Chapter One

1. Know the Expectations (or Lack Thereof)

The ideal situation: a newly hired CSM reports for duty and, on his or her first day, is presented with a set of specific expectations and detailed objectives for cybersecurity set forth in a clearly written cybersecurity plan. The plan provides the CSM with concrete goals to work toward. It allows the CSM to hit the ground running and achieve maximum results in the shortest time possible. The CSM will be extremely effective because the company has a detailed cybersecurity plan in place.

Sound good? When it happens, it is. But how often does it happen? Almost never.

Most of the time, the company has no plan, no set goals, no idea of scope and no clear expectations for the CSM they just hired. Typically, the company is only able to express to the CSM a vague desire, like ‘We want our data to be safe’ or ‘We don’t want to get hacked again.’ That’s not a plan.

In fact, most of the time, the company expects the CSM to come up with the plan. They also expect the CSM to resource, scope and execute the plan. The CSM, meanwhile, depends on the company to define parameters and provide a budget. With each party operating under the impression that the other should be providing the basic necessities, the CSM’s role often stalls out within the first week or two on the job.

It’s not that the company wants to leave the CSM in the lurch. Quite often, when a CSM is hired, it’s the first time the company has ever hired a dedicated cybersecurity manager. The company has no experience with having a CSM on staff. They have no history or established protocol for how to manage a CSM. They have no idea how to best utilise this new asset. The company isn’t thinking about what additional resources or support the CSM may require; they are primarily focused on budget.

Mismatched Talent

When a CSM is hired, they’re usually expected to function independently of any one department or team. Within any company, there are internal teams, or tribes, such as operations, finance, sales, marketing, legal, IT, brand management and so on. Since the cybersecurity role lies outside those power teams, the CSM has limited influence within the company. The way forward for the CSM is to work within the internal corporate structure to get on the agendas of those teams and personally influence the key stakeholders and decision-makers.

In many ways, the CSM’s effectiveness is limited by how well they can navigate the internal power structure of the company. CSMs have to work hard to gain acceptance into these tribes. This part of the job is something that is never mentioned in working contracts, it’s seldom taught in universities and it can come as a surprise for CSMs without significant experience.

For example, we know of a company that hired a very proficient-looking CSM with an impressive CV. While the CSM had deep technical experience, he lacked the people skills to work effectively within the company’s corporate culture. Instead of taking the initiative and proactively forging relationships, he waited around for department heads to invite him to a meeting. He ended up sitting in his office all day on the computer instead of communicating with company leaders and managers. In the end, he achieved little to improve the company’s cybersecurity, all because there was a mismatch between the company’s expectations and the CSM’s expectations. Each was waiting for the other to take action.

Sometimes companies don’t even know what kinds of skills the cybersecurity manager should have, so they end up hiring the wrong kind of talent with the wrong expertise. Hiring a cybersecurity manager with the wrong skillset is going to end in failure because the person hired doesn’t match up with the actual needs of the company. But it’s not the CSM’s fault, because the company didn’t know what they needed to begin with and didn’t make it clear during the hiring process.

If the company misunderstands the role and hires the wrong person, then little will be accomplished.

Problems Lie Ahead

Most companies hesitate to commit sufficient resources and budget for a robust cybersecurity programme. They often believe that the cost of hiring a CSM is the only investment they will have to make, though that is rarely the case. (The truth is that a viable defence against cyberattacks can cost hundreds of thousands of dollars.) Effective cybersecurity requires a significant investment beyond hiring someone to manage it.

That’s because cyberattacks affect a company on all levels—they require an immediate response, a careful consideration of the effect on corporate reputation and an adjustment of future growth predictions. When an acute crisis hits, the company first has to focus on the immediate practical problems, like endless help desk calls, a backlog of customer requests, and the possibility of being sued. Crisis management is the order of the day. At the same time, investors and owners are wondering how this hit to the company’s reputation will hinder the growth of the company. Inside the company, managers and employees worry about their own jobs and liability; outside the company, regulators and society are probably already reacting. The dollar cost of the attack itself is probably one of the last things on people’s minds.

Hiring a manager is only the first step. The manager may need to call on existing staff to take on new tasks; for instance, a network engineer might need to develop skills in network monitoring. Internal staff will be needed to build and execute solutions, and it may be necessary to hire external companies as consultants and to test the systems. If additional hardware and software are required, internal IT resources may have to be reallocated. These represent significant costs.

Nevertheless, many companies refuse to allocate sufficient budget funds to cybersecurity—either to fix problems caused by a known cyberattack or to prevent an attack in the first place. So CSMs often find themselves in the difficult position of doing what they can with limited resources, even if it won’t be enough. If CSMs don’t have the interpersonal skills and initiative to gain access to key decision-makers in the company to lobby for more internal and external resources, they simply won’t be successful.

What does a lack of success in this role look like? If the CSM is ineffective, the company’s cybersecurity won’t improve, and may even be diminished. That exposes the company’s employees, customers, and shareholders to serious risks of breach, theft, blackmail, ransom payments, legal action, and more. What’s worse, hiring a CSM without allocating sufficient budget funds can lead the company to have a false sense of security.

The consequences of failure are also considerable for the CSM. Most cybersecurity managers don’t feel accepted, or even respected, by the companies they work for. If a cyberattack happens, the CSM is the one who gets blamed. If the CSM is terminated, she finds herself out of a job, and the company must spend time and resources to recruit and hire a new CSM to come in and fix the existing problems.

What Can a CSM Do to Succeed?

Cybersecurity managers first need to understand what they will be up against. They need to go into a new job fully understanding the challenges we’ve talked about in this chapter, including lack of access to decision-makers, limited or no budget, unclear expectations, a nonexistent cybersecurity plan and a general lack of respect for their role within the company.