The Importance of Trust for Developing Tomorrow’s
Information Security Leaders
SANS STI ISM5400 Reflective Essay
Author: Ed Yuwono, Ed.Yuwono.MSISM at gmail.com
Peer reviewer: Kenneth G. Hartman
Accepted: December 2015
Abstract
Information Security failures are attributed to deficiencies in current leadership styles
resulting in negative publicity and loss of revenue for the organisation. Concepts of
transformational leadership may be applied to improve an organisation’s security posture.
Transformational leadership provides information security leaders with appropriate
guidance enabling the organisation to focus on delivery while employees adopt secure
practices. To augment the exploration of leadership, this paper will focus on the aspect of
trust which underpins several areas of leadership and the importance trust has for the
development of future information security leaders.
1. Introduction
The prevalence of information and knowledge systems makes them prime targets
for criminal exploitation. Exploitation such as data breaches and financial fraud share two
common themes: negative public exposure and Information Security failures within
organisations.
Negative publicity has a detrimental impact on organisations in one or more of the
following areas: share price, loyalty, goodwill, and/or trust. Failures in Information
Security highlight that an urgent change is required to organisational practices. These changes
require leadership to facilitate a cultural shift allowing followers to embrace secure
information handling practices.
Failures in Information Security in 2015 include: the Ashley Madison data breach
(Hackett, 2015), the OPM breach (Nakashima, 2015), along with financial fraud through
computer misuse as seen with Carbanak (Kaspersky Lab, 2015), and the newswire hacks
(Federal Bureau of Investigation, 2015). The effects of events such as these data breaches
impact both the organisation (IBM/Ponemon Institute, 2015) and the consumer (U.S.
Securities and Exchange Commission, 2015).
Information security leaders are under increasing pressure to address the issues
during a time when information security failures are regular news bulletins. As the
negative trend of data breaches increases, organisations are attributing breaches to the lack
of security professionals (Drinkwater, 2015) and are scrambling to address the issue
through extra expenditure on professionals (Peeler & Messer, 2015) and security
(Morgan, 2015). The shortfall of qualified security professionals presents organisations
with a major challenge: the inability to secure systems against internal and external
threats in line with the growing public notoriety of attacks.
Over the last two years, there has been an increase in the cost of cybercrime and
frequency of attacks (IBM/Ponemon Institute, 2015). Despite the increase in expenditure
on security, the root cause of the issue remains with employees not adopting secure
practices. As with previous years, the Verizon Data Breach Investigation Report 2015
highlighted that people account for 90% of incidents (Verizon Enterprise Solutions,
2015). Verizon states that the category of insider misuse (intentional and
unintentional) is the top category for breaches. The report attributes insider misuse to
trusted employees abusing their status for the sake of convenience (Verizon Enterprise
Solutions, 2015). In fact, breaches due to end user compliancy extend across several
categories including: social engineering, exploiting point of sale devices, web app attacks
through end user devices, physical theft/loss occurring at the victim’s work area, and
general user error (Verizon Enterprise Solutions, 2015).
Despite the increase in security expenditure, behaviours in employees are not
changing (Verizon Enterprise Solutions, 2015). Compounded by the abundance of new
technologies, CSO/CISOs will need to adapt their thinking from denying employees
access to one of permitting with caution (Harkins, 2013). The need for information
security leaders to guide employees into undertaking secure behaviours is critical to
reducing the trend.
Transformational leadership and the aspect of trust in information security
leadership are two concepts that help contribute towards leading employees into adopting
secure practices.
Transformational leadership is the concept of aligning interests of the organisation
and its employees through empowerment (Bass, 1999). Several concepts defined within
transformational leadership serve to promote the internalisation of secure behaviours in
employees. One concept, promoting employee involvement, could lead to the
internalisation of organisational beliefs and provide a positive change to the
organisation’s security posture (Bass, 1999).
Trust is required to help facilitate the shift towards the transformational leadership
model (Bass, 1999). Trust has many incarnations, all of which are critical to the success
of an organisation, from minimising risk between working parties (Mayer, Davis, &
Schoorman, 1995) to the potential of trust becoming a commodity that could be traded on
the open market (Harkins, 2013).
