“If your actions inspire others to dream more, learn more, do more, and become more, you are a leader.” – John Quincy Adams
In this blog, we deep dive into leadership for the Cybersecurity and Privacy ecosystem, the main theme of this year’s PwC Cybersecurity & Privacy Day, which took place on 8 June 2023 at our premises.
We do so by highlighting the main messages shared by some of the event’s keynote speakers on why leadership is important in cybersecurity, how to get top management buy-in, the role of the cyber leader and the required skills. But first, we give you a bit of context.
A look into the problem cyber leaders face…and the solution
Today, top management is placing cyber increasingly higher on its priority list and giving it a seat at the board of directors, calling for cyber leaders to shift to a business-aligned security combined with a risk-based approach.
The results of PwC’s 26th Annual Global CEO Survey – Winning today’s race while running tomorrow’s – back this up. Around 48% of global CEOs say they are increasing investment in cybersecurity or data privacy in response to rising geopolitical conflict.
Unsurprisingly, this is also reflected in our 26th annual CEO Survey – Luxembourg Findings. When asked whether they believed their company would be exposed to cyber risks in the next year and in the next five years, 20% and 25% of CEOs respectively answered affirmatively.
However, to make the investment in cybersecurity or data privacy effective, and to develop and execute an efficient cybersecurity strategy, you need leadership – and dare we say, robust leadership.
This starts with top management buy-in, but it also requires the commitment of Chief Executive Officers (CEOs) and Chief Information Security Officers (CISOs) to establish trust with each other, foster open communication, stay aware of and up to date on trends, and allocate enough resources to their teams for protection. CEOs and CISOs will also need to work together to develop and implement a cohesive cybersecurity strategy that aligns with the company’s business goals.
Sounds pretty good and simple, right? Sadly, we are describing the ideal world, because we aren’t quite there yet. Many management and/or board of director meetings still proceed without a cyber expert, or someone with adequate cybersecurity expertise, being present—and he/she should definitely have a seat at the table to share his/her vision and knowledge on cybersecurity. So how do we turn this around?
Why leadership is important in cybersecurity
The field of cybersecurity is facing a number of issues as François Thill, Director cybersecurity and digital technologies at the Ministry of the Economy, pointed out during his intervention. These include the asymmetry of information, the scarcity of experts and the fact that they work in silos.
Additionally, cybersecurity providers don’t define and adopt common practices to reach interoperability all along the value chains. He also stated that while cross-border cooperation exists between governments, it’s still scarce and ineffective given that they are bound to their territory, creating disruption.
François also mentioned that in Luxembourg companies might be experiencing the same threat every day, but they only share the threat information, not the impact and resolution elements when getting hit. As a consequence, they don’t create an environment where resources can be used more efficiently. As he put it, “all companies have these problems, so why not exchange for the sake of scalability and affordability?”
Leadership is crucial when addressing this myriad of growing cybersecurity challenges, as it requires a coordinated effort across different teams and departments. But for François, it’s a practice rather than a position. The cyber leader doesn’t have to be the CEO or the CISO because leadership works at individual, team, organisational and societal level.
“Distinguishing leadership from authority helps us begin to see that if we understand leadership as a practice, as an activity, then it becomes available to anybody, high or low, any place or position,” he said.
He also emphasised the importance of leaders connecting with their peers and sharing information, of promoting research, and of no longer treating threat intelligence as confidential, which, in his view, prevents issues from ever being solved.
The purpose of the Data Protection Officer and the Privacy Leader
Now that we have established why organisations need leadership in the cybersecurity field, it’s time to delve into some of the leadership roles, their similarities and their idiosyncrasies. Tine A. Larsen, President of the Commission Nationale pour la Protection des Données (CNPD), who joined the event for a second time as a keynote speaker after her intervention in 2021, did just that for the Data Protection Officer (DPO) and the Privacy Leader.
In her view, designating the role of the Privacy Leader is fundamental. However, there is still no widely accepted definition of it as of now, and it isn’t referred to in European Union (EU) law. The role of the DPO, on the other hand, is usually required under the General Data Protection Regulation (GDPR).
This means that it’s up to the companies to decide whether or not to appoint a Privacy Leader and to define the role as they see fit. However, what’s crucial for her is to formalise the Privacy Leader’s involvement, preferably in the organisation’s internal rules and policies, to make a clear distinction between his responsibilities and those of the DPO.
