How a CIO’s leadership and communication style can influence their cybersecurity strategy

Norman Lonergan, EY’s Global Advisory Leader and formerly a CIO, talks about how a CIO’s leadership and communication style can influence their cybersecurity strategy.

I remember my first encounter, many years ago, with the Belbin test – an assessment that looks at how individuals behave in a team environment.

What I found most fascinating was that individuals with very different communication and leadership styles could be good leaders for quite different reasons. Having been a CIO, and having worked alongside many CIOs over the years, I have certainly seen this in practice.

This point is especially true in relation to cybersecurity. And this got me thinking about the potential effect that CIOs’ different styles could have on how they tackle cyber attacks and cyber crime.

By now, we are all aware that cybersecurity is an important and complex issue for organizations to manage. And it isn’t just about applying effective security measures to IT systems.

Cybersecurity is an enterprise-wide business issue that calls for a number of critical steps, such as:

  • Educating people
  • Reaching out across the business
  • Establishing response protocols
  • Applying sophisticated data analytics tools and techniques

And as we found in EY’s latest information security survey, there remains a strong need for organizations to shift from a largely reactive approach to threats, toward a more proactive one.

This is why a CIO’s communication and leadership style can prove so important: it can have a significant bearing on how cyber risks are handled at any organization. Here are three common issues that I’ve seen:

The overconfidence trap
We’ve all come across leaders who are so focused on the end goal, and so convinced of their abilities, that they lose track of the small details. They might rightly assume that others need to take care of particular tasks. But they don’t always ensure that these tasks are getting done. And they don’t make sure that everyone is prepared for the unexpected.

A successful defense against cybercrime will be as much about managing the little details (e.g., how employees should handle personal devices in the workplace), as it is about the bigger tasks (e.g., choosing your cloud providers).

The risk-aversion snare
Conversely, if a CIO is too cautious, there is the danger that they may end up overspending on security systems with the wrong focus. Risk-averse CIOs may try to put up barriers to protect every last system against attack, including those that have little intrinsic value. They often end up overengineering the company’s IT architecture in an attempt to counter every conceivable threat. This comes at the expense of usability, preventing trusted external partners, or even customers, from accessing important information. In this situation, employees tend to engineer their own work-arounds just to get things done. And customers tend to walk away.

The IT-is-everything blinkers
CIOs who are too IT-centric often don’t fully appreciate the priorities of the wider business. This means that critical areas can be left exposed to risks. It can be all too easy for these CIOs to devote all their energies to securing servers, updating software and installing malware protection, while critical business information is exposed elsewhere.

For example, the R&D function may be holding commercially sensitive information for a new product or service in a lab in a new market. But if the CIO is too focused on the nuts and bolts of IT to be aware of this new location, that information is likely to remain unprotected.

As Meredith Belbin discovered through his research, the key to successful performance is getting the balance right. If they are to get ahead of cybercrime, CIOs need to take a balanced approach to tackling cybersecurity.

This year’s EY Global Information Security Survey report outlines three stages of cybersecurity: Activate, Adapt and Anticipate. I feel confident that if CIOs implement these, they won’t go far wrong. The three stages provide the guiding principles that will enable CIOs to establish a solid foundation, to adapt to changes in the business and to take a more proactive approach to cybersecurity.

2 thoughts on “How a CIO’s leadership and communication style can influence their cybersecurity strategy”

  1. I agree on most of it, just it needs to be called in the Risk Management function: Information Security is a mindset and a ‘tool’ to (possibly) save money. How much a company is going to succeed at it really depends on how the money is spent to secure (or not) things around. Only a well-run Risk Management (both on the business and IT side) will show the way to executives on what needs to be addressed first (where and if to spend the money). In this view, Risk Management will bring together InfoSec findings and recommendations with the Business view and priorities. Oversimplifying it: InfoSec brings ‘concerns’, Risk should evaluate them (using analytical skills) and then give a deck of options to the Board for an informed decision. For this simple reason you should not have Risk, IT Services and InfoSec in the same structure, piled one on top of another. They are all to be kept separate from a Governance point of view, and the Business is where they should come together. On Page 9 of this Harvard Business Review, I can see a supporting table on what I just stated:
