Exploring the relationship between Authentic Leadership of Information Security/Cyber Security Professionals through Job Satisfaction of Information/Cyber Security Program Outcomes
The purpose of the study is to identify the relationship between technology professionals’ perception of the authentic leadership of their leader, as measured by the Authentic Leadership Questionnaire (ALQ), and the information security (data breach) posture of responding organizations, as measured by the Security Effective Score (SES). This study contains two research areas. For research area one, a regression analysis will be conducted to determine whether a predictable relationship exists between the independent and dependent variable while controlling for gender, age, certifications related to the field of information security (i.e. CISSP, GIAC, GCIH, etc.), tenure, and education level. For research area two, a regression analysis will be conducted to determine whether a predictable relationship exists between information security data breaches and authentic leadership (self-awareness, rational transparency, internalized moral perspective, and balanced processing) when controlling for gender, age, certifications related to the field of information security (i.e. CISSP, GIAC, GCIH, etc.), tenure, and educational level.
Table of Contents
Dedication
Acknowledgements
Abstract
Chapter 1 Introduction
Exploring the relationship between Authentic Leadership of ISO’s and CISO’s through Data Breaches of Security Outcomes
Information security breaches have been a long-term problem, and the last five years have been especially significant because of massive media exposure. Take the recent Target data breach as an example. An eWeek article describes a failure of human control, rather than a technology problem, as the cause of the massive number of stolen credit card numbers: “The Bloomberg Businessweek story alleges that Target had systems in place from security vendor FireEye that did, in fact, alert the retailer to an attack. The problem is that Target didn’t react to the attack warning. ‘Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all’ (Bloomberg, 2015). The truth is, we still don’t know all the facts about the attack against Target, and it might be months, or even years, until we do. It is reassuring in many respects that the failure is likely not a failure of technology or a new, previously unknown security threat. The threat and the failure in the Target case are likely human. Apparently, the humans didn’t respond to what the technology was warning about” (Kerner, S.M., 2014).
A good example of a hacking incident at a higher education institution occurred on March 27, 2014, at the University of Wisconsin-Parkside in Kenosha, Wisconsin. University officials notified students of a data breach in which hackers installed malware on one university server. The information at risk included names, addresses, telephone numbers, email addresses and Social Security numbers. The breach affected students who were either admitted or enrolled at the university since the fall of 2010. The server was shut down and the hacking was reported to local authorities. The subsequent investigation indicated that the malware was searching for credit card information and found no evidence that any Social Security numbers were compromised. The university set up a website with information for those who may have been affected. About 15,000 records were compromised. This might seem like a lot, but it would be considered a small incident. Regardless, information security breaches are a serious threat, and it is up to management, the ISOs and CISOs, to man the ship and steer their teams in the right direction.
Few empirical studies have sought to identify why these breaches occur. There has been plenty of speculation about the reasons behind such data breaches, but peer-reviewed journal articles examining those speculations are scarce. Basically, it comes down to this: the technology in place is a lock on the door meant to keep attackers out and prevent breaches like this one, but the lack of leadership in organizations such as Target has clearly diminished how people lock the door in the first place. The problem is not the lock itself (the technology) but the processes and the lack of leadership in those organizations, which will lead to even more attacks like these in the future. That is why there is a dire need for better leadership that can mitigate information security breaches in all types of organizations: small, large, public, or private sector. There is a widespread perception that information security breaches have reached a state of crisis. An antitrust magazine article discusses what we should do now and what needs to be done down the road.
“The existence of a valid and reliable measure between leadership studies and lowering these breaches has yet to come to fruition. Although it is impossible to predict whether and how the legal and regulatory landscape could change in response to the recent breaches, exposure to risk because of data breaches is higher than ever. Companies should make sure they have comprehensive data security and incident response plans in place that account for the patchwork of state and federal laws governing data practices. Such policies should consider the type of data stored, the mechanisms for storage, and the duration of storage, among other factors. There is no single ‘correct’ data security plan, as companies should adapt their policies and practices to the practical realities presented by their business model as well as the unique legal obligations affecting their industry and the type of customer information they collect and store. Nonetheless, at a minimum, we recommend that companies storing personal information consider the following key principles when devising or re-assessing their data security practices.” (Rosenfeld, D. & McDowell, D., 2014)
As information security breaches such as the attacks on Target and Sony continue to create havoc and stir a media frenzy, it is imperative that a cold, hard look be taken at the leadership of the ISOs and CISOs at the helm of such corporations and institutions.
