Transformational opportunity for firms, or tactical trap for the CISO?
As the COVID crisis continues to develop, one thing is becoming clearer and clearer: Remote working is here to stay, in some form or another; probably as hybrid work. Technically, it has scaled, and it has worked. Throughout the pandemic, it has enabled many industries worldwide to continue operating, and many people to keep their jobs.
From an acceptance perspective, it’s another story. I am yet to meet a single person who would endorse it fully. At one extreme, it disturbs family life, increases isolation, and can lead to depression or burnout. More generally, people accept that it can bring valuable flexibility – in exchange of necessary adjustments in their work-life routines – but most miss the camaraderie of the office, the coffee machine discussions and the afterwork bonding.
I have heard many people around me say they were working considerably more under lockdown than before; whether your productivity actually increases through back-to-back conference calls is another matter, but that was their perception.
From a leadership perspective, it’s also another story. The shift to remote work has been extremely fast at the start of national lockdowns. Throughout 2020, most of the organisations which adopted it, kept it as their main operating mode throughout the year; very few have “returned to the office” at scale.
But leading through remote interactions has little to do with leading through direct human interactions.
It requires a different form of empathy, and more importantly, it requires an adjustment in the attitude of the leader, in absence of all the subjective context provided by informal interactions and body language. Face to face, a good manager should sense if the person on the other side of the table is comfortable, uncomfortable, or nervous; in a meeting room, there are always some people more engaged than others across the table, from those jumping up and down to those falling asleep; over a conference call, most of those signals – which a leader should otherwise capture and address – are often lost…
Very few leaders have been trained in any way for this; there was no time for it at the start of the crisis – or since. Some would have had natural leadership qualities and would have adjusted, but many have struggled and are still struggling.
As the COVID crisis unravels and people adjust to some form of new normal, we could be heading for a multi-year period of remote or hybrid work in many industries, with an unprepared middle and upper-middle management layer, struggling and overworked, and not learning – through human interaction – the unvaluable leadership skills they will need at the next stage in their careers. There is potentially a concerning “lost generation” problem here if things persist.
Why is this particularly relevant for cyber security? Because the role of the CISO is already in transition, and its complexity makes it particularly vulnerable to that type of situation.
If they want to avoid the firefighting trap, CISOs have to lead by influence, working across silos, with business units, support functions and the Board, not only to drive the right security culture, but also to embed the right security processes and tools across the business.
More and more, because of the transversal complexity of cybersecurity matters in the modern enterprise, it is the management acumen, the political intelligence, the personal gravitas that make a successful CISO, more than their raw technical knowledge.
Building those relationships and driving those interactions face to face is hard enough, particularly in large or global organisations. But doing it remotely is close to impossible, in particular to the unprepared CISO, or in industries where management has been incapable of looking beyond the mere tactical day-to-day throughout the COVID crisis (instead of looking for transformative opportunities).
Although it has brought cyber security under the spotlight and might bring more resources in some industries (where digital is key to keeping the lights on), the COVID crisis might become the ultimate “tactical trap” for the CISO, preventing them from developing beyond day-to-day firefighting and extending the spectre of the “lost decade” we diagnosed in earlier work in 2019.
Change can only come from the top, with senior management embedding cyber security in strategic objectives as a pillar to the stability of their new operating models, moving away from mere operational approaches, and creating a new governance bond across all cyber security stakeholders.