While the discussion of trust in this paper is focused on transformational
leadership, the importance of trust in general cannot be overstated. This paper will
explore the deep relationship between trust and transformational leadership and how
transformational leadership can be applied by information security leaders.
2. Trust: A Key Aspect for Leadership Development
Trust is a fundamental element required for two parties to transact; without it,
organisations will be plagued with problems. Parties could consist of two peers or in the
context of this paper, a leader and a follower. Research completed by ToleroSolutions
shows that 45% of employees state that the lack of trust in leadership is the biggest issue
affecting work performance (Morgan, J. 2014). To introduce the concept of Trust with
respect to leadership, transformational leadership and its applicability to information
security, we define trust in a qualitative form providing a means for discussion and
assessment.
To demonstrate the importance of trust in leadership development, we explore the
following hypotheses:
• the presence of trust is essential for leadership,
• the current style of organisational leadership falls short at promoting an
information security mindset in employees, and
• trust is a foundation for transformational leadership.
Finally, we merge the elements of trust and transformational leadership to
examine them both in the context of information security and the potential application of
transformational leadership in future information security leaders.
2.1. Quantifying Trust
There are several key concepts and factors to consider when defining trust for
assessment and the purpose of discussion.
Trust is defined when the trusting party (trustor) is willing to be accountable to
undertake a specific action passed from the trusted party (trustee); the specific action
from the trustor is of importance to the trustee and the action being undertaken is made
free of any scrutinizing or coercing (Mayer, Davis, and Schoorman, 1995).
Importantly, in order to satisfy the definition of trust, an element of risk must be
present in the action being undertaken (Mayer, Davis, and Schoorman, 1995). A follower
that is willing to undertake a risky action must trust the leader and believe that the
resulting action would benefit both parties. An example is that of a follower completing a
major change on behalf of the leader, which would improve the organisation, and the
follower being recognized for their efforts.
Bass defines trust as being between two individuals and not en-masse (Bass,
1999). Understanding this relationship is important. While a leader could present their
trustworthiness to a group, ultimately it is the follower who sees the leader as being
trustworthy.
This paper will draw on the concepts above to highlight why trust is essential
within organisations.
2.2. Organisational Leadership and Trust
The principle of transactional leadership is centred on an exchange between one
party and another in order to satisfy the leader’s need (Kuhnert & Lewis, 1987). The
resulting exchange would need to benefit both parties appropriately; otherwise,
inequalities within the transaction could lead to the withdrawal of the other party. An
example of this is the inadequate remuneration from employers resulting in a high
turnover of employees (Kuhnert & Lewis, 1987).
Deficiencies in transactional leadership force organisations to seek other means to
remunerate employees. Maslow defines a hierarchy of needs illustrating an individual’s
requirement for survival and their standing within a particular social class (SANS
Institute, 2013). According to the hierarchy, financial remuneration would satisfy the
basic needs of an employee (SANS Institute, 2013). However, employees seeking to
progress up Maslow’s hierarchy require other incentives in order to maintain motivation
(SANS Institute, 2013). Leaders could use Maslow’s ideas to maintain motivation in
followers. An example of maintaining motivation is through extrinsic motivation, where
it is delivered through a reward or goal attainment and satisfies the higher level need for
Esteem within Maslow’s hierarchy (SANS Institute, 2013). One example of the
application of trust is where incentives are not immediately deliverable. For example, a
successful organisation requires trust in a leader’s ability to deliver a bonus upon
completion to avoid demotivating employees.
2.2.1. Importance of Trust within Leadership
Regardless of leadership style, trust underpins several areas of leadership and is
critical for the success of any leader.
The success of a leader requires competency across several skill areas (SANS
Institute, 2013), including and not limited to communication, innovation, motivation, and
team development. Trust is embedded into each skill area as it requires an interaction
between the leader and a follower.
