Professor Daniel Prince on developing cyber security leadership

Leadership requires more than just an understanding of your own organisation’s vulnerabilities as many other factors can come into play. Professor Daniel Prince, a Professor in Cyber Security within Security and Protection Science at Lancaster University, explains.
Even major organisations like the NHS are vulnerable
He says: "Not a day goes by without some news story regarding a cyber security incident. One recent example is the attack on a technology supplier for the NHS 111 service. The fear is that patient records and ultimately patient health could be affected.
"The NHS has some of the most stringent codes of connection and information governance requirements in order to work with them as part of their supply chain. They have well-articulated technical and technology requirements regarding security. So, the question that is often asked as a result is, if it can still happen to one of their suppliers, what is the point in us doing anything?"
80% of cyber attacks can be prevented with a few basic controls
"The response is simple; it is still true that 80% of cyber attacks can be prevented with a few basic controls. These controls are all outlined in the National Cyber Security Centre’s (NCSC) guidance and advice; what some refer to as the basic cyber-hygiene. The technologies to put the required protections in place are cheap, simple and effective and often embedded in the services companies use.
"Most of it is about protecting your virtual identity; separate private and company passwords, using a strong, easy-to-remember password and using two-step verification. The guidance also talks about making sure your systems are updated and you are making copies of your most important data, both of which only really cost you your time. However, it is clear technology on its own is not enough, even with mounting evidence that it is not IF a business will suffer a cyber-attack, but when - and how much is it going to cost the company."
Technology reflects company culture
"The technology used by a company is a reflection of that company" is a comment that emerged from conversations with colleagues in Lancaster’s Management School. It indicates the technology a company uses is the technological embodiment of the business processes which drive a company and, importantly, its culture. In this case the security of a company’s technology must be a reflection of a company’s security culture.
"If a company, and its culture, does not respect or take seriously its security and protection, it should hardly be surprising when the technological systems that company employs are missing simple security measures. Technology can only enforce the policies and procedures which the company deems to be appropriate. There is only so much responsibility that an external supplier, such as Google or Microsoft, can take before the autonomy of your decision making is impinged."
Understanding organisational culture
"Simon Sinek, a well-known leadership commentator and author, has said: 'Cultures are groups of people who come together around a common set of values and beliefs.' It becomes interesting to therefore explore the security and protection values and beliefs within the culture you have in your organisation. It is also important to understand how that culture is led and what leadership, specifically cyber security leadership, should look like to develop that culture."
Cyber leadership is just leadership
"In many ways cyber leadership is just leadership; helping those around you develop and thrive, providing inspiration and bearing responsibility. Read any one of a number of leadership books and they also tell you that leadership can happen at any level of the organisation, from within any role. It is not something only those with chief in the title do.
"But there is something about the cyber component that makes cyber leadership different. At the Cyber Leadership Symposium, held in 2022 at Lancaster to launch our University’s new Cyber EMBA programme, the question of whether a cyber leader needs to be technical was asked a lot. The general consensus was no; but they should be able to work with and get the best out of technical people. This requires a cyber leader to have awareness of technology, but not necessarily deep technical knowledge."
What is important about a cyber leader?
"What is important about a cyber leader, regardless of their role or level within the organisation, is their deep concern for the protection of their business, their employees and their customers. Protection, safety and security is incredibly emotive; too much and individuals feel smothered, too little and they don’t feel cared for. Walking that line is a challenge every cyber leader needs to take up. They must also help to develop a positive security culture which runs alongside day-to-day business to yield benefits for the company.
"Considerable research hours have been devoted to security culture, and the UK government has invested in that research through the Centre for Research and Evidence in Security Threats (CREST) or the Research Institute for Sociotechnical Cyber Security (RISCS). For example, one project explores how change can lead to counterproductive work behaviour; it showed how poorly led business change projects can lead to insider cyber threats."
Take action now
"Cyber leaders have therefore been shown to be essential to all types and sizes of organisations and there is lots of help at hand. The NCSC has guidance for leaders and managers to develop positive security cultures, alongside places such as CREST and RISCS.
"But importantly you can take action after reading this article. What is the one thing you are going to do to help lead the security culture in your organisation? How are you going to help those around you to make better security decisions in service to your organisations? Share stories of successes and failures; help people learn. It is only together, through people, we can achieve better cyber security. After all, most organisations prefer to talk about investing in their people, rather than investing in technology."
The next Cyber Security Leadership Symposium takes place on 6th & 7th July 2023: Innovating Cyber Leadership for Global Challenges
Professor Daniel Prince is a Professor in Cyber Security in Security and Protection Science at Lancaster University, a new £19m initiative to cement the institution’s position as one of the UK’s leading centres for cyber security research and education.
Extracts from this article were published in business magazine InCumbria