Four reasons why leadership trumps compliance
The problem with U.S. cybersecurity is simple: compliance, benchmarks, and checklists have become a substitute for real leadership. This is understandable, but an indefensible mistake.
Compliance, benchmarks, and checklists can always help cybersecurity improve, but never enough to compensate for a lack of leadership. Far too often, in my opinion, organizations are relying on tightly scripted audits, consensus benchmarks, and information sharing to unite people around cybersecurity. While these are essential tools, they are poor stand-ins for leaders who can forge clear agreement about challenging policy decisions and drive deep conversations needed to make tough trade-offs. In other words, cybersecurity is more and more guilty of abdicating leadership to compliance.
There is no substitute for the sheer power of having leaders face into the stickiest and murkiest of challenges. But this is not the case, especially in the United States and especially as the top cybersecurity position in the United States remains unfilled. We remain a leader, without one.
For several reasons, only leadership can achieve what compliance, benchmarks, and checklists cannot.
First, leaders face into issues that compliance cannot fathom. Compliance rarely examines broader questions regarding value that security leaders routinely confront:
- What is the role of security?
- How do we measure and improve the impact of security on our endeavors?
- What innovations should we be exploring?
- What strategies are likely to achieve better outcomes?
In other words, compliance is blind to value and insensitive to risk. Compliance eclipses what means most to us. Compliance is about doing things right, not about doing the right things, for the right reasons, to the right effect.
Second, rules restrict when and how decisions are made. In contrast, strong leaders respond dynamically from a portfolio of options. Too often, security leaders have their hands literally tied by compliance, benchmarks, and checklists, and sometimes do it to themselves.
My experience suggests that organizations try to solve security problems that stem from lack of security leadership by ladling on more checklists and benchmarks. The hidden assumption is that greater alignment and better security decisions would result from clearer rules, tighter conformance, more meetings, different people at the meetings, and more procedures and checklists. I believe they couldn’t be more wrong, and in so doing exacerbate their challenges.
Security programs transform into a mammoth system of checks and more checks, involving long, arduous meetings, voluminous audits, multiple committees, and questionable outcomes. Worse, stakeholders become more disaffected, more frustrated, and more alienated. As a result, support, participation, and ultimately credibility plummet.
In comparison, strong leaders are dynamic in planning and action; they see options, not rules. As General Colin Powell remarked, “leaders honor their core values, but are flexible in how they execute them.” Compliance is a laggard on the battlefield; an inflexible framework that teleprompts our actions to the enemy. Leadership is about confronting risks on the horizon, adapting accordingly, and being a pain-in-the-ass to the enemy, not stakeholders.
Third, compliance is an accounting; leaders are accountable. Certainly, compliance, benchmarks, and checklists provide insights into behavioral details, but therein lies the temptation to abdicate leadership: transparency is not equivalent to accountability.
Ironically, compliance, benchmarks, and checklists promote transparency but not necessarily trust. Compliance, benchmarks, and checklists cannot make people trust each other – trust is built at a personal level, from regular contact with an accessible leader and from systems that reflect and support what people want to do. Security leaders can earn trust by demonstrating that they understand difficult situations from the viewpoint of their peers or customers, by examining security options as a future investment rather than as technology solutions and by managing security by outcomes, using metrics that have meaning to their audience, not themselves or technologists. This takes effort; it takes conversations.
Finally, compliance, benchmarks, and checklists by their nature lack the focus, energy, and high-level attention that an individual leader can provide. Trusted, credible leaders articulate a vision for security’s role and ensure that this vision is clearly understood by the audience. To do so requires tacit interactions by a leader, not memos, not benchmarks, not checklists.
Without a leader, compliance, benchmarks, and checklists are like a vehicle without an engine. U.S. cybersecurity is currently stalled, not only because the top cybersecurity position remains unfilled, but because cybersecurity leadership in general remains unfilled. Compliance is in the driver’s seat and as a result, our costs remain high, transformation is slow, and outcomes are disappointing.
True leadership is rare. This is indeed true. True leadership results only from deliberate effort and focused attention; from commanding the environment instead of being commanded by it. It’s tough, dirty, challenging and ultimately the most rewarding thing we can do for our profession. In the end, compliance is no substitute for real leadership. Compliance is a tool, but for heaven's sake, don't let it lead.