Companies Need to Rethink What Cybersecurity Leadership Is

Executive Summary


Many companies are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations, and culture. The root cause is twofold: (1) Cybersecurity is treated as a back-office job and (2) most cyber leaders are ill-equipped to exert strategic influence. Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead. And that means companies need to hire and develop security executives who have the skills to be true leaders. This article presents a framework for boards and C-suite executives to use when formulating a cybersecurity strategy and choosing someone to lead it.





For businesses today, cyber risk is everywhere. Yet for all the investments they’ve made to secure their systems and protect customers, companies are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations, and culture. The root cause is twofold: (1) Cybersecurity is treated as a back-office job and (2) most cyber leaders are ill-equipped to exert strategic influence. Given that a cyber leader’s average tenure is just 18 months, it’s clear that something needs to change.


Historically, companies have expected CISOs (chief information security officers) and security chiefs to focus on technical tasks — and haven’t expected more of them. Cyber leaders have the monstrous and all-important goal of securing a business, but when companies make big, strategic decisions — about business models, digital strategy, product mix, M&A — cybersecurity is an afterthought. That means companies are losing out on the value that the function can provide. (It’s not unlike companies rethink cybersecurity leadership