5.1.23 > CDR Chip Laingen, USN (Ret.), MPA
My current roles in business and academia have afforded me two uniquely rewarding perches from which to view innovation, both in terms of the creation of products and services, and the leadership and management of them.
As the director of a large technology-focused business alliance, I’m immersed in the corporate cultures and strategic plans of many diverse businesses, large and small. And as a graduate faculty member for master’s-level degree programs, I’m privileged to witness mid-career professionals study challenges within their firms and put forth recommendations to fix them through their capstone projects. In both instances, I have the luxury of being a neutral third party, free of the risk behind what I recommend, yet empowered by the independence it provides. From that vantage point, it’s been patently obvious to me that the most challenged of business leaders are those who manage cost centers: those non-revenue-generating units like marketing, quality, safety, human resources, and yes, IT/cybersecurity.
Therein lies a leadership challenge for cyber professionals in firms – lots of them – that mistakenly view cybersecurity as a necessary cost rather than the ultimate guarantor of revenues in an increasingly dangerous, interconnected world. The good news is there is a proven formula to create not just a compliant culture, but an enthusiastic and committed one. Here are five key elements of that formula for cyber leaders:
- Communicate both the need and the potential. It’s not enough to lay out the dangers that lie in wait from a cyber-negligent posture; though the “scared straight” tactic can certainly be a good one, given the risks. But as those in marketing will attest, they have to find creative ways to tie revenue gains directly to their efforts. It’s often not an obvious connection, but it can be done. Cybersecurity is the same; its perception as pure defense can also be sold as a strategy for offense, gaining a firm the ability to protect IP, ensuring customer confidentiality and security, and reassuring boards and other stakeholders of more predictable and resilient outcomes.
- Empower everyone. This should be obvious to cyber professionals by now, but it can’t be overstated. From training programs and constant reminders about phishing emails and good password habits, to regular red-teaming of company-killing risk scenarios, a strategy has to be comprehensive across systems, but also inclusive of everyone who touches the organization. And everyone needs to believe they can break a link in a security crisis chain of events.
- Secure both doers and champions. Empowerment efforts are necessary and valiant; but let’s face it: not everyone will care, no matter the risks involved. That’s true in human nature with one’s own personal safety, so certainly we can’t expect everyone to be an ally in the safety of an organization. That means constantly recruiting allies who will both champion your efforts and assist with actually putting safeguards in place and encouraging compliance.
- Make recommendations actionable. Management comes with identifying challenges and recommending solutions. But effective leadership is what makes them happen; and that means what you recommend has to be clearly articulated, universally understood and most importantly do-able. As a cybersecurity professional, what you know and do is not always entirely relatable to your colleagues. You need to ensure that those you empower are resourced and ready as effective allies for your cause.
- Call it something else. Finally, and related to #4, the language of the cyber world is unique, as is the lingo in any established profession. What’s obvious to you is likely not to most everyone else in the firm. We might think that terms like ‘breach’ and ‘advanced persistent threat’ and ‘DDoS’ are now ubiquitous enough to be grasped by everyone. Truth is, they’re not. Worse, much like people’s perception of the national debt, our constant harping on the risks, real as they may be, might just be lost on a weary audience. It might be worth changing things up when it comes to the messaging of both risks and the protections against them.
For me, being something of an outsider looking into the cybersecurity world, I’ve become immensely impressed by the high level of professionalism among those the industry has produced. They have also helped me understand there are no more persistent and serious threats to our security than what they guard against. My hope is that our cyber professionals match their impressive knowledge with equally effective leadership.
CDR CHIP LAINGEN, USN (Ret.), MPA, Executive Director, Defense Alliance
Chip Laingen is the Executive Director of Defense Alliance, the Upper Midwest defense industry network, with members in 37 states. The Alliance was presented the prestigious “Progress Minnesota” award in 2014, became one of the nation’s three Advanced Defense Technology Clusters in 2010 and won the Veterans Small Business Champion of the Year Award in 2007. He is on the Advisory Committee for Full Stack Saint Paul, Cyber Security Summit and Midwest Cleantech Open; and previously served on the executive commission of the Minnesota Science & Technology Authority, the AirSpace MN and Robotics Alley Advisory Committees, and was selected as an Executive Fellow for the University of Minnesota’s Center for Integrative Leadership in 2012. In 2011 he joined the graduate faculty at the University of Minnesota’s Technological Leadership Institute where he teaches Risk Communications and Policy for Security. He is a past President of the Twin Cities Council of the Navy League and is the author of “Laingen on Leadership.”
You can connect with Chip here at https://www.cybersecuritysummit.org/speakers/chip-laingen/
And on LinkedIn at https://www.linkedin.com/in/laingen/