Know the Expectations (or Lack Thereof)
The ideal situation: a newly hired cybersecurity manager reports for duty and, on his or her first day, is presented with a set of specific expectations and detailed objectives for cybersecurity set forth in a clearly written cybersecurity plan. The plan provides the cybersecurity manager with concrete goals to work toward. It allows the cybersecurity manager to hit the ground running and achieve maximum results in the shortest time possible. The cybersecurity manager will be extremely effective because the company has a detailed cybersecurity plan in place.
Sound good? When it happens, it is. But how often does it happen? Almost never.
Cybersecurity Manager Candidates: What to Ask in an Interview
- How do I get the management support I need for this job?
- Who is my sponsor in the company?
- Are you ready to invest in security?
Most of the time, the company has no plan, no set goals, no idea of scope, and no clear expectations for the cybersecurity manager they just hired. Typically, the company is only able to express to the cybersecurity manager a vague desire like, “We want our data to be safe,” or, “We don’t want to get hacked again.” That’s not a plan.
In fact, most of the time, the company expects the cybersecurity manager to come up with the plan. They also expect the cybersecurity manager to resource, scope, and execute the plan. The cybersecurity manager, meanwhile, depends on the company to define parameters and provide a budget. With each party operating under the impression that the other should be providing the basic necessities, the cybersecurity manager’s role often stalls out within the first week or two on the job.
Hiring a Cybersecurity Manager: What to Ask in an Interview
- How did you build and manage security management systems in previous jobs?
- How would you set one up here?
- What do you think are the most relevant cyber risks for businesses like ours?
By listening to the candidates’ answers, you’ll find out if they are up to date on current risks and if they did their homework about your company. Their answers will also reveal the mental boundaries that limit their work.
It’s not that the company wants to leave the cybersecurity manager in the lurch. Quite often, when a cybersecurity manager is hired, it’s the first time the company has ever hired a dedicated cybersecurity manager. The company has no experience with having a cybersecurity manager on staff. They have no history or established protocol for how to manage a cybersecurity manager. They have no idea how to best utilise this new asset. The company isn’t thinking about what additional resources or support the cybersecurity manager may require; they are primarily focused on budget.
When a cybersecurity manager is hired, they’re usually expected to function independently of any one department or team. Within any company, there are internal teams, or tribes, such as operations, finance, sales, marketing, legal, IT, brand management, and so on. Since the cybersecurity role lies outside those power teams, the cybersecurity manager has limited influence within the company. The way forward for the cybersecurity manager is to work within the internal corporate structure to get on the agendas of those teams and personally influence the key stakeholders and decision makers.
In many ways, the cybersecurity manager’s effectiveness is limited by how well they can navigate the internal power structure of the company. Cybersecurity managers have to work hard to gain acceptance into these tribes. This part of the job is never mentioned in employment contracts; it’s seldom taught in universities, and it can come as a surprise to cybersecurity managers without significant experience.
For example, we know of a company that hired a very proficient-looking cybersecurity manager with an impressive CV. While the cybersecurity manager had deep technical experience, he lacked the people skills to work effectively within the company’s corporate culture. Instead of taking the initiative and proactively forging relationships, he waited around for department heads to invite him to a meeting. He ended up sitting in his office all day on the computer instead of communicating with company leaders and managers. In the end, he achieved little to improve the company’s cybersecurity, all because there was a mismatch between the company’s expectations and the cybersecurity manager’s expectations. Each was waiting for the other to take action.
Sometimes companies don’t even know what kinds of skills the cybersecurity manager should have, so they end up hiring the wrong kind of talent with the wrong expertise. Hiring a cybersecurity manager with the wrong skill set is going to end in failure because the person hired doesn’t match up with the actual needs of the company. But it’s not the cybersecurity manager’s fault because the company didn’t know what they needed to begin with and didn’t make it clear during the hiring process.
If the company misunderstands the role and hires the wrong person, then little will be accomplished.
Problems Lie Ahead
Most companies hesitate to commit sufficient resources and budget for a robust cybersecurity programme. They often believe that the cost of hiring a cybersecurity manager is the only investment they will have to make, though that is rarely the case. (The truth is that a viable defence against cyberattacks can cost hundreds of thousands of dollars.) Effective cybersecurity requires a significant investment beyond hiring someone to manage it.