The response is reactive instead of proactive. Popular leadership authors have called for a new type of genuine, values-based leadership: authentic leadership (Wooley, Caza, & Levy, 2011; Avolio & Gardner, 2005; George, 2003).
Authentic Leadership and Information Security
Over the years, technology has moved to the forefront of our everyday lives. Whether for leisure or business, it has taken center stage with its ever-changing landscape. The gains of technology and information sharing have been well received by everyday people, by Facebook and Twitter users, and across the rest of social media. The same applies to private and public industry, where technology is in constant use and data streams never stop in this fast-paced world. To understand the value and importance of information, people need to observe what information is being stored, both by end users (individuals) and by power users (major businesses and companies). At the very minimum, it would be naïve for anybody to think that businesses, or even individual people, are not retaining and holding on to personally identifiable information. This information is known as PII, and it includes Social Security numbers, dates of birth, driver’s license numbers, and any other data that can be deemed sensitive in nature. Businesses, on the other hand, have more than just sensitive personal information to worry about; there is also company data and, in some instances, secret research data, where a competitive edge is born and kept while others are destroyed by the leakage or disclosure of such information.
It is the job of the Information Security Officer or Chief Information Security Officer to hold down the fort, not only for data in motion, in transit, and at rest, but to be responsible and accountable for all data transmissions of that company or organization. Judging by the media exposure of recent years, this seems to be something not many companies are doing the right way, hence the importance of this study and dissertation. As more data is stored and transmitted electronically over the wire, in the cloud (online services), or by any other method, the risk greatly increases that hackers, terrorist groups, political actors, or nation states will try to access this information unlawfully and without authorization. That is why I am doing this study: in today’s world we face a vast and growing number of challenges and problems in deciding how best to protect our data from hackers and from anybody who wants to do harm to others by reaching that data unlawfully and without authority. The most recent examples from both the private and public sector give a good idea of the impact a data breach can have.
As previously mentioned, this dissertation is built on the Authentic Leadership Model, which appears to be the most prevalent of all the leadership theories and behaviors currently in use by my proposed sample, which will be indicative of the overall population of Information Security Officers and Chief Information Security Officers. Authentic Leadership emphasizes the supervisory role and performance-oriented goals. In information security, it is ironic that this kind of leadership theory even exists, due to the nature of the beast. What do I mean by this? In information security, almost one hundred percent of the time, no news is good news. Therefore, a leadership style founded on rewards and punishment would naturally seem not to apply. Something needs to change in the way information security leaders lead if they are to effectively and proactively prevent and deal with data breaches in the future. Authentic leadership has great potential to pave the way for change and ultimately to become the defining leadership style of current and future CISOs and ISOs. Authentic leadership will be a game changer with regard to information security breaches. It will take work, but a change in the leadership stance toward information security programs will drive positive change and in turn help reduce information security breaches. Most literature suggests that projects succeed or fail by the measure of the technologies present at those organizations. Authentic leadership is a way of conduct that upholds how leaders should be true to their personal character and strive for an ideal that does not measure up to their true self.
Authentic leadership refers to “a pattern of leader behavior that draws upon and promotes both positive psychological capacities and a positive ethical climate, to foster greater self-awareness, an internalized moral perspective, balanced processing of information, and relational transparency on the part of leadership working with followers” (Walumbwa, Wang, Wang, Schaubroeck, & Avolio, 2010). Its four dimensions are defined by Walumbwa, Avolio, Gardner, Wernsing and Peterson (2008), who state that: “Self-awareness refers to the extent to which a leader understands his/her own strengths and weaknesses. They are aware of their true motivations when achieving both personal and professional goals. Rational transparency involves promoting trust through disclosure. Leaders that practice rational transparency openly share information and express their true thoughts and feelings while minimizing displays of negative emotions. Internalized moral perspective refers to leader behaviors that are guided by personal moral standards rather than values that are based upon others’ standards or societal pressures. Balanced processing involves objectively analyzing all relevant information before making a decision (Schminke, 2010).”
