Phillimon Zongo, CEO and cofounder of Cyber Leadership Institute, a fast-growing community of cyberleaders from more than 50 countries.
Challenging economics are pushing organizations globally to cut cybersecurity budgets, lay off staff and freeze new hires and promotions. According to the 2024 ISC2 Cybersecurity Workforce Study, which polled a record 15,852 international practitioners and decision makers, “25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023.” These cuts have an immense impact on cybersecurity teams’ ability to secure the organization.
Below, based on my experience as a virtual CISO and on collaborating with hundreds of cyber leaders, I offer five proven strategies chief information security officers (CISOs) can implement to sustain cyber resilience in the face of shrinking budgets.
Hire for diversity.
CISOs must resist the allure of hiring direct reports who say, “Yes, boss,” to all their suggestions. Rather, create a dynamic culture where staff can challenge misaligned cybersecurity ideas. Allocate a limited budget to hiring skills that compensate for blind spots and quickly build transformation momentum. Diverse teams, according to research, reexamine facts more often and remain objective. They also hold each other accountable, keeping their joint cognitive resources sharp and vigilant. This eliminates waste and keeps small teams focused on what matters most.
Create a culture where staff feel valued.
To sustain cyber resilience as budgets shrink, set the right cultural tone at the top. This requires dismantling command-style structures that stifle innovation and staff engagement. Consider routinely walking up to your staff’s desks and openly asking if there is anything your team could do better. Solicit your team’s views on cyber resilience strategies to ensure frontline staff feel valued and part of a strategy they helped create, not one superimposed on them.
You might consider replacing the proverbial stick with the carrot. One way to do so is to implement monthly Cyber Hero awards, where cybersecurity staff nominate peers who go beyond the call of duty to uphold the virtues of the cyber transformation program. These can then be presented during company-wide town hall events, cascading key cyber transformation messages across the enterprise. CISOs should also avoid using the word “I” to send a clear and unequivocal message that they are not messiahs and that material success results from a shared vision and joint effort, not siloed work.
It’s also important to constantly challenge old ways of doing things. For example, what’s the point of mandating that technical staff spend four days a week in the office and waste dozens of hours commuting, only to be stuck on their screens resolving security incident tickets when they could be equally effective at home?
Promote teamwork and collaboration.
Michael Jordan, the six-time NBA champion and considered one of the greatest to have played the game, was right to say, “Talent wins games, but teamwork and intelligence win championships.” This maxim holds just as true in cybersecurity as in sports. Sustained cyber transformation requires cyber chiefs to actively nurture psychological safety—a deep-rooted belief that their teams are encouraged to experiment, make mistakes and learn from them without fearing for their jobs or other repercussions. Staying ahead of cyber threats with dwindling resources requires highly motivated teams that stick together during difficult moments. While individual successes should be celebrated, the CISO must zoom in on departmental key performance indicators (KPIs) and actively recognize staff who promote teamwork and contribute towards broader goals.
But no CISO can sustain a collaborative culture without weeding out brilliant jerks. These are high-performing and technically decorated individuals who steal others’ glory, shoot down opposing ideas and prioritize their own success over everything else. It’s important to cut off these types of employees before they affect the well-being of your teams.
Eliminate useless projects.
Let’s face it: Most cybersecurity teams are overburdened with sacred cow projects—programs that have outlived their relevance and run over budget but are considered untouchable or immune to scrutiny. But cyber leadership demands courage—the guts to eliminate fuzzy security projects (like “achieve zero trust by 2025”), freeing up the team to work on specific, high-impact projects with measurable outcomes.
Equally important, focus limited resources towards high-impact, clearly defined and measurable initiatives. By simplifying cybersecurity goals in the language of the business, reiterating the bigger why and tying individual and team KPIs to business goals, you give your team clarity of focus and a stronger sense of purpose.
For example, changing the ambiguous KPI “Facilitating penetration testing on all new APIs before go-live” to “Creating a detailed inventory of APIs and enforcing non-negotiable controls across 100% of APIs to ensure physicians have timely and secure access to patients’ healthcare information” not only provides a measurable goal but also instills a stronger sense of purpose in security teams.
Looking Ahead
To drive lasting change against all odds, CISOs must relentlessly focus on cultural transformation. Doing so requires carefully preserving the good aspects of the old culture, cutting off the toxic bits and applying emotional intelligence to navigate a complex web of stakeholders.