It’s not that the company wants to leave the cybersecurity manager in the lurch. Quite often, when a cybersecurity manager is hired, it’s the first time the company has ever hired a dedicated cybersecurity manager. The company has no experience with having a cybersecurity manager on staff. They have no history or established protocol for how to manage a cybersecurity manager. They have no idea how to best utilise this new asset. The company isn’t thinking about what additional resources or support the cybersecurity manager may require; they are primarily focused on budget.
When a cybersecurity manager is hired, they’re usually expected to function independently of any one department or team. Within any company, there are internal teams, or tribes, such as operations, finance, sales, marketing, legal, IT, brand management, and so on. Since the cybersecurity role lies outside those power teams, the cybersecurity manager has limited influence within the company. The way forward for the cybersecurity manager is to work within the internal corporate structure to get on the agendas of those teams and personally influence the key stakeholders and decision makers.
In many ways, the cybersecurity manager’s effectiveness is limited by how well they can navigate the internal power structure of the company. Cybersecurity managers have to work hard to gain acceptance into these tribes. This part of the job is something that is never mentioned in employment contracts, it’s seldom taught in universities, and it can come as a surprise for cybersecurity managers without significant experience.
For example, we know of a company that hired a very proficient-looking cybersecurity manager with an impressive CV. While the cybersecurity manager had deep technical experience, he lacked the people skills to work effectively within the company’s corporate culture. Instead of taking the initiative and proactively forging relationships, he waited around for department heads to invite him to a meeting. He ended up sitting in his office all day on the computer instead of communicating with company leaders and managers. In the end, he achieved little to improve the company’s cybersecurity, all because there was a mismatch between the company’s expectations and the cybersecurity manager’s expectations. Each was waiting for the other to take action.
Sometimes companies don’t even know what kinds of skills the cybersecurity manager should have, so they end up hiring the wrong kind of talent with the wrong expertise. Hiring a cybersecurity manager with the wrong skill set is going to end in failure because the person hired doesn’t match up with the actual needs of the company. But it’s not the cybersecurity manager’s fault because the company didn’t know what they needed to begin with and didn’t make it clear during the hiring process.
If the company misunderstands the role and hires the wrong person, then little will be accomplished.
Problems Lie Ahead
Most companies hesitate to commit sufficient resources and budget for a robust cybersecurity programme. They often believe that the cost of hiring a cybersecurity manager is the only investment they will have to make, though that is rarely the case. (The truth is that a viable defence against cyberattacks can cost hundreds of thousands of dollars.) Effective cybersecurity requires a significant investment beyond hiring someone to manage it.
That’s because cyberattacks affect a company on all levels—they require an immediate response, a careful consideration of the effect on corporate reputation, and an adjustment of future growth predictions. When an acute crisis hits, the company first has to focus on the immediate practical problems, like endless helpdesk calls, a backlog of customer requests, and the possibility of being sued. Crisis management is the order of the day. At the same time, investors and owners are wondering how this hit to the company’s reputation will hinder the growth of the company. Inside the company, managers and employees worry about their own jobs and liability; outside the company, regulators and society are probably already reacting. The dollar cost of the attack itself is probably one of the last things on people’s minds.
Hiring a manager is only the first step. The manager may need to call on existing staff to take on new tasks; for instance, a network engineer might need to develop skills in network monitoring. Internal staff will be needed to build and execute solutions, and it may be necessary to hire external companies as consultants and to test the systems. If additional hardware and software are required, internal IT resources may have to be reallocated. These represent significant costs.