Training Our Management

How do we train our management to deal with cyber security issues? There are lots of very good training programs out there for engineers in the IT field to master cyber security. There are really good seminars for IT management on IT security. There are even a few training programs for the general employee on how to deal with their respective cyber security issues. However, there is no real formalized training process for upper management.

Executives go through years of schooling, and then many years of learning the craft of managing people in the field. But nowhere along the way do you see any training to speak of either in the University or in the field. No formalized training program that teaches the executive to deal with one of the most important issues in his entire company.

How Can They Know?

Think for a minute about how important this problem is and how lax the response of the market has been. I remember working for a large Fortune 100 company several years ago and seeing good executives there that had mastered their field and become very competent in the daily operational duties of their company. However after the tech bubble burst and there were layoffs and infighting. Many managers, to put it mildly, freaked out, because they had never been prepared for the crash.

They had lived in a world of soaring stock prices, where your company’s and your own personal value went up every week. They knew how to be successful in a rising tide, but when things got down only a few could survive with any real semblance of maturity and professionalism. Why? One reason was because no one had prepared them for this eventual day.

How Do You Train For Crisis?

No one ever thought to train our management, to be ready for the problems that would arise from a severe downturn in the market. People were under the impression that the market was somehow different now and it would never be its normal up and down anymore, nothing could be further from the truth.

In cyber security, we are reaching this same kind of tenuous exposure to risk. And I believe with just as severe consequences. It may not be industry wide but it certainly is a possibility from company to company. Management needs to be educated on these issues on an ongoing basis. Every executive should know what a “threat surface” is, and how to respond to a “ransomware attack” before it happens. Managers should be up to date on what their peers are doing to mitigate cyber security issues. They should know at all times what the threat rating is for all members of their own supply chain so they can properly navigate these critical relationships.

Executives should be ordering and reading threat assessments, or security audits at least twice per year and more ideally quarterly. They should be reviewing these different issues mentioned above with their trusted security advisor and/or their internal IT and security people or CISO.

This should all be an ongoing process. Every morning the President of the United States receives a security briefing on his desk for his review. Of course, the security issues of the president are much more immediate and persistent. But the lesson is there. How often are you getting briefed on your security posture to ensure you are in front of these issues?

I also believe that executive management should be meeting either formally or informally via their own social structures with their respective peers to trade tips and knowledge with each other on best practices for cyber security issues from a leadership perspective. It could be as simple as hosting a roundtable at your respective trade convention. You could also bring in guest speakers to talk to your professional groups that are versed in cyber security from a management perspective. Your leadership in this crucial area would pay huge dividends just in what you will learn for yourself along the way. Training our management in advance will prepare us for that eventual day when we do have to deal with this crisis because it will happen.

Leave a Reply

Your email address will not be published.