With regard to information security data breaches, the technologies include firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), etc. It is evident that the lack of leadership needs to be examined. When it comes to information security data breaches, there are usually three main parties involved: the CEO, the CIO, and the ISO/CISO. An excerpt from the Information Systems Security Journal explains how these three leaders, especially the CIO and CISO, should work to avoid becoming front-page news over an information security incident or breach.
“Just as the CEO must be aware of the external environment, the CIO must be able to solicit accurate information from the CISO to obtain knowledge as to the risk of doing nothing and what issues the competitors are facing. When the Veteran’s Administration lost a laptop containing personal information on 26 million individuals, and subsequently required that all their laptops be encrypted, many organizations took notice. While security programs should not be run by the ‘incident of the week,’ due to the widespread media coverage, such major incidents put the CIO in the position of having to answer the question ‘could this happen to us?’ Savvy CIOs will not want to accept the risk of this type of situation and will require his IT management and Systems Security develop a proposal with several different cost alternatives that would mitigate the problem.” (Fitzgerald, T., 2007)
The literature has largely ignored the impact of the Information Security Officer (ISO) or Chief Information Security Officer (CISO), and of his or her leadership style and competence, on preventing and mitigating information security breaches.
“Security has become a broad discipline with the CISO responsible for facilitating the implementation and ongoing compliance with the multiple domains of the common body of knowledge, such as risk management, operations security, physical security, business continuity, laws and ethics, network security, and so forth. The person performing the role of the CISO may or may not have that title and may be named Security Director, Security Manager, or Information Security Officer. The exact title is not as important as the appointed responsibility for protecting the organizational assets. Obviously, detailed expertise for these domains resides in many different individuals. The CISO is expected to have broad security knowledge and why each of these areas are important to the business. The ability to work up and down the organization, translating technical jargon into a language appropriate for the CEO, CIO, business executives, middle management, end users, and external parties is an essential skill. Leadership involves the influencing, written and oral communication skills, and building relationships with business partners for the bigger picture (of supporting the vision and mission of the business)” (Fitzgerald, T. 2007)
Studies linking leadership of any kind to information security data breaches are a rarity. Thus, it is most important to change this and start linking and correlating these two very important factors. This can be achieved by linking organizational commitment and authentic leadership theory to information security data breaches. That is what this study intends to do, in order to better mitigate and stop these breaches from ever happening. The key is the people, and the key to the people is the leadership under which those people fall. Leadership can do just as good a job as, or an even better job than, plain technological mitigating controls.
Purpose of the Study
The purpose of this study is to show that authentic leadership is related to information security data breaches. The study will identify the relationship between technology professionals’ perception of the authentic leadership of their leaders, as measured by the Authentic Leadership Questionnaire (ALQ), the information security (data breach) posture of responding organizations, as measured by the Security Effective Score (SES), and job satisfaction, as measured by the Job Descriptor Index and the Job in General (JIG) scale.
Authentic Leadership: A dominating leadership behavior that exists within four dimensions:
1. Self-awareness refers to the extent to which a leader understands his/her own strengths and weaknesses.
2. Rational transparency involves promoting trust through disclosure. Leaders who practice rational transparency openly share information while minimizing displays of negative emotions.
3. Internalized moral perspective refers to leader behaviors that are guided by personal moral standards rather than values that are based upon others’ standards or societal pressures.
