID-19 organizational needs is the embodiment of a great cyber leader. Cyber leaders have been living in a changing, unknown, global, “what’s next” world for years. This is a place they recognize. This suggests that cyber leaders are uniquely prepared for the post–COVID-19 world. As such, organization leaders at every level would be wise to elevate their cyber leaders to the executive table if they have not already done so. The skills and experiences that wise CEOs have funded for years are ready to provide significant business value as the new world unfolds.
To support their organizations, cyber leaders will need to be more flexible, become more comfortable with new levels of risk, improve and increase training at every level of the organization as a way to expand frontline defenses, and get comfortable with a phrase they may not like: “I don’t know.” Leaders with character admit when they do not have the information needed to make decisions, then they act to acquire that information. As the changing world relies on cyber leaders more and more, living in and managing through the known unknowns, “I don’t know but I will find out” will be a cornerstone for the next generation of cyber leaders—business leaders.
DR. MIKE LEWIS is the executive vice president of informatics and technology and chief information officer of Trillium Health Resources, a local management entity/managed care organization (LME/MCO). He is also the author of Responsibility Art, The Why and You in Leading and Managing.
DR. TIM RAHSCHULTE is the CEO of the Professional Development Academy and chief architect of the ICMA Cybersecurity Leadership Academy program. He also serves as advisor to the ICMA Cybersecurity Collaborative and is the co-author of My Best Advice: Proven Rules for Effective Leadership.
1. Kotter, J. P. (1999). John P. Kotter on what leaders really do. Boston: Harvard Business School Press.