
Cybersecurity teams need more business acumen
While the divide between cybersecurity professionals and the organizations they serve has narrowed in recent years, there is clearly still plenty of room for improvement. Too many cybersecurity professionals still struggle to convey the level of risk that any given threat represents to the business. Much of that lack of communication is attributable to the simple fact that cybersecurity professionals don’t always communicate in a way that business leaders can easily comprehend. There is a clear need for additional training that specifically addresses that shortcoming.
Unfortunately, a survey of 259 cybersecurity professionals conducted by ISC2 makes it clear that there is still a lack of appreciation for the type of training that is required. A full 81% of respondents said they learn leadership skills primarily through observation, with 86% noting that experiences with previous supervisors, managers and executives shaped their view of what makes a good leader.
While that may be a good thing in some respects, it’s already been established that many existing cybersecurity leaders are not able to effectively communicate with business leaders. Observing the previous generation of leaders may only be perpetuating an existing dichotomy.
For example, possessing good communication skills is, not surprisingly, ranked as the most important attribute a cybersecurity leader can have (85%), followed by an understanding of strategy (41%), open-mindedness (37%), technical skill (33%), decisiveness (21%) and then finally business acumen (21%).
However, therein lies the paradox. The very thing that cybersecurity leaders are most often faulted for is their inability to communicate with business management, and yet only about one in five survey respondents identified that skill as being a crucial leadership skill. The chances that business leaders will ever be able to communicate using the nomenclature that cybersecurity teams use every day are very small. The only way this situation is ever going to materially improve is if cybersecurity leaders better understand how the business actually operates.
In an ideal world, of course, organizations would provide that type of training to their cybersecurity teams, but whether because of budget constraints or a simple lack of appreciation for the need, there really isn’t much of that type of training made available. It will, like it or not, fall to individual cybersecurity professionals to use their own initiative to acquire that type of expertise either on the job or via some external educational curriculum.
The one thing that cybersecurity professionals don’t always appreciate is the appetite for risk that many business leaders have. Most of them are products of business schools that teach them to continuously weigh risk versus reward. The only thing they really want from cybersecurity teams is an accurate assessment of the level of risk faced. That may not require a Master of Business Administration (MBA), but it does at the very least require an understanding of what the organization is trying to achieve in an era where every business process can now be adversely impacted by multiple cybersecurity threats.
