In addition to Commander-in-Chief, the President also heads our national cyber planning and operations, both offense and defense. During the past four Administrations, from Clinton to Trump, this duty has only come into public view in the context of election tampering. It is my Number One Prediction for 2021, however, that serious nation-state threats will rise to demand more intense cyber expertise from our President.
To that end, I decided to share the evaluation criteria we use at TAG Cyber to help the largest organizations in the world select their senior-most cyber leadership. Each item in the criteria corresponds to a personal or professional attribute that powerful government and commercial entities use in selecting their cyber leader. This usually comes in the form of a Chief Information Security Officer, a position I held for two decades at AT&T.
The criteria items are typically translated into interview questions for C-Suite members to ask CISO candidates. I was struck by how well each of the six attributes lined up with my opinion of what a President should also possess regarding cyber. In fact, I did not change a single word in the phrasing of this list, which I’ve shared with Boards, CEOs, and other executives asking for the most desirable attributes to demand from a CISO candidate.
I would ask that you review the attributes below in the context of the two candidates. Look at each item and ask yourself which of the two men running for our nation’s highest office best possesses that attribute. And yes – I understand that in other contexts, different personal traits might be desirable. But this is an article about cyber security, and the following list should be considered carefully in your vote if you care about our professional discipline:
Can the candidate bring together disparate groups under a common security policy?
The essence of enterprise cyber defense involves bringing different groups together into a coalition that works toward a common security policy. This requires calm, expert negotiation and communication skills, as well as the ability to see things through the personal lens of other executives, leaders, and individuals. Security is not achieved through conflict.
Does the candidate listen to experts and include data as basis for decision-making?
The protection of critical infrastructure from cyber threats is a non-trivial activity, and it requires the ability to listen to security experts (such as you, dear reader of this article). It also requires a willingness to accept actual collected data (e.g., patching statistics), even if this data does not reflect well on the organization’s security and compliance posture.
Does the candidate serve as a good role model for secure IT and mobile usage?
The leader must exemplify good behavior with all IT, mobile, social, and web usage. This includes proper use of devices and Internet applications such as Facebook, Twitter, and LinkedIn. Employees follow the actions of their leader, and sloppy selection of passwords or social posts cannot be accepted in any corporation of meaningful consequence.
Is the candidate expert in dealing with adversaries including disgruntled insiders?
The candidate should understand the cyber adversary and should expertly handle any public discussions of nation-state attribution. Insider threats should also be minimized by creating a supportive work environment so as to avoid disgruntlement. One of the greatest risks to the corporation involves CISOs creating negative work environments for employees.
Will the candidate coordinate with the intelligence community on threat assessment?
Larger companies will be exposed to greater threats from nation-state actors. To this end, the candidate must possess a calm, trusted working relationship with our nation's intelligence community and should avoid any form of public conflict in this regard. Disagreements with the intelligence community must be handled privately and with great personal negotiation skill.
Does the candidate possess the highest levels of honesty and integrity?
This is the most important attribute in any cyber security leader. Without 100% confidence in the honesty and integrity of the candidate, the Board and C-Suite cannot possibly achieve their highest objectives for a meaningful cyber defense. This one personal attribute cannot be compromised ever – and if not present, should be viewed as a disqualifying trait.
Thank you for voting.