For Tine, the fields of the DPO and the Privacy Leader are different, but they can be complementary and sometimes even overlap, for instance when it comes to raising awareness and identifying risks related to data protection, monitoring internal policies and providing advice.
Despite this overlap, the Privacy Leader can’t replace the DPO. For example, if a DPO has been appointed, the Privacy Leader can’t be the contact point for the supervisory authority or data subjects.
According to Tine, these are the tasks of a Privacy Leader:
- Manage the risks related to data protection and privacy in the interest of the organisation;
- Help the organisation to comply with the GDPR;
- Provide information and advice accordingly.
The objectives of the Privacy Leader can diverge from those of the DPO, as the latter has the interests of individuals at the centre and the former acts in accordance with the interests of the organisation. This has an impact on how they carry out their tasks.
When and why to appoint a Privacy Leader
As mentioned by Tine, unlike the DPO, the Privacy Leader is appointed on a completely voluntary basis, and hence such appointment should be done if the risks related to data protection are significant enough to justify the allocation of resources to the position. To put it simply, it’s an investment to avoid or mitigate risks.
She also outlined the many benefits of having a Privacy Leader, who:
- Contributes to promoting a data protection and privacy “culture” within the organisation;
- Increases the visibility of the issues related to data protection and privacy within the organisation as well as outside, with people and stakeholders;
- Contributes to the drafting and verifying of proper implementation of internal rules and policies;
- Provides relevant advice and opinions to tackle identified risks;
- Promotes the compliance of the organisation.
The significant role of CISOs
During his keynote speech, Tim Cook, Partner at Acertitude & MD of Kafue Consulting, underlined the need to remind CISOs that “they are very connected and that cyber warfare is a non-kinetic threat that is very present.”
CISOs have strategic importance within a firm: they are problem solvers, they are pragmatic, and they act like a parachute for their company. On the basis of this observation, he introduced the CISO maturity model, defining the different faces a CISO profile can have: from merely technical support that challenges the existing cybersecurity culture, to shaping attitudes, to defining a new firm culture, which represents the highest level of maturity.
Moreover, the CISO is a highly trusted role. But how do you build trust when, at a moment of crisis, you can’t give your colleagues all the information they need because you don’t have it yourself?
That’s why maintaining trust by preserving relationships is critical. Good CISOs see the big picture, they see a gap and they take responsibility even when it’s within another department, such as the Chief Information Officer’s.
The making of cyber and privacy leaders
As Koen Maris, Advisory Partner and Cybersecurity & Privacy Leader at PwC Luxembourg, pointed out, leadership comes in many forms, sizes and colours. Hence, its definition is rather subjective: what makes a good or a bad leader is always debatable and differs from individual to individual.
We can attest to this. When searching for leadership skills for cybersecurity and privacy professionals on the web, we got different results each time. Nevertheless, we think we can all agree that leaders guide teams with members that have different skill sets, and their main challenge is to find a way to bring that diversity of competencies together in one strategy.
For Koen, a good leader questions himself, and challenges the status quo by asking, “Is it how we do it in Cybersecurity really the right way?” Similarly, François Thill urged cyber leaders to dare to leave their comfort zone and advocate for a sustainable change by taking advantage of obvious synergies. This is particularly true for large companies that are too quick to believe they are protected from attacks, when in fact they—and their supply chain—can be the most affected.
According to François, a leader is a good communicator, has a clear vision and empathic skills, isn’t arrogant, and should be someone who is ethically correct and—very important—accountable.
Tine A. Larsen, on the other hand, focused specifically on the skills and knowledge a Privacy Leader should have, which are similar to those required from the DPO. She said this role requires expert knowledge of data protection law and practices, a strong understanding of the issues the organisation faces as well as management, communication and legal skills, and knowledge of information technology and data security (the level depends on the complexity of the company’s systems).
Lastly, she highlighted that the Privacy Leader should be a visible role and seen as a coordinator of multiple jurisdictions.
How to get top management buy-in
As we mentioned previously, cyber and privacy professionals have in their hands the important task of getting top management to invest and make cybersecurity and privacy a top priority in their busy, sometimes conflicting, agenda.
