The Troublemaker CISO: Defending Against Insider Threat
Security Director Ian Keller on the Need for a 'People Leader'
It is common knowledge that leaders make or break the team. Many people profess to be true leaders - are they?
You may ask how this is relevant to my usual rants about information security, and the answer is simple: Leadership has a lot to do with the dreaded insider threat, or the privileged insider.
The Privileged Insider
A privileged insider is someone with the keys to the kingdom, and there are many. They can do irreparable harm to the business by virtue of the level of trust assigned to them or the roles they fill. The industry you are in will define who they are. I'll let your mind run wild thinking about this while I focus on the tech teams. You see, anyone who has administrator or equivalent access can shut down your operations, exfiltrate your data or open the floodgates and allow any and every attacker to get in.
Why would a staff member do this? When you appointed them, you looked for the best fit in terms of skill, experience and competencies, and you looked at how this person would fit into the team. Your human resources staff did a background check that included financials, criminal record, and most likely social media, and everything came back clear. Yet, this person went feral and caused you and your business harm.
The most likely reason for this is toxic leadership. In recent weeks, I have seen a flood of social media activity highlighting this issue. If people are treated like slaves, they will revolt.
From the employee's perspective, when someone accepts an offer of employment, they look at everything associated with the opportunity: "Can I do this job and exceed on expectation? Does it excite me? Is the salary in line with expectation? Is there career growth? And of course, can I work with the leader and leadership?" Depending on their personal situation, the answer to this last question is most likely the biggest factor in whether someone accepts a position.
The 'People Leader'
Now we get to the heart of the issue. Forbes defines leadership as "a process of social influence, which maximizes the efforts of others, towards the achievement of a goal." That definition puts the emphasis on the business goal.
Forbes also defines a people leader - someone who focuses on the team and "spends time building relationships with colleagues, coaching employees to reach their full potential and aligning teammates toward a common goal." Given this definition, I would gravitate toward people leaders for the simple reason that they care about me. They would ensure that no staff member becomes disgruntled, because nobody joins a company disgruntled; that state is created by the environment they work in. Leadership plays a massive part in changing the behavior of a person.
Look at how staff were treated during the latest round of tech layoffs. If you got locked out with no warning, consultation or discussion - if you were just dropped like garbage and disposed of, would you leave with good feelings, or feel rather feral?
This is what leads people to turn on you and your business - and do whatever they can to get revenge for having slaved for you, proven their worth and then been unceremoniously kicked to the curb. The way you treat people is directly reflected in how they treat you and your business.
If your biggest risk is the insider threat, I would suggest that you seriously look at whether you are a people leader. Find out what your people really think and feel - and if they feel disgruntled, find out why they feel that way, because they can do you harm even if they just quit.
Technical controls can limit what a disgruntled insider is able to reach, but you, the leadership, are the only defense against what makes them disgruntled in the first place.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Ian Keller, director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.