Cybersecurity Implementation Versus Organizational Layers of Leadership

In view of the rapid evolution of technologies and tools that come under the very broad term “digital transformation,” in my previous article we attempted to shed more light on the crucial influence of organizations’ leadership on the successful (or unsuccessful) implementation of cybersecurity programs, and argued why a transformational leadership style would best fit this purpose if organizations aspire to be secure.

However, let’s assume that an organization has a transformational-style leader (CEO) who, on the one hand, is primarily concerned with long-term objectives, continually evolving business-technology disruptions, and the cyber risk paradigm and threats, and who, on the other hand, empowers the employees to tackle such risks. How can the leader ensure the successful implementation of his/her vision and have the employees buy into that vision with regard to cybersecurity versus technology adoption?

How can the CEO make sure that other leaders in the firm, whether divisional or departmental, have their strategies smoothly aligned with his/her vision and that this vision is effectively conveyed to employees at all levels?

Nowadays, with the increasing public and legal scrutiny of privacy and data protection measures, the success and sustainable growth of any organization, especially digital and interconnected ones, is directly related to its cybersecurity measures. In this respect, the leadership always has a direct influence on the implementation of such measures and the upper hand in directing budgets and resources to serve this critical purpose.

With a constantly changing cyber threat landscape, the CEO needs up-to-date reports with essential information, proper metrics and clear communications, and needs to transparently communicate the risks at different levels of the organization to other mid-level leaders. Despite this, it is unsurprising to see that many organizations don’t have this basic capability: the leader does not know what is going on except at board meetings, or when a data breach happens.

Thus, it’s crucial that the CEO always takes a proactive rather than a reactive approach when it comes to “cyber-securing” their organization. That said, the best leaders tackling their organization’s cybersecurity are those who understand technology implications and the associated risks, have exceptional communication skills, and can talk at all levels with technical and non-technical staff alike.

While we can indicate that organizations aiming to develop or enhance their cybersecurity posture are best led by a transformational leader who empowers the teams to deploy their expertise and gives them the right tools and resources needed for protecting the firm, there are other departmental leaders in the middle of the organization who micromanage employees.

These mid-level leaders may not equally empower the employees - and that’s a problem. On the other hand, mid-level leaders may empower their IT security employees and yet underperformance takes place, which is also a problem.

Accordingly, we can argue that a CEO adopting a combination of transformational and transactional leadership styles and qualities can be equally effective in tackling such a managerial issue, where he/she has to hold the middle line between an empowering transformational leader and a micromanaging transactional leader.

The issue for the CEO is not only ensuring that his/her vision is clearly communicated to other leaders in the organization, but also ensuring a two-way feedback process and accurate implementation metrics. This will greatly help the CEO in realizing:

  • What the evolving cyber risks are
  • What cyber investments need to be made to protect the organization
  • Why such investments need to be made
  • How much the risk percentage would go down in correlation with such investments

Doing so will not only support the CEO in being fully and proactively engaged in setting the organization’s cybersecurity strategy, but also help the CEO explicitly explain to the board how they will measure the cyber risk and what the organization is strategically going to do about it.

The challenge is not about having all the security solutions out there, but about the desire for a proper understanding of the continually evolving risks. A transformational perspective is therefore needed to understand such risks and tolerate ambiguities, rather than a transactional one that would just execute based primarily on existing data and historical performance patterns.

To do so successfully, we still argue for the critical need for a transformationally inspired CEO. However, while the transformational CEO should empower his/her CISO and IT security team and have confidence that they will build an effective and efficient cybersecurity program, the CEO must also closely scrutinize the implementation. In this respect, and to support the building and execution of the cybersecurity strategy, we can strongly argue for organizational leadership layers: a transformational-style CEO in the first line who is always on top of technology and cyber-related issues, and a second leadership line made up of a transactional-style leader who ensures effective execution and the daily implementation and operation of cyber hygiene.

It takes both leadership qualities to make an organization run: a transformational CEO sets the tone, while his/her transactional second line of leadership executes and ensures a continuous circular feedback process. A transformational leader has the vision and strategy but needs the executing (transactional) team to translate that strategy into realized action.


Mohamed ELDoh, MBA, is the Director of International Business Development at United Investment- Egypt and a Business Doctoral student at Grenoble Ecole de Management, France.