4. Balanced processing involves objectively analyzing all relevant information before deciding (Schminke, 2010).
Information Security Data Breach: “Webster’s defines ‘to breach’ as literally ‘the act of breaking’, as in the infraction or violation of a law, obligation, tie or standard. A data breach is an incident during which an encrypted or unencrypted database is broken or hacked, and the valuable information stored within is compromised. The term ‘data’ in this case most often describes sensitive, protected or confidential data such as customer records that are protected by law or required by Federal regulation to be protected. Data breaches may involve personal health information, personally identifiable information, trade secrets or intellectual property. Most often the term data breach is applied to describe the theft of data, a malevolent action by unauthorized parties such as hackers, fraudsters or spies. The data need only be viewed for a breach to have occurred, but if it is copied and transmitted the potential consequences are ominous. The loss of information by data breach is the nefarious first step in online crimes such as identity theft, credit card fraud, and banking fraud. In these cases, crooks target data, such as credit card numbers, PINs, bank account numbers, and social security numbers. However, the term can also describe the release of sensitive data to an ‘untrusted environment’ by accident, through the fault of an authorized party. Past incidents have resulted from the careless handling of laptop computers or CD-ROMs. Although malicious intent is not present in such cases, the potential consequences of a data breach are no less dire. In most cases where personally identifiable information is lost, authorities demand that companies or organizations notify everyone whose information may have been compromised, even if there is little risk of malicious intent.
In the information security industry, there exist numerous guidelines and regulatory compliance mandates governing the protection of confidential data from data breaches from the Payment Card Industry Data Security Standard (PCI-DSS) to the Health Insurance Portability and Accountability Act (HIPAA). Today there exists a global organized criminal network of “black hat” hackers devoted solely to the stealing of confidential data. The spoils from their illegal activities are then sold on a thriving underground black market, where criminals trade in stolen information that can change hands numerous times. Companies that suffer a data breach lose more than just confidential information. Their reputation, productivity, and profitability can all be negatively impacted in the aftermath of even a single incident. If a data breach results in actual identity theft or other financial loss, the offending organization may face fines, civil or criminal prosecution.” (https://www.veracode.com/blog/2012/03/what-is-a-data-breach)
Chief Information Security Officer (CISO)/Information Security Officer (ISO): “A Chief Information Security Officer (CISO/ISO) controls information security issues in an organization and is responsible for securing anything related to digital information. The CISO and Chief Security Officer (CSO) roles may be interchangeable, but CISOs may also handle a company’s physical security. A CISO maintains the security of an organization’s information technology (IT) systems. The CISO/ISO must understand how to protect these systems with special hardware, software and secure business processes. Not only do CISOs/ISOs secure computer systems, but they also create, implement and communicate the organization’s digital information security policies and procedures. In the event of a confidentiality breach, the CISO/ISO must know how to handle an emergency with an established business continuity plan (BCP). A CISO/ISO usually reports to the Chief Information Officer (CIO), or other chief-level executive, and helps guide a company with a combined knowledge of business and technology. To increase employability, a CISO/ISO or prospective CISO/ISO can obtain an information security certification, such as the Certified Information Systems Security Professional (CISSP). CISSP is administered by the International Information Systems Security Certification Consortium (ISC²®).” (http://www.techopedia.com/definition/24136/chief-information-security-officer–ciso)
How can Authentic Leadership be looked at through Job Satisfaction of Cyber Security Program Outcomes?
Authentic leadership can be seen through the eyes of professionals working in the cyber security field, based on their perception of how mature, or in most cases immature, their cyber security program is. Many cyber security professionals need to point out and call out business management shortfalls. Authentic leadership is composed of four main and distinct components. In the cyber security industry in the year 2017, being an authentic leader is not easy, but there is a renewed need to do the right thing. We live in a world of constant cyber-attacks, constant media attention to the loss of data, and irrefutable reputational damage to companies such as Target, Sony and Home Depot, to name a few, and yet there is still a lack of acceptance of the reality of an existential threat. Authentic leaders will not ask questions such as “why would the bad guys want to attack us?” or claim that breaches and attacks are IT’s problem. Business leadership failures in IT operations show up as extended system outages under business continuity plans (BCP) and as exceeded recovery time and recovery point objectives (RTO and RPO). Lack of leadership leads to inadequate funding of an effective and efficient cyber security program. Overall, living in a world of morally corrupt actors and state-sponsored attackers, authentic leadership is needed to overcome an immature, inefficient, and ineffective cyber security program.
