3 Qualities of Effective IT Security Managers

Written by

The role of the IT security manager is getting ever-more complex. Increasingly relied on by the business to safeguard valuable assets while enabling digital innovation and flexible working practices, it's fair to say that information security is now more mission-critical than ever. This puts pressure on the IT personnel responsible for security to excel in the spotlight. So how can IT security managers rise to the new challenges they face? I've summarized three of most important qualities here:

1.      Regular, Credible and Contextualized Communication

Countless surveys have concluded that CEOs, senior execs, PRs, marketers etc. just don’t get cybersecurity. The communication barrier between IT security and the rest of the company is high. IT security managers who can bridge this barrier by challenging incorrect perceptions will be hugely successful.

Our colleagues get annoyed at having to remember complex passwords, but do they appreciate why complex passwords are important? While the wider business thinks controls implemented by IT security are too onerous, IT security managers believe their company’s security controls don’t provide enough protection.

Effectively communicating the purpose of policies and procedures to a colleague, cognizant of their specific motivations and pressures and without sounding patronizing, is the mark of a great (and rare) IT security manager.

2.      Staying Relevant

In a rapidly changing world – this quality arguably applies to us all.

However, in IT security, the impact of not staying relevant is a lot more serious. This year there have already been 19 vulnerabilities in OpenSSL alone. They range from low-severity issues to high-risk vulnerabilities, like Venom, that could allow an attacker to use arbitrary code on the target machine and take complete control.

In IT security, new vulnerabilities are being discovered and released every day, and effective managers diligently check these against their company’s operations – quantifying the risks that their company is willing to accept, or must remediate. An increasing number of IT security managers are also logging into the UK Government’s Cyber Security Information Sharing Partnership (CiSP) regularly to ensure they’re as up to date as possible on cyber threat information.

Some even go one step further to keep their digital ear to the ground by continuously monitoring millions of data sources and cyber-threat intelligence feeds across the visible, dark and deep internet.

3.      Objective, Data-Driven and Accountable Decisiveness

The best IT security managers ensure that objective vulnerability, threat, risk and compliance assessments support well-reasoned decisions, as opposed to making personal assessments based on behavioral risk and/or rigidly adhering to a specific ‘tick box’ standard. They never make bad decisions that can so often lead to an event, such as sharing passwords or using an unassessed service provider.

The most effective managers take this one step further by ensuring they are able to shape strategic decisions with cybersecurity data, ensuring they’re aware of the risks, but also able to actively manage them in a mature manner.

In the midst of a cyber-incident, IT security managers are also under pressure to make difficult decisions when the rest of the business is watching (and in the very worst cases – third parties, regulators and customers). The consequences of ill-informed, rushed incident response decisions are disastrous.

There are a number of open source post-incident customer announcements that demonstrate exactly how much reputational damage and unintended bad feeling a rushed, unplanned communication can cause. If IT security is responsible for a mistake in the midst of an incident (we’re all human), the best managers are not distracted from their main objective of damage control and keeping employees pulling together to find a solution, rather than blaming each other and falling victim to stress and pressure.

What’s hot on Infosecurity Magazine?