Breaking the perverse model

Too many people still think cyber risks are not real. “It won’t happen, because it has never happened before.” There lies the biggest challenge. The employees of a company pose a challenge for cyber-risk professionals. Time and again they turn out to be the weakest link in the chain. There are also charlatans who appear on the market. Security is a growth market where a lot of money can be made. Every opportunist can present himself as a cyber-risk professional in order to get his share of the pie. Separating the wheat from the chaff is not a simple task. How do you choose the right provider for your organization? And what do the various certifications mean?

Many providers make it a sport to collect as many certificates as possible. The abbreviations fly around on their websites – CISSP, CISM, GISF, CASP, SSCP and so on. Behind every abbreviation there is a very banal revenue model. For each certification one has to pay, which is odd. Why should you have to pay to prove your own expertise? Just as in education, a certificate stating your level of skill should not be associated with a financial incentive. These certificates can’t then possibly be independent. The European e-Competence Framework and its specifications for security professionals need to be adopted by nonprofit educational institutions.

A curriculum vitae may perhaps tell you more about the expertise of a person you may hire. What is someone’s education, where did he/she work, are there recommendations? Or in the case of a provider: which customers have they served and how satisfied are they with the delivered services? That way you get a better insight. So proper due diligence is key. Make sure that you’re hiring a reliable party. Consult peers who are not in IT. Get advice from someone who works in a different, more mature sector, such as finance or aviation.

And the golden rule ‘penny wise, pound foolish’ also applies to services in the field of cyber risk. Suppose you need to hire a penetration tester. Be aware that offers that only charge a fraction of what the market usually requires can’t possibly give you what you need. At best you may get some kind of refined vulnerability scan.

A leader should be able to spot that intrinsic drive in people and thus in a provider. Good leaders have self-knowledge. They must know their own strengths and weaknesses. When it’s clear what you’re not so good at, you know what skills you need to get elsewhere. This can be managed with a science-based ‘resource-based view’. That framework helps you to optimally exploit the strategic resources of an organization – people, money, resources, technology. Where are the good people and the good teams? Who should I hire?

A leader must also be able to rely on himself, for example, to resist the perverse incentives. How far do I allow myself to be carried away by FUD emotions? How strictly should I sail my own course? Those who are good at this are real CISOs who can truly separate the sense from the non-sense.

Among many definitions, leadership can be portrayed as motivating people in such a way that they will do the right things on their own. On the other side of the spectrum, there is still the ‘leader’ who belittles his/her people and mainly points out what they have done wrong. “Didn’t I tell you to set up that firewall like this? Now see what has happened: we’ve been hacked.” To break this kind of non-constructive vibe, you can only tell those ‘leaders’ that they should restrain their negative inclinations.

When you can’t get rid of these people, the most practical thing is not to involve them in projects. You don’t want their destructive influence to affect a team’s flow. The same applies to employees. Nobody wants a grumbler in their team. Notorious complainers are best helped by saying: “You need to tackle your problem on your own, or the time has come for you to think about whether this is the right place for you.”

As a leader, the trick is to find the right balance between standing firm on your vision and being flexible, open, and transparent. Both are needed, especially when things absolutely need to happen, because if they don’t, harm will be done.

Employees who really love their profession do not want their skills to be called into question by their managers. Recognize the craftsmanship of your people. “You’re the expert!” That way you encourage someone to go that extra mile. That woman or man works an hour extra to really understand a topic and learn more about it or in order to complete an important checklist after working hours.

This is related to the corporate culture, or what Professor Sumantra Ghoshal refers to as ‘the smell of the place’ (1). It’s not helpful when there is little or no mutual understanding between IT and the business. Anyone who hears conflicting messages will not easily maintain that intrinsic motivation. It has to do with both nature and nurture. The intrinsic motivation must be there naturally, and the right incentive can make it thrive. The danger of an overly strict hierarchical corporate culture is that it can kill intrinsic motivation. When someone has tried for half a year in vain to be recognized and treated as an expert, she/he will no longer fight. They have been crushed and will not go the extra mile. The true craftsmen will make sure they leave the ‘stinking place’.

Another question is: how good or reliable are the digital giants with their security service offerings? How deeply entangled is Chronicle Security from Alphabet with all the other endeavors from Google? Or Sentinel from Microsoft for that matter? Companies such as ATOS, HP and IBM have many hosting services, while their cybersecurity divisions are rapidly growing as well. It seems like they are cleaning up their own mess, so perhaps their security services should be free of charge.

Is the perverse incentive a given or can we make it disappear? For example, recent protests against financial exploitation by IT vendors, who keep their customers imprisoned in a lock-in, are getting louder. This too has to do with maturity.

Many providers, such as Salesforce, charge their customers extra for safe data processing. That is strange when we compare this with the automotive industry, where many features – electric windows, airbags, cruise control – are just standard issue. These are not regarded as extras. Major steps have been taken in the automotive industry to make cars safer. This increased quality of the product as part of the service is driven by the wishes of customers. On the other hand, the regulations act as an incentive for improvement. The automotive sector is highly regulated because the consequences of malpractice by manufacturers can be dire: a lack of quality can result in deaths. The same applies to healthcare and aviation.

Similarly, the cyber-risk field benefits when security suppliers and security professionals must comply with stricter regulation. That will only happen with stricter regulations or more attacks. And more maturity, where true customer focus results in added services and quality without charging more, is also needed.

This part is taken from the book Leading in Digital Security – Twelve ways to combat the silent enemy. If you want to read more you can order the book on or in digital format on most online bookstores, e.g. Amazon (iBooks will be available soon).

(1). The Smell of the Place – Talk on Corporate Culture by Prof. Sumantra Ghoshal.