The Makings of a Cybersecurity Leader | ISACA

The Makings of a Cybersecurity Leader
Author: Phil Zongo, CEO of the Cyber Leadership Institute
Date Published: 27 April 2022

Editor’s note: Phil Zongo, CEO and Co-Founder of the Cyber Leadership Institute, is an experienced head of cybersecurity, strategic advisor, author and public speaker. He is the Amazon best-selling author of “The Five Anchors of Cyber Resilience,” a practical cyber strategy book for senior business leaders, and recently authored his memoir, “The Gift of Obstacles.” Zongo, a 2017 winner of ISACA’s Michael Cangemi Best Book/Article Award, recently visited with @ISACA to discuss cybersecurity leadership, cyber strategy and his new memoir. The following is a transcript of the interview:

What type of mindset makes for a great cybersecurity leader?
There are three that stand out for me: courage, adaptability, and humility. Every leadership role requires extreme courage, and cybersecurity is no different. To succeed in this high-pressure role, cyber leaders must have the guts to terminate sacred-cow projects, veto business decisions that undermine cyber resilience, and communicate bold aspirations. Equally important is the cyber leader’s ability to quickly adapt to the demands of the CISO role.

As many new CISOs can attest, the technical proficiency that made them superstars in a middle management role contributes very little to their success in the C-suite. This requires new leaders to quickly immerse themselves in the business value chain, and learn leadership, strategy design, persuasion and board communication skills.

Then there is humility, the most potent weapon for cyber leaders to navigate complex political systems and connect deeply with key decision-makers. When you approach key stakeholders with a blank piece of paper and an open mind, and build their perspectives into your transformation agenda, they are likely to throw their full weight behind it. Executives will do their best to support you if they know, trust, and like you.

What do you see as the biggest challenges today’s cyber leaders face?
There are two significant challenges: (1) Despite the rising appetite by senior stakeholders to actively participate in cyber transformation, cybersecurity language is still deeply rooted in tech. Cybersecurity reports are still heavy with jargon (zero-day, zero-trust, CVEs or APTs). Translating cyber reports into the language of the business (money, customer retention, business growth, etc.) is still difficult for many cyber leaders. (2) Second is the traditional reporting lines, with many CISOs still reporting to technology executives. This has merit; reporting to the CIO often guarantees fatter cybersecurity budgets, but it has serious drawbacks. I believe the CISO’s role should be elevated to the same rank as the CIO – only that way can CISOs effectively play their line-two responsibilities, challenging the adequacy of line-one controls like patching, secure-by-design and vulnerability remediation. When the CIO is the boss, impartiality may be dented, bad news filtered on its way up, or security spending diverted toward flashy projects.

Study after study talks about the endemic technical skills shortage in cybersecurity, but the bigger challenge sits at the top. Without business-savvy CISOs, cyber resilience will remain a pipe dream for many enterprises. As John Maxwell famously said, “Everything rises and falls on leadership.”

What do you consider to be a missing key ingredient in many organizations’ cyber strategies?
They lack business context and are unsellable to business leaders. Most so-called cybersecurity strategies we see are nothing more than a list of ASD Top 8, CIS Top 20 or NIST controls. They do nothing to further business goals, accelerate digital transformation or mitigate areas of highest risk. Cybersecurity strategies are formulated within the confines of the IT function, with little input from business stakeholders. Failure to tie the cyber transformation agenda to the broader organizational mission leads to a litany of issues: budget requests fall on deaf ears, cybersecurity teams are constantly under stress, CISOs feel like glorified systems administrators, and have very little visibility within executive circles. For too long, cybersecurity professionals have advocated for greater business visibility and influence. But they also need to play their part, particularly by articulating this crucial business risk in ways non-IT business leaders find relatable and understandable.

There is a lot of pessimism always surrounding cybersecurity – what is something that gives you optimism that real progress is being made in the field?
While we have a long way to go to address the leadership skills gap, there is a growing self-awareness among experienced cybersecurity professionals that sharpening their executive influencing and communication skills is a must-have to land CISO roles. Over the last three years, we have trained hundreds of seasoned and aspiring CISOs from more than 50 countries at the Cyber Leadership Institute. So, I can say from the frontlines that the tide is growing stronger. That, combined with the continued uptake of reputable ISACA certifications such as CISM, CRISC and CGEIT, gives me a reason to hope that we will soon close that expectations gap.

If you could change one thing about the way many boards and CEOs view cybersecurity, what would it be?
To change the widely held perception that security is a cost center or compliance initiative to that of an integral force that, if done right, can foster business growth and customer trust. Every transformation initiative requires the unwavering support of boards and the C-suite – cybersecurity is no different.

The most senior officers must role model expected behaviors and uphold the virtues of their cyber-risk appetite. They must also embed cyber-risk governance into the bloodstream of their enterprises, making it an inevitable and inconspicuous part of strategic and operational decision-making and, as a result, fostering transparency and accountability. The more executives we see play a lead role, the more resilient our digital world becomes.

How would you characterize the initial feedback you’ve received on The Gift of Obstacles? Has anything surprised you?
I feel extremely humbled that my long and winding story, which started with lots of challenges, has inspired so many people to dream beyond their self-imposed mental limitations. But I wasn’t surprised. Snippets from my career story had already helped many people overcome seemingly insurmountable obstacles. That early feedback motivated me to dig deep and write my memoir. But these are early days, the memoir is only three months old. My goal is to keep showcasing the remarkable power of education and grit to defeat poverty and despair.