Research conducted by Zeffane, Tipu & Ryan (2011) in the area of
communication concluded that there is a strong relationship between communication,
commitment and trust, with trust being key to the relationship. In fact, trust extends to
other leadership skill areas, including and not limited to: innovation (Ellonen, Blomqvist,
& Puumalainen, 2008), motivation (Gagné, & Deci, 2005) and team development
(Spector, & Jones, 2004).
The importance of trust in leadership is so paramount that Warren Bennis, a
leader in organisational leadership, distilled four competencies of successful leaders, one
of those competencies being trust (Bennis, 1993).
This confirms the first hypothesis stating that trust is one of the most important
traits that a leader must possess in order to lead employees within an organisation.
2.2.2. Limitations of the Current Forms of Leadership
The present form of transactional leadership presents several issues, especially
when Information Security is often perceived by senior management as a ‘non-core’
organisational function. An organisational function that does not deliver defined
organisational benefits, such as financial or productivity benefits, is defined as
‘non-core’.
While there is little research into the failures transactional leadership has on
Information Security, we draw parallels with other perceived ‘non-core’ organisational
areas. A study by Groves & LaRocca (Groves, & LaRocca, 2011) on a non-core
organisational area, Corporate Social Responsibility (CSR), reveals several interesting
similarities. Their research on CSR compares transactional leadership along with
transformational leadership.
Firstly, it is important to discuss that a need for change stems from the public
notoriety surrounding information security incidents. The parallel drawn relates to
corporate scandals and the demise of businesses. Groves & LaRocca raise concerns
behind the absence or weaknesses of CSR within organizations such as Enron, Lehman
Brothers and Bear Stearns, leading to a major catastrophe (Groves, & LaRocca, 2011). A
similar situation applies to information security where a disruption of organizational
assets hosted on information systems could also lead to a major catastrophe. This is
evident in numerous cases where organisations file for insolvency or have consequently
shut down after a catastrophic security event, such as a breach: DigiNotar (Zetter, 2011),
Mt Gox (Takemoto, & Knight, 2014) and Altegrity (Fitzgerald, 2015).
Secondly, as there is an associated cost with any interaction, transactional leaders
focus on delivery and are not willing to go above and beyond the call of duty. The
following quote noted the reluctance of transactional leaders promoting CSR: “research
suggests that the transactional leadership process is based upon utilitarian values and
reciprocity norms, which are unlikely to generate strong beliefs in stakeholder
perspective on CSR.” (Groves, & LaRocca, 2011). As with the concept of CSR,
employees are less likely to adopt information security best practices unless they are
provided with an incentive or they are coerced. As non-core functions would incur an
additional expense, there is reluctance for organisations to divert resources away from
core activities.
Reluctance is further exacerbated within organisations bound by limited budgets
or resources. With this thought, a transactional leader would find it very difficult to instil a
culture of security within the organisation.
While no data is available supporting theories that a poor security culture in
organisations is due to transactional leadership shortcomings, there is historical data
demonstrating that organisational change is required to promote information security.
Verizon stated that over 11 years, breaches attributed to employees continue to account for
the majority of data breaches (Verizon Enterprise Solutions, 2015).
The correlation between CSR and information security serves to uphold the second
hypothesis stating that the current form of leadership is inadequate to promote a strong
information security mindset in employees. Just as there is an important requirement for
CSR within organisations to promote ethical values, the same requirement could be
expressed for information security.
2.3. The Importance of Transformational Leadership
While transactional leadership has its place to serve the lower needs of Maslow’s
hierarchy, the limitations found in transactional leadership could be addressed through
the introduction of transformational leadership (Bass, 1999).
Transformational leadership is the leader’s ability to motivate people to want to
change, improve and to be led (Hall, Johnson, Wysocki & Kepner, 2002). This differs
from transactional leadership, where the leader focuses on delivery; in
transformational leadership, the leader focuses on empowering followers (Bass,
1999). The power of transformational leadership is realised as followers take ownership
for the success of an organisation. This behaviour is best observed in a cooperative
organisation, where all members have a vested interest and their personal actions
contribute to the success of the organisation.
Core to transformational leadership are four factors known as the ‘four I’s’:
idealized influence, inspirational motivation, intellectual stimulation and individual
consideration (Hall, Johnson, Wysocki & Kepner, 2002).
