As a cyber security or information security leader in an enterprise organization, especially in the banking and financial industry, you are going to face various challenges at every step of your journey, especially under pandemic circumstances. You should have a comprehensive strategy for dealing with this sophisticated work. It requires strong knowledge and experience in both technical skill, which is the functional skill, and management, which is the cross-functional skill. I would like to share a few tips, and I believe they will work well for a new leader who started out from technical experience.
When you are onboarding at a new enterprise organization, you have a very short time to learn and observe as much as possible about the company culture, environment, people, strategy, mission, vision, etc. Most important, and a key success factor for a cyber security leader, is to identify the key influencers, sometimes known as key drivers, that add more value to your job. The key drivers include law, regulation, standards compliance, the parent company (if you are a subsidiary), and the board of directors or the executive management of your company; these are vital in ensuring that your security project proposal or implementation proceeds effectively and efficiently.
The second important job requires very strong communication skills and business management principles: convincing the top management or the committee to buy in to your initiative, proposal or project. It absolutely requires you to have at least a foundation in business management concepts; this will help you a lot in understanding the management perspective, so that you can explain things to them clearly in non-technical language. An alternative approach that works perfectly is to seek prior support from leaders on the technical side, such as the CIO, CTO, CDO, etc., so that they can at times help you sell your ideas to the top management.
Without a proper plan, you might overspend resources, including time, people and cost. At this point, I will discuss the plan or roadmap that we need to prepare before implementation. Successful planning requires strong experience, knowledge and support from all relevant stakeholders in your organization. A very critical success factor of your plan is seeking support from your direct line. The following tips work perfectly and are practicable in my current role as the Head of Information Security at Amret, which is one of the top 5 financial service providers in Cambodia.
First, you should conduct a security risk assessment and gap analysis, benchmarked against appropriate security standards and best practices such as ISO, PCI-DSS, NIST, COBIT, etc. While assessing the risks, you must factor in the key concerns from the business perspective and the security perspective, which may include financial impact, reputational damage, regulatory fines, service disruption and customer satisfaction.
Second, you should have an approved statement from top management as well as from the board of directors; this is the policy that covers the key risks you have just assessed.
Next, you should consider designing and organizing your team structure, ensuring that the roles and responsibilities of your people are uniquely defined in their job descriptions, so that they work to protect against and prevent those key risks.
"Be a business enabler and balance risks while integrating the security controls and processes at your company"
The last one is your core function, and it is a non-stop job. At this stage, you should define the short-term and long-term roadmap that describes the detailed action plan for implementing technology investment projects, as well as for establishing the processes that support the policy statements and the use of the security systems and tools. As a success factor of this plan, you should prioritize your projects so that they align with the business strategy and the investment plan. It also requires very strong knowledge and experience related to technology, information security, cyber security and project management; this is where your core functional skill will be applied.
Execution and Managing
As with project management and people management, you need to ensure that your work is successfully achieved within the resources you planned, and that your people meet the highest productivity principles. You can apply your own style in managing people; however, you should follow a standard process such as PRINCE2, PMBOK, ISO, etc. to manage the projects. The key success concepts you should have, which are useful for executing and managing your work very well, are:
- Goals and Objectives of your project and your specific job should be clearly defined and aligned with your mission and vision.
- Communication to your people about your goals and objectives ensures that they clearly understand their functions and understand how to deliver the expected outcome effectively.
- Leadership and Inspiration are important and apply to every situation at work. The leader must be strong and flexible in managing change during the project. They need to be good at storytelling, which is very important for inspiring their people to do the job from the heart.
- Reward and Celebration: once the project or work has been delivered successfully, you should create an event to celebrate your people's contributions and express your gratitude to all of them and to the relevant stakeholders. Even if it is small, it is very worthwhile.
Continually improve your skills as well as your work to mature your experience and professionalism. Ask people around you to be your trusted mirror so that you can see your improvement points. This can be done through anonymous feedback, or you can ask your direct line for help. You need not change everything in response to the feedback; you just need to change whatever you think is good for you.
Set your career goal and your education plan, then try to accomplish them. You can learn anything, anywhere, through books and the internet. You should consider extending both your IT technical skills and your leadership skills; they are very critical for climbing your career ladder.