Are Your IT and Infosec Leaders Up To The Task?

Posted by Craig McDonald on 22 February 2019 11:01:56 AEDT

Cybersecurity is everyone’s problem: execs, the board, staff on the ground, and especially your IT and Infosec leaders. The question is, are they up to the high-pressure demands of a landscape that changes month to month?

According to the World Economic Forum’s Global Risks Report 2019, data theft and cyberattacks are among the top five global risks by likelihood, right behind extreme weather events (floods, storms etc.), failure of climate-change mitigation and adaptation, and major natural disasters (earthquakes, tsunami etc.).

Cyberattacks are serious, and the report highlights that attacks have close to doubled over the past five years, with “the cost of cybercrime to businesses over the next five years expected to be US$8 trillion.”

I’ve talked a lot previously about cybersecurity needing to be addressed from the top, through CEOs and cultivating a security culture within your business. But while leadership from the top is critical, so too are the abilities of your IT and Infosec leaders.

How can you tell that your IT and Infosec leaders are up to the task of sufficiently addressing your cybersecurity needs in 2019 and beyond?

What do your IT leaders’ report cards look like?

I’m not talking here about your leaders’ personal performance evaluations. To judge whether they are meeting the business’s current cybersecurity requirements, look at what exactly they measure as the basis for company success and KPIs: their metrics.

Thycotic’s 2017 State of Cybersecurity Metrics Annual Report found that:

  • 58% of companies scored a failing grade when their efforts to measure cybersecurity investments and performance were evaluated against best practices, and
  • 4 out of 5 companies worldwide are not fully satisfied with their cybersecurity metrics.

What quantitative metrics are your IT and Infosec leaders using to report on the state of the company, on improvements, and on incidents? How can you tell whether those metrics are “good enough”?

Well, there’s always the option to check what other organisations measure. Here are some measurable metrics from the FY 2019 CIO FISMA Metrics, the annual reporting framework for US federal agencies:

  • Number of users that are required to authenticate to the network using a two-factor PIV credential
  • Number of users with privileged local system accounts
  • (Remote access) Percent (%) of connections utilising FIPS 140-validated cryptographic modules
  • Mean time for the organisation to restore operations following the containment of a system intrusion or compromise, over the prior 12 months
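The value of metrics like these is that they are computed from inventory data rather than asserted, so they can be checked. The script below is an added example, not part of the original post and not code from the FISMA programme: it computes the four metrics above from constructed sample records. The field names (`piv_required`, `local_admin`, `fips_140_validated`, `contained`, `restored`), the 365-day approximation of “the prior 12 months”, and the sample data are all assumptions made for illustration. One deliberate design choice: incidents that were contained inside the window but are not yet restored are counted separately rather than silently dropped, because leaving them out would flatter the mean.

```python
"""Compute four FISMA-style metrics from constructed inventory and incident data.

Added illustration; the data and field names are assumptions, not real records.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed user inventory (hypothetical). `piv_required` means the account
# must present a two-factor PIV credential to reach the network; `local_admin`
# means the account holds a privileged local system account somewhere.
USERS = [
    {"id": "alice",      "piv_required": True,  "local_admin": False},
    {"id": "bob",        "piv_required": True,  "local_admin": True},
    {"id": "carol",      "piv_required": False, "local_admin": True},
    {"id": "dave",       "piv_required": False, "local_admin": False},
    {"id": "svc-backup", "piv_required": False, "local_admin": True},
]

# Constructed remote-access endpoints (hypothetical). The flag records whether the
# endpoint terminates connections with a FIPS 140-validated cryptographic module.
REMOTE_ACCESS_ENDPOINTS = [
    {"name": "vpn-01",      "fips_140_validated": True},
    {"name": "vpn-02",      "fips_140_validated": True},
    {"name": "rdp-gateway", "fips_140_validated": False},
]

# Reporting date: the post's own date is used as the "as of" point.
AS_OF = datetime(2019, 2, 22, tzinfo=UTC)

# Constructed incident records (hypothetical). `restored` is None while the
# incident is still open after containment.
INCIDENTS = [
    {"id": "INC-1", "contained": datetime(2018, 5, 1, 9, 0, tzinfo=UTC),
     "restored": datetime(2018, 5, 3, 9, 0, tzinfo=UTC)},      # 48 h to restore
    {"id": "INC-2", "contained": datetime(2018, 11, 10, 0, 0, tzinfo=UTC),
     "restored": datetime(2018, 11, 10, 12, 0, tzinfo=UTC)},   # 12 h to restore
    {"id": "INC-3", "contained": datetime(2017, 6, 1, tzinfo=UTC),
     "restored": datetime(2017, 6, 30, tzinfo=UTC)},           # outside the 12-month window
    {"id": "INC-4", "contained": datetime(2019, 2, 1, tzinfo=UTC),
     "restored": None},                                        # contained, not yet restored
]


def users_required_piv(users):
    """Number of users required to authenticate with a two-factor PIV credential."""
    return sum(1 for u in users if u["piv_required"])


def users_with_privileged_local_accounts(users):
    """Number of users holding a privileged local system account."""
    return sum(1 for u in users if u["local_admin"])


def pct_fips_validated(endpoints):
    """Percent of remote-access endpoints using FIPS 140-validated crypto modules."""
    if not endpoints:
        return 0.0  # nothing to measure; avoid a division by zero
    validated = sum(1 for e in endpoints if e["fips_140_validated"])
    return round(100.0 * validated / len(endpoints), 1)


def mean_time_to_restore(incidents, as_of, window_days=365):
    """Mean hours from containment to restoration for incidents contained in the window.

    Returns the mean (None if no restored incidents fall in the window) plus counts
    so that open incidents are visible to the reader of the report.
    """
    window_start = as_of - timedelta(days=window_days)
    in_window = [i for i in incidents if i["contained"] >= window_start]
    durations = [
        (i["restored"] - i["contained"]).total_seconds() / 3600.0
        for i in in_window
        if i["restored"] is not None
    ]
    mean_hours = sum(durations) / len(durations) if durations else None
    return {
        "mean_hours": mean_hours,
        "restored_in_window": len(durations),
        "open_in_window": len(in_window) - len(durations),
    }


def fisma_report(users, endpoints, incidents, as_of):
    """Assemble the four metrics into one report dictionary."""
    mttr = mean_time_to_restore(incidents, as_of)
    return {
        "users_required_piv": users_required_piv(users),
        "users_with_privileged_local_accounts": users_with_privileged_local_accounts(users),
        "pct_remote_access_fips_validated": pct_fips_validated(endpoints),
        "mean_time_to_restore_hours": mttr["mean_hours"],
        "incidents_restored_in_window": mttr["restored_in_window"],
        "incidents_still_open_in_window": mttr["open_in_window"],
    }


if __name__ == "__main__":
    for key, value in fisma_report(USERS, REMOTE_ACCESS_ENDPOINTS, INCIDENTS, AS_OF).items():
        print(f"{key}: {value}")
```

On the sample data the report gives 2 users required to use PIV, 3 users with privileged local accounts, 66.7% of remote-access endpoints on FIPS 140-validated modules, and a mean time to restore of 30 hours across 2 restored incidents, with 1 incident still open. Note that the one 2017 incident is excluded by the window, which is exactly the kind of boundary decision a board should ask the leader to state explicitly.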

Do your leaders keep up with the rate of change of the cybersecurity landscape?

An IT or Infosec leader who is resistant to technological change, or who isn’t always talking about new threats, or new security products is a danger to business. If I had someone like this on my team, I’d be worried - and seriously thinking about a staffing reassignment.

It may be frustrating for your C-suite and the board to be constantly bombarded with requests for IT expenditure or infrastructure, or for adjustments to strategy to mitigate new threats. But if your leaders aren’t making such requests, it’s possible they’re on autopilot, and that poses a serious risk to the business.

These are some indicators that your leaders aren’t keeping up:

  • They aren’t actively reading about and exploring the changing cybersecurity landscape on a daily basis (yes, reading the news here is a critical task)
  • They rely on legacy cybersecurity products and haven’t requested new products any time recently
  • They use the same reporting metrics every quarter
  • They have minimal requests for cybersecurity strategy or infrastructure changes
  • They aren’t concerned about their budget (unless you’ve given them free rein on spend)
  • They don’t have much to say to execs or the board beyond basic reporting

It’s irresponsible and downright risky for businesses to have staff working in these roles who are just coasting, don’t care particularly about their job, or lack the skills to keep up with the current cybersecurity landscape. If you suspect any of your leaders fit into any of these categories, it’s time to have a serious chat about their career.

Can’t figure out whether your leaders are up to the task? It may be appropriate to hire an expert outside firm to assess your leaders’ maturity, vision, strategy, and KPIs against the current cybersecurity landscape, and so determine whether they are indeed up to the task.

Ask yourself the question: Are we setting our Infosec teams up to fail?

In cybersecurity, we face two significant and intertwined challenges: a lack of experience and expertise, and a rapidly evolving threat landscape that demands a dynamic and adaptive skillset. I read recently that 80% of CISOs have been in the role for less than 5 years.

Can your Infosec leaders articulate cyber risk in a way that will make your business sit up and take notice? If you’ve made the right decision and hired the right professional, he or she should be able to fluently explain the cyber risks to your business in a language that doesn’t require a knowledge of Java or Ruby. Work with your Infosec leaders to come up with pre-defined metrics that aren’t overly complex, and that are aligned with the goals of your wider leadership team, so that everyone recognises their value.

Likewise, as with other parts of our business, we must trust our Infosec leaders to challenge our perspectives, and to present alternative points of view. This will enable us to tackle issues in their entirety. Too often we promote inexperienced professionals into this relatively new field, expecting them to fall in line, only to find that they’re left carrying the can when things turn ugly. If you’re hiring yes men or women, you’re setting them up to fail.

When you thrust someone into this role, you are placing an enormous responsibility on them. They must be brave, and they must be willing to continually adapt and respond to the changing landscape. Too often we see businesses doing what they’ve always done, blindly following advice. If you don’t continue to evaluate your toolset against the tasks at hand, your business is vulnerable. A case in point is multi-layered security. When I hear that a business has dropped a layer of specialist security because it can save money and consolidate the number of vendors, I have to ask what due diligence they have undertaken, and how robust the conversations were inside the business.

I urge you to ask the hard questions of your team now. You’ll be doing them a favour. Don’t wait until after the fact to ask what went wrong.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyberattacks begin with an email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.