Authentic leadership self-awareness is essential to reaching an effective cyber security program and keeping it running strong at all times. Knowing the business is the most important aspect of cyber security. You cannot protect and defend what you cannot see; therefore, having authentic leaders who know the organization’s strengths, limitations, and values is paramount as the foundation of a cyber security program that will maximize its efforts to keep customer data safe and avoid reputational damage that can severely impact an organization’s entire operations. Authentic relational transparency will combat the belief that the cyber problem is real but will never target or happen to that respective leader’s organization. An authentic leader who owns information security and/or cyber security must be honest and straightforward with the board or with his or her superiors, whoever they may be, depending on the organization’s structure. An authentic leader will not sugarcoat the situation, especially if it is a dire and grim one. Authentic leadership in the world of cyber security demands a certain backbone and special character to look decision makers in the eye and let them know their data is now in the possession of hackers in Russia ready to wage a cyber war on that organization. Authentic leaders, as stewards of the data of all people served by the organization, have an obligation and a duty to be genuine, not playing games and not having hidden agendas. Knowing where you stand is paramount in being an authentic leader, and the role of Chief Information Security Officer or Information Security Officer is one where this quality should always be in play.
Balanced processing and fair-mindedness help leaders recognize whether their business and organizational operations take place in a hostile environment, and take preventive and proactive steps to avoid any potential cyber-attack that could breach their perimeter defenses and wreak havoc across the enterprise network. Authentic leaders who utilize balanced processing will always accept the possibility of a cyber-attack and make the necessary preparations to thwart an attack, or at least to defend against it well enough that it does not bring the network and computer systems to their knees.
Authentic leaders are known to always do the right thing. One of the most important components in the realm of cyber security management, and a pillar of the culture of cyber security leadership, is internalized moral perspective. Cyber security leaders such as ISOs and CISOs should always have a resilient ethical core. He or she should know the right thing to do and be driven by concerns of fairness and sound ethical principles and practices. The way an authentic leader in the realm of cyber defense demonstrates a strong internalized moral perspective is to always be prepared to prevent, detect, and recover from criminal, political, and state-sponsored cyber-attacks. Achievement of that level of security will not happen by itself, self-generated and unsystematically. It requires people of good intent to take both positive and punitive measures to strengthen a security culture to a desired level: the level that management intends it to be, or that it should be in the opinion of organizational leadership.
For that reason, this dissertation is focused on the development of an authentic leader in charge of cyber and information security and on how the people supporting the program see and react to the leadership defending them from cyber-attacks. Yes, a culture of security always exists, but an intentionally strong, effective and resilient culture of authentic security leadership requires work to build, maintain, and sustain. An enterprise that recognizes that it does not operate with an effective culture of security, but that wishes to create one, must establish a universal viewpoint across the enterprise about the safeguarding of information. It must resolve all the opposing impulses within the enterprise that hinder the growth of security. A culture cannot be achieved quickly, as the technical intricacies of security may be. There is no appliance to install or software to implement. Authentic leadership involves the formation of a mentality among the people who make up the enterprise and among those with whom it comes in contact: vendors, customers, other stakeholders and any outside parties such as regulatory agencies and bodies. That mindset, the outlook and attitudes that drive behavior, is the substance of a culture, one that must be implanted, nurtured and accepted gradually. It cannot be imposed from above, although organizational leadership can lead the way. However, in today’s unstable times of cyber warfare, there is a need to recognize and react to the possibility of unreliable information. For example, if there is evidence of an active penetration attempt, information might have been altered. A disaster in a datacenter can wipe out massive amounts of data in a very short time. It is in events such as these that the quality of trust takes on new meaning. Can security technology be trusted to identify penetration attempts and to isolate possibly affected records and databases? Can disaster recovery plans be executed in such a way that the recovered information is current and accurate, at least within pre-established parameters for currency and accuracy? The answer to these questions is yes, if the authentic leader at the helm can find a way to test security under scenarios that could spell disaster for an organization. These are called disaster recovery exercises. Authentic leaders will put mechanisms in place while executing security processes and recovery activities to validate and assure that the resulting data has not been altered or changed and that its integrity remains intact. An authentic leader will instill confidence in followers that the data in question will remain safe, sound and intact. Security is only as good as the way the leader applies it; this is something every reader of this dissertation should keep in mind. The attributes of an authentic leader must be stated in terms of organizational leadership variables such as exemplary leadership and transformational leadership, which can only be established through proactive steps and approaches that think ahead of attackers and bad actors at all times. Authentic leadership is a staple of a good cyber security program culture. Strong leadership is required, but if a leader is not authentic in nature, he may disregard the cyber culture and impair the organization’s ability to defend mission-critical and sensitive data from lurking hackers and bad actors. The need for trusted information does not stop at an enterprise’s front door. Trust is essential among business partners, contractors, vendors and customers.
