Why and how we should apply more often management theories to cyber security
Christmas time is usually a time to lean back, reflect on the year, and pick up some good books to read again. This year, I was offered by a friend the book “No Rules” by Reed Hastings and Erin Meyer about the Netflix culture. And while reading I came across an observation that I believe worth sharing.
While reading the book, one quote besides a lot of other good content really stuck with me.
“Lead by Context and not by Control”
No Rules Rules, Reed Hastings and Erin Meyer
You are probably already asking: what is the relationship with cybersecurity exactly?
I began to wonder if we actually apply this methodology in cybersecurity and if not, why we would not use it. After all, there are lots of very insightful management theories out there that have a long proven track record. Looking back into my times as an analyst, junior consultant, and later on as a manager at the big 4, I could barely recall any usage of these methodologies in cybersecurity and even less in any cybersecurity trainings.
I believe cybersecurity can benefit a lot from management principles. After all, cybersecurity starts with individual behavior and that is precisely the point of management.
That quote “Lead by Context and not by Control” should definitively be part of any cybersecurity training about cyber governance and the design of cyber policies and awareness campaigns. A quote from the Netflix culture deck details that “high-performance people will do better work if they understand the context”. In cybersecurity, no common cyber security policy will be followed and reach their protection goal if the employee does not understand the “why” and the impact they make through the careful use of this policy.
Therefore, publishing a policy is by itself just a control, designed for compliance. The real increase in protection will be achieved by giving context, explanation, and understanding to the audience. The adoption of cyber governance and standard will increase drastically when the measures are understood by the teams.
Though it might sound obvious, it is still too little put into practice in big organizations.
Another very interesting management theory for cybersecurity strategy design is explained in our PoV OT Security Strategy: the adoption curve. Maybe we can even extend this one a bit? I believe many other insightful principles can be inherited by cybersecurity management.
BxC Take Away
Let´s not try to dissociate management from cyber but learn what we reused to improve management practices in cybersecurity.
Cybersecurity starts with people and that is precisely what management is about. Having an inclusive management approach to Cyber will bring lots of benefits to the entire organization.