The technology used by a firm is a reflection of that company, so what is the one thing you are going to do to help lead the security culture in your organisation? Professor Daniel Prince, a Senior Lecturer in Security and Protection Science within the School of Computing and Communications at Lancaster University, explains...

He says: "Not a day goes by without some news story regarding a cyber security incident. The most recent is the attack on a technology supplier for the NHS 111 service. The fear is that patient records and ultimately patient health could be affected.

The NHS has some of the most stringent codes of connection and information governance requirements in order to work with them as part of their supply chain. They have well-articulated technical and technology requirements regarding security. So, the question that is often asked as a result is, if it can still happen to one of their suppliers what is the point in us doing anything?

The response is simple; it is still true that 80% of cyber attacks can be prevented with a few basic controls. These controls are well embodied in the NCSC's guidance and advice; what some refer to as basic cyber hygiene. The technologies to put the required protections in place are cheap, simple and effective, and are often embedded in the services companies already use.

Most of it is about protecting your virtual identity: separate private and company passwords, using a strong, easy-to-remember password, and using two-step verification. The guidance also talks about making sure your systems are updated and that you are making copies of your most important data, both of which only really cost you your time. However, it is clear technology on its own is not enough, even with mounting evidence that it is not IF a business will suffer a cyber attack, but when, and how much it is going to cost the company.

“The technology used by a company is a reflection of that company” is a comment that emerged from conversations with colleagues in Lancaster’s Management School. It indicates that the technology a company uses is the technological embodiment of the business processes which drive a company and, importantly, its culture. In this case the security of a company’s technology must be a reflection of that company's security culture.

If a company, and its culture, does not respect or take seriously its security and protection, it should hardly be surprising when the technological systems that company employs are missing simple security measures. Technology can only enforce the policies and procedures which the company deems to be appropriate. There is only so much responsibility that an external supplier, such as Google or Microsoft, can take before the autonomy of your decision making is impinged."

Simon Sinek, a well-known leadership commentator and author, has said: “Cultures are groups of people who come together around a common set of values and beliefs.” It therefore becomes interesting to explore the security and protection values and beliefs of the culture you have in your organisation. It is also important to understand how that culture is led, and what leadership, specifically cyber security leadership, should look like in order to develop that culture.

In many ways cyber leadership is just leadership: helping those around you develop and thrive, providing inspiration and bearing responsibility. Read any one of a number of leadership books and they will also tell you that leadership can happen at any level of the organisation, in any role. It is not something only those with Chief in their title do.

But there is something about the cyber component that makes cyber leadership different. At the recent Cyber Leadership Symposium held at Lancaster to launch our university’s new Cyber MBA programme, the question of whether a cyber leader needs to be technical was asked a lot. The general consensus was no; but they should be able to work with and get the best out of technical people. This requires a cyber leader to have awareness of the technology, but not necessarily deep technical knowledge.

What is important about a cyber leader, regardless of their role or level within the organisation, is their deep concern for the protection of their business and their employees. Protection, safety and security are incredibly emotive: too much and individuals feel smothered, too little and they don’t feel cared for. Walking that line is a challenge every cyber leader needs to take up, and they must also help to develop the positive security culture that runs alongside it to yield benefits for the company.

Considerable research effort has been devoted to security culture, and the UK government has invested in that research through the Centre for Research and Evidence on Security Threats (CREST) and the Research Institute for Sociotechnical Cyber Security (RISCS). For example, one project explored how organisational change can lead to counterproductive work behaviour; it showed how poorly led business change projects can give rise to insider cyber threats.

Cyber leaders have therefore been shown to be essential to all types and sizes of organisation, and there is lots of help at hand. The NCSC has guidance for leaders and managers on developing positive security cultures, alongside organisations such as CREST and RISCS. But importantly, you can take action after reading this article: what is the one thing you are going to do to help lead the security culture in your organisation? How are you going to help those around you to make better security decisions in service of your organisation? Share stories of successes and failures; help people learn. It is only together, through people, that we can achieve better cyber security. After all, most organisations prefer to talk about investing in their people rather than investing in technology.