2.3.1. Developing a Leader Through Trust and Transformational
Leadership
As with transactional leadership, trust also has a strong presence within
transformational leadership. This section will provide evidence that trust is rooted within
the ‘four I’s’, the essential foundations for transformational leadership.
Leaders possessing idealised influence are trusted to make good decisions that
benefit the organisation (Hall, Johnson, Wysocki & Kepner, 2002). As explained below,
Mayer et al.’s (1995) definition of trustworthiness aligns the relationship between trust and
idealised influence. Mayer et al. deconstruct trustworthiness into three main factors:
ability, benevolence, and integrity.
Ability requires the leader to be skilled in a particular domain (Mayer, Davis, and
Schoorman, 1995). Without the appropriate skills, the leader could not make good
decisions for the organisation.
Benevolence is the leader’s willingness to act in the best
interests of the organisation (Mayer, Davis, and Schoorman, 1995), aligning with the
definition of idealised influence.
Finally, integrity is the alignment and adoption of a set of principles (Mayer,
Davis, and Schoorman, 1995), where the leader is aligned with the organisation that they
are accountable to and reflects their values.
The ability to motivate employees to commit to the vision of the organisation is
defined as Inspirational motivation (Hall, Johnson, Wysocki & Kepner, 2002). It is
important to note that motivation is not maintained through further incentives; rather,
motivation is maintained by ensuring that employees are not de-motivated (SANS
Institute, 2013). Through intrinsic motivation, a leader allows a follower to undertake
important tasks in order to avoid de-motivation (SANS Institute, 2013). Important tasks
used as motivators are defined by Herzberg to include responsibility and job challenges
(SANS Institute, 2013). The follower assumes ownership of the task and possesses the
inclination to complete it with additional attention (SANS Institute, 2013). In doing so,
the leader bears risk by trusting the follower to undertake the task (Mayer, Davis, and
Schoorman, 1995).
Conversely, Mayer et al. noted that an organisation with low trust leads to
increased monitoring of employees, which creates a demoralizing effect that could result
in employees striking back, establishing a tit-for-tat environment (Mayer, Davis, and
Schoorman, 1995).
Intellectual Stimulation defines leaders who encourage creativity through
intellectual challenges (Hall, Johnson, Wysocki & Kepner, 2002). To illustrate trust for
the criteria of Intellectual Stimulation, research from Ellonen et al. shows that trust
through foundations established by the organisation is a major contributor in promoting a
culture of innovation (Ellonen, Blomqvist, & Puumalainen, 2008). Ellonen et al. relate
reliability to Mayer et al’s definition of integrity where reliability in leadership
supporting innovation is ‘critical’ to steer innovation (Ellonen, Blomqvist, &
Puumalainen, 2008).
Individual consideration defines leaders as mentors helping followers achieve
mutual organisational and personal goals (Hall, Johnson, Wysocki & Kepner, 2002).
When aligned with a common vision, both the leader and the follower work
together to achieve a common goal. A trustworthy leader will possess the ability to lead
within the follower’s domain, demonstrating to the follower that the goal is also for their
benefit (Mayer, Davis, and Schoorman, 1995).
The common vision can build trust in two ways: between followers towards the
organisation and also between leadership and their followers. Building trust between
followers and the organisation occurs by training managers on how to empower followers
to take initiative and to operate autonomously (Gagné, & Deci, 2005).
Secondly, leaders that are trustworthy possess ability, benevolence and integrity.
These traits are important for leaders to mentor followers benefiting both the follower
and the organisation (Mayer, Davis, and Schoorman, 1995).
The presence and importance of trust within the four I’s satisfy the third
hypothesis that trust is required in transformational leadership.
3. Developing Information Security Leaders through
Transformational Leadership
There is evidence that transformational leadership has a place in the development
of information security leadership to instil a culture of security within an organisation.
Harkins applied several transformational leadership concepts during his tenure as Intel’s
first CISO. Harkins defined information security professionals as being in the “behaviour
modification business”, indicating that security professionals must change behaviour in
order to improve the organisation’s security posture (Harkins, M. 2013). This resonates
with the core of transformational leadership.