However, many DPOs have a legal background and haven’t developed the skills needed to get top management to buy into their data protection work and to justify the budget that is needed. Moreover, they usually aren’t familiar with business models.
That was exactly the focus of the keynote speech by Tim Clements, Business Owner and Privacy Professional at Purpose and Means. For him, the lack of buy-in is often a question of perception.
The challenges DPOs face are manifold. They include budget, which is normally quite tight but could nevertheless be better allocated. As he put it, “If you don’t ask, you won’t get it.” Thus, you need a compelling case. Tim also pointed out that data is everywhere in a business, including in digital marketing and product development, and yet the DPO still works very much alone, in a silo.
Therefore, DPOs need to start actively communicating the purpose of their role, to change the perception that they are the necessary evil that exists only to avoid fines and penalties and to stay compliant. To achieve this, DPOs need to make their work resonate with their colleagues and show them its value.
He also encouraged DPOs to use strong analogies with top management as a way to demonstrate the value of their work. He gave the example of brakes: at first, we may think that they are there to make us slow down and stop—which they do. But they are also safety controls, assuring us that we can go fast.
The same applies to the DPOs: they aren’t there to stop the company’s work—unless there’s a legal issue—but to bring assurance.
A word on breaking barriers with Leadership and Diversity
We couldn’t talk about leadership in cybersecurity without mentioning diversity. These two should go hand in hand. In her inspiring speech, Jelena Zelenovic, CISO at the European Investment Bank, was adamant about the benefits of having a more diverse leadership in this field, which is still very dominated by men, and of diversity being part of the business strategy of any organisation.
Making it a reality requires a collaborative mindset, more women in leadership roles and more women supporting and promoting each other’s achievements to break the barriers. At the same time, men also have a role to play as allies.
She pointed out that as the cybersecurity functions become more diverse in terms of tasks and responsibilities—along with cyber threats—it’s crucial to have a diverse team that can bring different perspectives.
And there is more than just the need for diversity based on gender. In fact, Jelena underlined that cyber criminals don’t see gender, and neither should we. Cultural diversity is also important because it allows us to better understand the different ways people approach security, which then allows us to come up with better solutions and thus better protect assets.
Cybersecurity and privacy are indispensable elements of every organisation working in today’s digital age. It’s time to overcome the misconception, which many people still hold, that technical skills and expertise are all it takes for cyber and privacy professionals to take on managerial roles. On the contrary, they should also have solid soft skills and personality traits to help them flourish in this complex profession.
One of the key takeaways of this year’s PwC Cybersecurity & Privacy Day, however, is that there’s no one set of soft skills one needs to master to become a great cyber leader. Still, there are some competencies that the keynote speakers—and the internet—agree on.
Cyber leaders need to think critically and earnestly collaborate with the entire organisation to drive positive change within it and create a resilient digital ecosystem. That’s why it’s fundamental that they focus on relationship building (and nurturing) and foster a culture of shared work priorities and vision.
They also need to communicate clearly and concisely on objectives, strategies and feedback with their team members—to encourage them to voice their perspectives and concerns openly—as well as with board members and senior executives to get their attention and support.
What cyber leaders shouldn’t be is confined to compliance. Yes, that’s still an important part of the role, but it goes beyond that. They also have a strategic role to play, devising high value cyber resilience strategies and making the important link between cyber strategy, business strategy and business risk.
Last, but not least, cyber leaders need to be able to work under pressure, be good communicators, and have integrity and ethical conduct. Oh, and don’t forget that they also need to be fine with not having all the answers right away and with being wrong at times—that requires humility.
With these skills, and perhaps some more, they will be better equipped to solve the intricate issues and protect their organisation’s valuable data from the relentless cyber threats that will certainly come their way.
What we think
“This year’s edition was dedicated to leadership, not as a novelty, but as a recognition of reaching a maturity level where progress hinges on leadership’s broader influence, surpassing technical expertise and embracing the strategic dimensions of cybersecurity.” – Simon Petitjean, Cybersecurity Director at PwC Luxembourg
“We’ve said it in the conclusion: cybersecurity and privacy leaders need to be superstars! It is definitely a long and difficult, but rewarding journey that one must not travel alone if he/she wants to be successful.” – Maxime Pallez, Cybersecurity Director at PwC Luxembourg