Most companies don’t have a security problem: They have a leadership problem - SmartBrief


How problematic IT leadership can lead to “quiet cybersecurity quitting.”


James Stanger

I was talking recently with a couple of friends who now work at Google and Amazon Web Services about how they have helped their previous organizations stem a critical problem in their respective cultures. Each found that their tech teams had a tendency to self-cancel cybersecurity best practices at critical steps of a particular project. This is a practice that I call “quiet cybersecurity quitting,” the result of problematic process maturity. It can easily overwhelm the most talented technicians, the coolest software and the best of intentions if left unaddressed. Why does this happen? The reasons are many, but they all stem from problematic IT leadership.

Quiet cyber quitting

Quiet cyber quitting happens because, in many organizational cultures, cybersecurity is perceived to slow processes down. As leaders, our job is to make things happen. Yet, it’s easy for us to fall into a magic cybersecurity worldview where someone feels that tech can be adopted rapidly, and where implementation steps can be skipped with impunity. Therefore, that person has little patience for understanding how to work tech into their business plans. This is a primary culprit for the pervasive lack of quality communication that occurs between tech departments and upper management. The resulting siloed thinking causes serious problems. This leads to the perception – or fact – that IT departments are time- and resource-constrained and struggle to make things happen.

Organizations have gotten away with these attitudes and behaviors for years; that’s not the case any longer. Moving forward, wise, strategic use of tech will mark the difference between organizations that succeed, and those that struggle. Until then, lack of executive communication and quiet quitting will create a toxic IT environment. IT departments chronically rack up technical debt and demonstrate a general tolerance for shadow IT. These behaviors are largely invisible to the institutions that tolerate them. Here’s a look at the primary problems and key solutions when it comes to the state of cybersecurity in 2024.

Technical debt happens whenever a team or team member skips critical steps during implementation. A friend of mine at Netflix once told me that he sees a lot of “make do and mend” going on in IT departments during projects. Another friend once told me that IT teams and developers employ “more than their fair share of magic.” When I pressed her, she said, “We skip steps to get stuff done – it’s that simple.” It turns out that any implementer has to make compromises during the development lifecycle. That’s not necessarily fatal in and of itself, but failing to iterate your way out of those compromises often is.

Shadow IT occurs when various departments or individuals in an organization source a tech solution independent of the IT department. This is an increasingly pervasive problem. One of the many problems of shadow IT is that it introduces a technical stack into the organization that is not properly included in cybersecurity efforts.

Resolving IT leadership issues

Now that today’s organizations rely on tech more than ever, we can’t afford to tolerate these problems. Our CompTIA IT Industry Outlook 2024 report has outlined many of these problems, as well as the solutions. Here’s what the best organizations do to move forward with confidence and resolve toxic IT practices. It starts by addressing several root causes. And, no, none of these solutions involves using ChatGPT.

First, the best leaders realize that if they don’t address the persistent lack of quality communication, they will never be able to deal with their corporate cultures as rational entities. We know that good leaders understand that they need to address root causes. Otherwise, they know that they’ll unwittingly end up creating an organizational culture that is poised to frustrate the best workers, the best tech and the best intentions.

We can’t afford to be vague in our intentions or settle for mere technical “poking at the bear” activities. Here are some quick tips to consider:

  1. Manage leadership communication silos: Easier said than done, but our collective cybersecurity problems begin with a lack of quality communication at the leadership level. Proper implementation of governance, risk management and compliance can help. Focus on a strategic approach to your IT departments, rather than seeing them as a mere tactical resource. This is why “durable skills” have become so critical to leaders and IT workers.
  2. Get beyond the “secure by design” delusion: Focus on iteration, instead. It is a critical step. While “cybersecurity from the ground up” is a worthy idea, it is rarely successful. Focus on a step-by-step approach. Otherwise, you’ll run the risk of more cybersecurity incidents and tech worker burnout.
  3. Adopt long-term thinking: Most tech teams aren’t as good at iteration as you’d think. Sure, the “try, try and try again” mantra is always relevant. But, without proper leadership and executive patience, the concept of “iteration” easily devolves into activities that merely kick the can down the road. That’s why many organizations excel at creating problematic environments. Adopt a project-based, long-term approach to solving problems.
  4. Become an IT whisperer: Our cybersecurity problems may not begin with the IT department, but they are certainly perpetrated by that department if you don’t have your leadership ducks in a row. This means you need to learn some tech as a leader.
  5. Make a map: Tie business needs to tech abilities. Then, make this map available to all stakeholders – it’s all part of your job to communicate.
  6. Create employee “skillability”: Get your workers trained in both leadership and technical skills.

To get out of this leadership problem and succeed, you’ve got to get intentional with your security. Start with some of the leadership skills I’ve mentioned. Then, focus on accountability. This includes communication, iteration and education. Inevitably, you’re going to rely on your organization’s tech function more than ever before. Better communication will result in better outcomes, better leadership and better cybersecurity.