One thing that has surprised me since I left active duty as an Air Force Major General a little over two years ago is the inconsistencies I see from company to company regarding the importance of leadership and organizational culture. I recently have talked with a number of senior leaders who say they are engaging consultants to help develop leadership programs and to understand and, if necessary, modify their organizational culture. Certainly a step in the right direction, but these are mature companies. It is interesting to me that leadership and culture are just now becoming important at the most senior levels.
My experience leading a number of large, complex organizations suggests that nothing is more important than having good leaders at all levels of the company and making sure they are aligned on creating and sustaining a company culture that sets the stage for success. Good leaders attract and retain good people, and a clear set of values, a meaningful vision and mission statement linked to relevant, measurable goals all help define a culture that ensures employees can connect the dots from what they do to the ultimate success of the company. In the age of cyberspace, nowhere is this more important than in those aspects of leadership and culture that touch cybersecurity.
Leaders exhibit behaviors that in turn establish organizational culture. If the culture needs to change, as it does in most companies when it comes to cybersecurity, the CEO has to personally take it on. Culture change cannot be delegated. Here are four things cyber-savvy CEOs do to inculcate an effective cybersecurity culture in their companies:
1. The CEO is the model user. She adheres to all of the company policies regarding password rules and acceptable internet use. She does not ask for personal exceptions to company policies and neither does her staff. The CEO routinely talks about the importance of user behavior in defending the company from hackers.
2. The CEO grasps key cybersecurity terms and concepts. This takes some work, but CEOs need a working knowledge of cybersecurity if they are going to provide the same level of management and oversight for cybersecurity that they exercise over operations, financial management, human relations and other critical functions that make the company successful. Plus, the CEO does not want to waste time in a critical meeting because senior leaders need a primer on cybersecurity basics before they can consider the business issue at hand.
3. The CEO holds people accountable for their actions in cyberspace. Employees are trained and certified to do their job and in the event they fail to execute their duties, there are consequences. People have to be held accountable at the same level for their behavior on the company network. Importantly, everyone must be held to the same standard whether they are an hourly employee or a senior executive.
4. The CEO insists on being prepared for a breach through a robust training and exercise program. Companies that take cyber-risk seriously conduct initial and recurring training that is relevant to the business. CEOs and other senior leaders sit side by side in training with other employees. Cyber-aware CEOs conduct tough, realistic exercises to validate that the training has been effective and that everyone knows their role in the event of a breach. This includes people like lawyers, auditors, human resource managers, public relations staff and the Board.
Technology is not the answer to every problem, even in our tech-driven society. Competent people led by exceptional leaders are the key to success in business today, just as they were well before anyone heard of the internet. CEOs who correctly understand the nature of the cybersecurity problem realize that their personal leadership is critical to success. Adopting these four behaviors is an essential first step to becoming an effective leader in the age of cyberspace.