Cyber security has an identity issue. While some data breaches are driven by hackers, research shows that most breaches of cyber security are staff-related, resulting either from employees’ inadvertent use of technology (through not understanding the risks, making mistakes, or failing to comply with organisational policies) or from deliberate actions by disgruntled employees.
The information security risks arising from a proliferation of communications and information technologies and devices, coupled with the demands placed on people’s understanding of complex and dynamic environmental changes and on their compliance, challenge accepted norms and definitions of the CISO professional role. While the professional status of CISOs is of ongoing academic and practitioner interest, what has been less well understood are the identity consequences of a rapidly changing IS ecosystem.
We were lucky enough to talk to Dr Juliette Summers, University of St Andrews, for her expert insights on how CISO identity threat could be leading us towards organisational vulnerability.
Professional status and identity come with a considerable amount of sunk investment in terms of time, emotional ties and self-esteem. Any changes to role and context can threaten professional identity, which can result in reductions in performance, wellbeing and mental health, among other things. Identity threat can lead professionals to devalue the source of the threat and, if the threat is the increasing focus on HR in cyber security, this may lead to a lack of collaboration and an increased cyber security vulnerability.
With an ever-expanding cyber security sphere of activity, CISOs are under pressure to cover every aspect, including HR, and not just an information security remit. Where demands on CISOs are increasingly outwith their traditional expertise domain, this can challenge accepted norms and definitions of their role. Such a discrepancy between desired CISO actions on the one hand (i.e., effectively dealing with cyber security) and constraints on those actions on the other (i.e., other senior managers and directors failing to understand these pressures and constraints) can threaten CISO effectiveness and reputation. Operating within this complex, challenging and dynamic environment brings with it the threat of credibility loss when CISOs’ responsibility extends to those outwith IT. This can be experienced as a threat to professional role and identity.
Theory tells us that where a professional identity is affirmed and supported, it can also be dynamic and responsive to contextual changes in conditions. Therefore, while cyber security training and policy are necessary, they are not sufficient, and CISO identity is often overlooked, leading to organisational vulnerability. To facilitate CISO effectiveness, and to manage cyber security with appropriate resilience, companies need to offer and support new and positive dimensions to the CISO role. If they do not, there is a risk of CISO exit where organisations fail to fully understand the remit creep CISOs are experiencing.
About the author
Dr Juliette Summers is a lecturer in Management at the University of St Andrews, with a research focus on points of identity transition for individuals and groups within organisations. Her work informs private sector businesses, including the legal sector, accountancy, human resource management and academia. She is a Director of the Centre for Research in Equality, Diversity and Inclusion at University of St Andrews, and Associate Editor of the European Management Journal.