That’s because cyberattacks affect a company on all levels—they require an immediate response, a careful consideration of the effect on corporate reputation, and an adjustment of future growth predictions. When an acute crisis hits, the company first has to focus on the immediate practical problems, like endless helpdesk calls, a backlog of customer requests, and the possibility of being sued. Crisis management is the order of the day. At the same time, investors and owners are wondering how this hit to the company’s reputation will hinder the growth of the company. Inside the company, managers and employees worry about their own jobs and liability; outside the company, regulators and society are probably already reacting. The dollar cost of the attack itself is probably one of the last things on people’s minds.
Hiring a manager is only the first step. The manager may need to call on existing staff to take on new tasks; for instance, a network engineer might need to develop skills in network monitoring. Internal staff will be needed to build and execute solutions, and it may be necessary to hire external companies as consultants and to test the systems. If additional hardware and software are required, internal IT resources may have to be reallocated. These represent significant costs.
Organisational Structure: Putting It on Paper
When considering a cybersecurity manager applicant, try this:
Hand the applicant some paper and a pen and ask him or her to draw a rough diagram of the company’s current organisation. Invite the candidate to explain how they would manage the structure. There’s no right or wrong answer, but you will learn a lot about the candidate’s organisational skills by listening to his or her response. If your request is met by silence, that is not a good sign—you may have a pure techie on your hands. The best candidates will have something to say about every piece of the chart.
Nevertheless, many companies refuse to allocate sufficient budget funds to cybersecurity—either to fix problems caused by a known cyberattack or to prevent an attack in the first place. So cybersecurity managers often find themselves in the difficult position of doing what they can with limited resources, even if it won’t be enough. If cybersecurity managers don’t have the interpersonal skills and initiative to gain access to key decision makers in the company to lobby for more internal and external resources, they simply won’t be successful.
What does a lack of success in this role look like? If the cybersecurity manager is ineffective, the company’s cybersecurity won’t improve, and may even be diminished. That exposes the company’s employees, customers, and shareholders to serious risks of breach, theft, blackmail, ransom payments, legal action, and more. What’s worse, hiring a cybersecurity manager without allocating sufficient budget funds can lead the company to have a false sense of security.
The consequences of failure are also considerable for the cybersecurity manager. Most cybersecurity managers don’t feel accepted, or even respected, by the companies they work for. If a cyberattack happens, the cybersecurity manager is the one who gets blamed. If the cybersecurity manager is terminated, she finds herself out of a job, and the company must spend time and resources to recruit and hire a new cybersecurity manager to come in and fix the existing problems.
What Can a Cybersecurity Manager Do to Succeed?
Cybersecurity managers first need to understand what they will be up against. They need to go into a new job fully understanding the challenges we’ve talked about in this article, including lack of access to decision makers, limited or no budget, unclear expectations, a non-existent cybersecurity plan, and a general lack of respect for their role within the company.
Contact the Key Players
As a cybersecurity manager, you need to contact key players in the company and familiarise yourself with their units and what they do. For instance, you could go to customer service and ask to go through their induction training. A couple of hours spent immersed in the customer service world will reveal an incredible amount about the people, processes, and tools involved. You’ll get firsthand experience, and the customer service manager will appreciate your interest.
Next, smart cybersecurity managers will study the organisation to learn who operates the levers of power within the company. Who has the authority to draft a budget, and who can sign off on it? If budget decisions are made by committee, who is on that committee? The cybersecurity manager can map it out on a whiteboard using an organisational chart or the company’s website, including the different teams, leaders, and stakeholders both inside and outside the company. The cybersecurity manager should find ways to meet and interact with these key people, such as volunteering to participate on management committees and advisory teams where they can meet decision makers. If security is even remotely relevant to the committee or team, management will invite the cybersecurity manager to participate; directors and managers are becoming more aware that they need to involve the cybersecurity manager. If the cybersecurity manager finds they’re not welcome in some groups, it’s a problem; the cybersecurity manager must have their support. They may need to work on the groups’ attitude to open that door.
After this, the cybersecurity manager should schedule meetings with key stakeholders to talk about the cyber risks involved in different areas of the company. The cybersecurity manager’s goal should be to help the managers and department heads understand the cybersecurity risks to their department and then convince those leaders to request the budget funds required to address the risks. Turning key decision makers into champions for cybersecurity is one of the most effective strategies for acquiring the resources needed.
What Not to Do
We worked with a chief information security officer who had been working for a large government agency in security for years. She was finally getting ready to retire, so they were looking for her replacement. We asked her how the organisation made decisions and allocated budget funds. She had no idea. This is an example of what not to do. There is no way to be effective if the cybersecurity manager doesn’t understand the company’s leadership structure.
