We’ve recently seen turnover in the government with a void in the Cybersecurity leadership and it led me to think about how this is being handled in enterprises nationwide. Cybersecurity is more than just technology, hackers, and fancy toys. It’s also about strategy, leadership, and team building, which needs to come first before the implementation of any process or technology. We have to actively defend our environments from threats and without the proper leadership in place all the budget in the world, tools and analysts are a waste of time and resources.
No Bad Teams, Just Bad Leaders
It’s been said before: there are no bad teams, just bad leaders. This goes not only for military, large businesses, or organizations with ample budgets. This goes for every aspect of security and there needs to be a top down approach of leadership within each group to fully run a group at its full potential. Unfortunately, this isn’t always the case and leaders below management need to be able to “manage up” to get their mission and objectives accomplished. Everyone in the security groups needs to take responsibility and own it. Finger pointing needs to stop. Now.
A breach occurred because of a missing patch or vulnerable system that was exploited? If we’re all owning our areas of expertise within these disciplines there’s accountability between each other, not a blame game. The relationships need to be built between engineering, operations, system admins and operators. Will you still get breached? Maybe, nothings completely secure and attackers are persistent. The better question to ask is will your team collapse into a finger-pointing, blame shifting witch hunt if you are breached? I hope not. That’s where proper leadership stops these rabbit holes of blame.
We All Want to Win
We’re trying to stop adversaries from compromising or bringing our systems down on a daily basis. It’s hard fighting those who want to do you harm, it’s even worse if those people are on your team. Leaders can be anyone: analysts, engineers, architects, managers and CISOs. Just because your role doesn’t have subordinates doesn’t mean you’re not a leader. Understand your role and how it effects the entire organization and what you’re responsible for within the team. Determine how you’re directly able to make a difference by taking the onus of what’s yours and how you can assist those on your team to succeed.
We all want to win. I don’t think anyone wakes up in the morning hoping their organization gets breached. If one area of the team is lacking we need to work together to bring it up to par. This might mean saying and recommending things that are hard, but in the end we need to fire on all cylinders. We’re all on the same team and if we’re selfless, transparent, and all working towards achieving the same goal we can move the rudder in the right direction. If leaders let their ego get in the way, or put a blind eye towards another issue in a different department, you’ll be rudderless and vulnerable.
More to come on this topic in the future, but in short: There are no excuses, sacrifice for your team and own it.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate, Security Blogger, and is the Cybersecurity Practice Manager at CCSI. He holds multiple information security certificates and has had the opportunity to write and speak about cybersecurity for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email firstname.lastname@example.org.