Introduction

What does it take to be a cyber leader? How do we address a broad challenge we have in today’s business world?

There are a huge number of organisations where the leadership do not have domain expertise in cyber and related disciplines. There are decision makers who are having to best guess. On the other end of the spectrum, we have thousands and thousands of people trying to “break into cyber”, yet they face largely insane entry requirements, with the aforementioned adding things to junior and entry-level roles which include:

  • Must have a CISSP (CISSP requires 5 years’ experience and is an Information Security certificate that is very broad and not very deep; it also covers a range of areas that in my opinion aren’t even required for many cyber security capabilities inside organisations)
  • Must have a Certified Ethical Hacker (this exam includes remembering historic malware dates; is that really what we need from our leaders?)
  • Must have a very large level of experience or be from an existing cyber role

All of this is creating confusion with hiring managers, with boards, with HR, and the net effect of this is that we are seeing that security postures are simply not appropriate or reasonable for a modern digital world. Think I’m exaggerating? Please go and look at the news! Barely a day goes by without a major breach, let alone the hundreds of thousands of incidents that aren’t in the news. Cybercrime is rife! So let’s think about some of the things that might be useful if you are going to lead your organisation’s cyber strategy and its operational capability. Remember the world isn’t just one point of view; these are just some of my thoughts.

Cyber Security

Wait, hang on, maybe we missed a step. Maybe we need to revisit what cyber security is first?

According to NCSC it is:

“Cyber security is how individuals and organisations reduce the risk of cyber attack. – Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”

Drive

Cyber security is a complex and ever-evolving field that is primarily concerned with the protection of information in technology-based systems. Therefore, it’s not a bad idea to have a level of passion and enthusiasm for the subject; it doesn’t, however, mean you have to be obsessed. Too often I see people giving out crazy gatekeeping positions on how much extracurricular activity must occur. I’d suggest that being interested and being involved in community/industry is, however, a good idea. I learn so much from my friends and colleagues.

Experience

People often treat experience requirements as checkbox exercises; they don’t and shouldn’t need to be, they are examples. You will, however, want someone in a leadership position to be well versed and experienced in the domain they are leading.

  • A background that includes direct cyber security experience from one or a range of perspectives:
    • Strategy and Architecture
    • Security Assurance
      • Security Testing
      • Adversary Simulation/Red Teaming/Purple Teaming
    • Security Operations
      • Security Monitoring
      • Incident Response
    • Technology Security Management
      • Vulnerability Management
      • Patch Management
      • Software Lifecycle Management/Secure Software Development Lifecycle (SDLC)
  • Departmental or Team Leadership
  • Departmental or Team Financial Management
  • Personnel Management
  • Board Level Communications
  • Mentoring

Capabilities

  • Good Communicator
  • Able to take accountability for decision making
  • Able to facilitate discussions
  • Able to motivate and drive others

Understanding

  • Broad view of the current cyber threat landscape
  • Understanding of legal and regulatory requirements with relation to cyber security and the nature of business undertaken
  • Risk Management
  • Security Architecture
  • Asset Management
  • Information Architecture
  • Technical Architecture
  • Security Engineering
  • Software Development
  • Vulnerability Management
  • Training and Awareness
  • Incident Response
  • Digital Forensics
  • Offensive Security Practices
  • Security Testing
  • Backup and Recovery
  • Business Continuity

Summary

This isn’t meant to be an exhaustive list; if you need an exhaustive list, maybe think a bit more about what your organisation needs first. Yes, you can google, but remember this is about protecting your people, your customers, your supply chain and your brand.

Cyber security and Information security aren’t identical to me; the cyber part really drives home the computer elements of this practice as opposed to, say, protecting physical documents. There is, however, not universal agreement on this. Again, you need to think about the type of people, skills and experience your organisation needs from its leadership. The size, scale and nature of the business, as well as its culture, will mean there is not simply a one-checkbox approach that fits all.

What I can say from my experience is that when it comes to Cyber Security and leadership challenges, whilst large areas of this are governance and managerial, the devil is in the details. You will need to be able to converse with both business peers and with the teams at the coalface, so if you don’t know what a PCAP is that’s ok, but I’d suggest that if you are leading a team, you probably want to ensure you invest both in the team and yourself.

Organisations commonly get pwn3d due to misconfigurations. When we look at why these exist, it’s usually because a “next, next, finish” approach is taken where stakeholders have not been well apprised of their risk position. Everything just works until it doesn’t, and if you don’t know differently you aren’t going to realise the risks you may be introducing. Communication is key, but it helps to also know the subject (like it’s quite important).

Certificates might be an easy way out but for me the key is continual learning and improvement, if I’m going to help others, I need to be able to help myself first!