The Cybersecurity Plan
After meeting with each department head, the cybersecurity manager should follow up with a memo to that person summarising what was discussed, the current risks, and a prescription for fixing the problems. After meeting with all department heads and stakeholders, the cybersecurity manager should create a full cybersecurity plan. In that document, the cybersecurity manager can summarise his recommendations for each department in the company, assess the broader risks for the company as a whole, and include recommendations and a budget request. This will become a working document for the cybersecurity manager. It should incorporate feedback and input from the stakeholders.
If the company denies the cybersecurity manager’s request for budget funds and later suffers a cyberattack, the cybersecurity manager can point to the document in which he identified the weakness and proposed a solution. If the cybersecurity manager wrote a memo requesting budget funds for system improvements and security testing but the request was denied, the attack can’t be blamed on him. He didn’t design the system.
However, the cybersecurity manager can be blamed for not notifying the company of the risks he knows about. If he doesn’t warn the company, if he doesn’t communicate the risk, then any breach could be seen as his fault. The cybersecurity manager can determine the best way to present the memo, either one-on-one, in a staff meeting, by email, or in whatever way is appropriate.
The cybersecurity plan should be aligned with the company’s overall strategy and goals. The language in the plan should start with those corporate business goals and then go into detail about how cybersecurity supports the organisational objectives. Do not include personal opinions in the document. This plan is a big-picture document that will resonate with the senior-most leaders of the organisation, including the CEO.
Identify the Influencers
When mapping out the key stakeholders in a company, the cybersecurity manager should not only pay attention to the people with senior titles, like CTO, CEO, and VP. Sometimes people in other positions can wield enormous power. These people are influencers. For example, there might be someone in human resources who has been with the company for twenty years and has the ear of the CEO. For some reason, she has a lot of power. The cybersecurity manager should be sure to identify and add influencers to the list of stakeholders. They will play a role in getting the cybersecurity manager’s cybersecurity plan approved.
Selling the Cybersecurity Plan
Part of being a cybersecurity manager means using internal sales skills. First, the cybersecurity manager must sell the decision makers on the idea of cybersecurity. This involves communicating the risks and the potential repercussions of not acting on those risks. What is the risk? How big is it? How can it be fixed? How much will it cost? With a detailed assessment, it’s usually pretty easy for the company to make a decision.
The reaction to a cybersecurity plan and request for budget funds could be a resounding yes, a flat no, or anything in between. This is because different executives have widely differing risk tolerances. What seems like too much risk for one person is just another day at the office for someone else. Entrepreneurs tend to have a high risk tolerance, while bankers tend to want a very low level of risk.
Cybersecurity managers should be aware that some people will view them as a threat and may resist them at every turn. Such people may have a known cyber weakness in their department that they’ve tried to fix on their own. Or perhaps they don’t think cybersecurity affects their department at all, so they consider the whole thing a nuisance and a waste of time. Whatever the reason, not everyone in the company will support the cybersecurity manager or even welcome him or her. Tread carefully.
Regardless of the different reactions from stakeholders, it is the cybersecurity manager’s responsibility to own the cybersecurity plan and drive its internal adoption. If the cybersecurity manager sits quietly in her office working on the computer, she’ll make little progress. Instead, the cybersecurity manager must proactively advocate for cybersecurity, even in the face of rejection.
Ultimately the cybersecurity manager will need to get the plan accepted and implemented by the company. This decision may be made by the CEO, the board, or a lower-level committee. The head of each department that will be directly impacted will also need to accept the plan and get on board.
Gaining acceptance for the cybersecurity plan often requires negotiation. There will be some give and take, and the cybersecurity manager will have to revise and rewrite some or all of the document to please all stakeholders. Some stakeholders have more influence than others. The cybersecurity manager should always listen to feedback from the CEO, for example, as their suggestions are usually insightful. CEOs know exactly where the company is going financially and strategically, and they understand the highest level of risks, such as strategic business risks. The cybersecurity manager should incorporate the CEO’s suggestions into the plan. Eventually, by being persistent and reasonable, the cybersecurity manager will develop a plan that will be widely accepted.
High-Level vs. Low-Level Cyber Risks
Cybersecurity exists to protect and advance the goals of the business; that mission cannot be lost in the details. Unfortunately, it often is.
The quickest way for a cybersecurity manager to fall from grace within a company is to focus on smaller operational risks and low-level problems. Too much of that and leaders (including CEOs, VPs, and other stakeholders) will naturally start to ignore the cybersecurity manager because low-level problems aren’t what’s on their minds. They care about high-level risks that affect the overall business strategy.