The concept of security being erected at the perimeter of an enterprise’s information systems has long been outmoded. Thus, the internal-external distinction has become blurred, but it is meaningful nonetheless. There is a basis for trusting those who work together for a common purpose, with jointly held values and attitudes about the security of information resources (i.e., a culture of security), as distinct from those who may share some of the same incentives but whose motivations ultimately diverge. While customers and suppliers have a mutuality of interest, there is an inherent adversarial relationship regarding information. In many enterprises, there are entire departments checking invoices against POs to make sure that there are no overcharges. However, an excessive bill is not indicative of a problem with security. The good faith in an enterprise’s security is most tested where one enterprise holds information regarding another (or regarding individuals). The issue is most starkly presented where the privacy of Personally Identifiable Information (PII) is concerned, but it is just as valid where the relationship is a business-to-business one. For example, a company would not want its buying patterns revealed lest its business strategy be made public as well, which necessitates that purchasing information be kept secure, and sellers do not want any tampering with customer orders. Thus, the trust necessary to enlarge business relationships rests on good products and services, to be sure, but also on contracts, nondisclosure agreements and a general understanding that information will be secured diligently by both parties. Developing a strong cyber security program is not a project. There is no distinct beginning, middle or end. Indeed, it is a never-ending process as various cultures clash and collide within an enterprise. Nonetheless, there are discrete activities that can be carried out by those who would enhance the security culture within their enterprises.
The first is a clear-eyed assessment of the current state of the security culture in parallel with gaining an understanding of management’s intentions regarding security. On this basis, the gaps between expectation and reality can be observed, analyzed and repaired. Of course, the reality may not lie in the words of management, but in their actions when faced with security-related decisions. Speaking of management, the authentic leader of the cyber security program must always show the board of directors the magnitude of the problem so that they recognize and accept it. Most importantly, the leader must show them why they should fund solutions that will help the cyber security program be the best it can be in defending and protecting their bottom line. Also, a true authentic leader must empower the board to be engaged, positive and optimistic about solving problems directly and indirectly related to information and cyber security.
An authentic leader’s main responsibility, in the form of an ISO or CISO, is to prove time and time again why security is a necessity for the enterprise. Showing the board and IT management where security is a strategic necessity, and making them understand it, will help all parties involved come together and demonstrate with actions, artifacts and, most important, results that strong leadership is forming an effective and efficient security culture and program. The ISO and CISO are in most cases accountable for the safety of all electronic data residing within and outside the enterprise, as well as for keeping all IT systems running effectively within set security parameters, for example through server hardening and implementing the CIS (Center for Information Security) Critical Controls to help achieve this paramount operational goal. An authentic leader who leads an effort to raise the urgency of strengthening the cyber security program will garner respect and admiration from the followers helping in this effort. But the authentic leader must not want to take all the credit; in fact, they should show the business leadership that they cannot sit by with their arms crossed waiting for an ISO or CISO to come to their rescue in case of a cyber-attack, or of a breach if the attackers are already inside the network. The CISO’s role is always to communicate the magnitude of the attack and/or breach and to present viable solutions to stop the bleeding and prevent the incident from ever happening again. A true authentic leader will look past personal accolades and focus strictly on giving enterprise leadership advance notice and warnings relating to cyber and information security incidents.
