Norman Lonergan, EY’s Global Advisory Leader and formerly a CIO, talks about how a CIO’s leadership and communication style can influence their cybersecurity strategy.
I remember my first encounter, many years ago, with the Belbin test – an assessment that looks at how individuals behave in a team environment.
What I found most fascinating was that individuals with very different communication and leadership styles could be good leaders for quite different reasons. Having been a CIO, and having worked alongside many CIOs over the years, I have certainly seen this in practice.
This point is especially true in relation to cybersecurity. And this got me thinking about the potential effect that CIOs’ different styles could have on how they tackle cyber attacks and cybercrime.
By now, we are all aware that cybersecurity is an important and complex issue for organizations to manage. And it isn’t just about applying effective security measures to IT systems.
Cybersecurity is an enterprise-wide business issue that calls for a number of critical steps, such as:
- Educating people
- Reaching out across the business
- Establishing response protocols
- Applying sophisticated data analytics tools and techniques
And as we found in EY’s latest information security survey, there remains a strong need for organizations to shift from a largely reactive approach to threats, toward a more proactive one.
This is why a CIO’s communication and leadership styles can prove so important: they can have a significant bearing on how cyber risks are handled at any organization. Here are three common issues that I’ve seen:
The overconfidence trap
We’ve all come across leaders who are so focused on the end goal, and so convinced of their abilities, that they lose track of the small details. They might rightly assume that others need to take care of particular tasks. But they don’t always ensure that these tasks are getting done. And they don’t make sure that everyone is prepared for the unexpected.
A successful defense against cybercrime will be as much about managing the little details (e.g., how employees should handle personal devices in the workplace) as it is about the bigger tasks (e.g., choosing your cloud providers).
The risk-aversion snare
Conversely, if a CIO is too cautious, there is the danger that they may end up overspending on security systems with the wrong focus. Risk-averse CIOs may try to put up barriers to protect every last system against attack, including those that have little intrinsic value. They often end up overengineering the company’s IT architecture in an attempt to counter every conceivable threat. This comes at the expense of usability, preventing trusted external partners, or even customers, from accessing important information. In this situation, employees tend to engineer their own work-arounds just to get things done. And customers tend to walk away.
The IT-is-everything blinkers
CIOs who are too IT-centric often don’t fully appreciate the priorities of the wider business. This means that critical areas can be left exposed to risks. It can be all too easy for these CIOs to devote all their energies to securing servers, updating software and installing malware protection, while critical business information is exposed elsewhere.
For example, the R&D function may be holding commercially sensitive information for a new product or service in a lab in a new market. But if the CIO is too focused on the nuts and bolts of IT to be aware of this new location, that information is likely to remain unprotected.
As Meredith Belbin discovered through his research, the key to successful performance is getting the balance right. If they are to get ahead of cybercrime, CIOs need to take a balanced approach to tackling cybersecurity.
This year’s EY Global Information Security Survey report outlines three stages of cybersecurity: Activate, Adapt and Anticipate. I feel confident that if CIOs implement these, they won’t go far wrong. The three stages provide the guiding principles that will enable CIOs to establish a solid foundation, to adapt to changes in the business and to take a more proactive approach to cybersecurity.