Many cybersecurity managers have been relegated to the realm of “IT geek” because they didn’t focus on high-level problems. Once there, they tend to tackle every problem as an IT problem and neglect the people side.
Expectations and Needs Vary Company to Company
The cybersecurity manager needs to understand that organisations vary widely in their expectations and needs when it comes to cybersecurity. In general, bigger companies won’t accept as much risk as smaller companies because they have more to lose. If a company with billions of dollars in revenue gets hacked, the loss could be far greater than it would be for a smaller company. Smaller companies are more nimble and can change faster, so they can react to cyber risks more quickly and effectively. This is why many startups hesitate to spend a lot of money on cybersecurity.
The exception to this is a high-tech startup or growth company where the entire business is based on trade secrets that could be stolen, such as a startup built around a biotech process or medical technology, or a computer company with a proprietary algorithm that could be hacked. If those types of trade secrets are stolen, it could literally destroy the company. In those cases, even startups will take cybersecurity very seriously and spend money on it accordingly. If they can’t afford it, they will get more money from their investors. Investors want to protect their investment in the company, so it’s an easy sell.
Banks and financial institutions, on the other hand, always make security a top priority because they’re holding clients’ money. The challenge with these companies is that many of them are using old mainframe computers from twenty-five years ago. Legacy systems like that are extremely difficult and complex to upgrade to modern cybersecurity practices, and complexity is the enemy of security. In contrast, newer companies will operate on modern cloud computing systems, so updating their cybersecurity is much easier.
Complexity Is the Enemy of Security
Most companies, as they grow, build unwieldy IT systems that make security extremely difficult. The cybersecurity manager can have an impact simply by reducing that complexity. It’s often a good idea to look for standardised solutions others are using and apply those to your company’s problems.
Say your company has 200 servers, each with its own protocols. The system is a nightmare to maintain. If you can show management how other companies have reduced similar systems to just two types of servers, your life will get much, much easier.
The company will be happy, too, because the existing complexity is probably a performance issue for them. Standardisation saves money.
While we can identify general characteristics of some companies, like startups and banks, the truth is no two companies are exactly alike. Even an experienced cybersecurity manager who moves from one company to the next will have to start over and learn about the new company. The same tactics they used at their last company may not work in the new environment. The decision-making processes in each company are always different. The stakeholders are different. The corporate cultures are different. The tolerance for cyber risk will vary by the size and age of the company, their current technology, their history of cyberattacks, the industry they’re in, and what part of the world they’re located in geographically.
Even different departments within the same company have differing needs and expectations. Separate departments often run completely independent computer systems. Some departments may have been hacked, while others never have, so they have unique expectations, needs, and perspectives.
Identify the Biggest Risk First
The best way for a cybersecurity manager to understand and approach an organisation is first to identify the biggest cybersecurity risk. What are the company’s leaders most scared of? What are they trying to prevent? Where is the company most vulnerable?
As the cybersecurity manager investigates the various security risks in an organisation, they should keep a running list of the security problems they would ideally like to solve. If there are 20 items on the list, that’s too many. With the list in hand, the cybersecurity manager should rank items in order of urgency and importance, then begin eliminating the problems at the top of the list, moving on to lower-ranking items over time. That way, they can solve the company’s most pressing security issues while making sure they don’t spend too much time and too many resources on things that are irrelevant or insignificant.
Perceived Risks Vary
To prioritise risk, cybersecurity managers need to be aware of how the people in their company perceive risk and understand that the perception may not be driven solely by logic.
The biggest perceived risks may vary widely between two companies in the exact same industry. Some of the variance comes from leadership style—one company may be led by a risk-taker and another by someone less bold. Some variation arises from corporate culture. Two airlines with vastly different corporate cultures, for instance, may identify completely different needs and risks in cybersecurity.
The effective cybersecurity manager must recognise a natural human foible, as well: people are notoriously bad at assessing risks accurately. For example, people worry more about living near a nuclear power plant than about crossing the street, even though they’re much more likely to get hurt walking through town. A CEO might read articles every day about companies hit by data breaches, but if it hasn’t happened to him in twenty years, he may think his company is immune, though it’s not.
When preparing the cybersecurity plan, the cybersecurity manager should focus recommendations on the highest-level, strategic risks—the ones that will get the attention of top management. The cybersecurity manager’s goal is to be taken seriously, to have the budget approved, and to get the cybersecurity plan implemented across the company.