Before jumping into the methodology, it is crucial to have another high-level overview of what an ISO or CISO utilizing an authentic leadership style can achieve. This includes leading and coordinating all preparatory, preventive, detective and response activities in dealing with cyber breaches, incidents and attacks. An authentic ISO or CISO will have a strong business background along with strong technical skills. This leader will lead and train the entire team and all followers to upgrade and test all IT infrastructure, not just the infrastructure dealing with security. This leader will also make all decisions about shutting down systems, data centers if applicable, and/or any network that is under attack, including cloud networks, which most often require the involvement of third-party vendors. This leader will coordinate all functions dealing with cyber security. This includes, but is not limited to, legal, training, physical security, communications, and risk management and remediation. The ISO or CISO becomes a true authentic and, in most scenarios, a transformational leader when dealing with issues such as reporting relationships: the ability to override the CIO (Chief Information Officer) of an organization if need be, and having protection from the negative impacts of both incorrect and correct decisions. This, as you might think, is a very difficult task. The ISO/CISO must sometimes get involved in conflicting corporate-culture decision-making activities to help defend the organization. Issues such as committees, chain of command or hierarchy, and a consensus-driven approach are all issues an ISO/CISO who incorporates an authentic leadership style might encounter during their tenure in this highly impactful, crucial and vital role for any enterprise, organization or small business. The authentic leader must always be thinking two steps ahead of attackers and bad actors, but must also be thinking two steps ahead of executive management.
An authentic-leadership-driven ISO/CISO will collaborate closely with all IT management, especially their risk management and project management operational personnel. The ISO/CISO will continue to manage the enterprise while delegating the management of a crisis or crises caused by failure of information and data from systems to the teams designated to deal with this type of event. Most enterprises and large-scale organizations have CMTs (Crisis Management Teams) in place to handle such events. As previously mentioned, the ISO/CISO must keep the board of directors informed at all times. If the ISO/CISO is part of a highly regulated organization such as a financial institution or healthcare entity, they must also have a specific plan to deal effectively with regulators, shareholders and other external stakeholders at all times. Michael S. Rogers, former Commander of the U.S. Cyber Command, was once asked whether there is a role for CEOs to play in working alongside the ISO/CISO. He answered, “Yes. You don’t want your network-security team deciding unilaterally what’s important.” The Commander raises a very good point, and another major reason an authentic leader is needed: to work alongside major players such as commanders, CEOs and anybody on the C-level executive management team to effectively lead the effort to keep data safe and protected from potential threats at all times. Authentic leaders exist in all facets and domains of everyday life, but when an authentic leader enters the world of cyber and information security, it becomes another kind of experience entirely. Cyber security cultures, and the programs that evolve from them, involve leadership, awareness, technological investments, and information sharing practices. Imagine the authentic leader’s involvement not just with one of these pillars of an effective and efficient cyber security culture and program but with all four.
This makes a great case for the need for the best kind of leadership available to keep our information, our livelihoods and our future safe from harm. The bad guys will never go away, nor will they ever stop attacking and coming after us; therefore we need the best leaders available to fight back in the never-ending battle of cyber warfare and cyber threat risk management.
I examined the degree of satisfaction with cyber security outcomes among cyber and information security professionals (followers) of ISOs and/or CISOs in their respective organizations. Organizations in scope range across many different organizational and business arenas, primarily all residing within the continental United States of America.
Since my research drew on a quantitative research design, I will be using a probability sampling technique because this allows a strong statistical inference and generalization from our sample of cyber professionals to all ISO/CISOs at their respective organizations. Such a probability sampling technique would provide greater external validity for my findings.
Authentic Leadership Questionnaire-ALQ
Operational Definitions for Independent Variables
Operational Definitions for Dependent Variables
Data Collection and Analysis