Information Security leaders must develop their organisations beyond the basic
level of compliance to avoid being susceptible to compromise. By making the
organisation more aware of the threats, their security posture increases beyond that of
compliance alone (Harkins, M. 2013). To achieve this, Harkins seeks to move from
employees possessing ‘compliant’ behaviour over to ‘committed’ behaviour (Harkins, M.
2013), similar to what Groves, & LaRocca pointed out with respect to CSR (Groves, &
LaRocca, 2011). Harkins realizes the pitfalls with current styles of information security
leadership and he encourages leaders to establish a ‘process’ to lead employees to adopt a
personal stake in information security (Harkins, M. 2013). He defines ‘committed
behaviour’ as being able to define an emotional relationship with security, such that
employees will act beyond their call of duty (Harkins, M. 2013). Harkins’ definition of
‘committed’ behaviour is in line with the core of transformational leadership, adopting
the same approach where leaders possess the ability to get people to change, improve and
be led (Hall, Johnson, Wysocki & Kepner, 2002).
Applications of Transformational Leadership through the concepts defined by the
four I’s and the requirement for trust are seen in Harkins’ leadership style.
Influencing employees to adopt secure behaviours at work and at home requires
Harkins to possess Idealised Influence. The reason Harkins is seen by Intel as trustworthy
is because he demonstrates that he is a champion within the information security domain,
performing with the best interests of all parties and adopting principles, which are aligned
with the organisation (Harkins, M. 2013). Harkins was quoted as saying, “If employees
trust us, they are more likely to believe our warnings and act on our recommendations”
(Harkins, M. 2013). This highlights the importance of trust in Information Security
leadership.
One demonstration of Idealised Influence is the fact that Harkins elevates himself
to serve as a role model for security within Intel. He achieves this through frequent
communication with managers about information security (Harkins, M. 2013). When
noticing an increase in laptop theft resulting in the loss of information, Harkins highlights
the thefts to managers with the aim to reduce losses (Harkins, M. 2013).
With respect to information security, the positive response from Intel employees
during a HR survey was an example of Inspirational motivation. The survey
commissioned through an external organisation on behalf of Intel HR was thwarted when
employees mistakenly reported it as a phishing attempt to the security team (Harkins, M.
2013).
An application of Intellectual Stimulation is demonstrated within Intel through
permitting the use of personal devices for corporate use. Through the mantra ‘protect to
enable,’ Harkins aligns information security with Intel’s organisational culture which
promotes innovation (Harkins, M. 2013). By challenging traditional information security
beliefs regarding the use of personal devices in the organisation, Harkins has permitted
the use of personal devices for corporate use (Harkins, M. 2013). Harkins states that, as
employees are the owners of the device, employees will take better care of devices
(Harkins, M. 2013). This innovative thinking resulted in reducing the loss of devices,
thus also reducing the instance of data loss (Harkins, M. 2013).
Another success story combining trust and aspects of transformational leadership
involves the exchange of threat information with other organisations. Legal and
competition threats make the exchange of threat information a high-risk move.
Intellectual Stimulation through innovation allowing the exchange of threat information
has enabled Intel to gain valuable insights in several areas, such as best practices for
managing security operations (Harkins, M. 2013). This can only be achieved by
promoting both Intellectual Stimulation and Individual Consideration. Highlighting the
importance of trust, Harkins adopts a sliding scale where the more trustworthy the
external organisation is, the higher the sensitivity of the information that can be shared
(Harkins, M. 2013). Likewise, organisations must place a lot of trust in Harkins and Intel
before exchanging information with them.
Relating threats directly to an individual’s personal life invokes a sense of
Individual Consideration, where leaders help followers achieve mutual goals that benefit
both the individual and the organisation (Hall, Johnson, Wysocki & Kepner, 2002). In
one example, Harkins states that he taps into an individual’s emotions in order to
highlight the importance of security (Harkins, M. 2013). Further to this, he carries this
theme on to other aspects of personal life such as keeping children safe online and tips for
wireless security at home (Harkins, M. 2013). Importantly, Harkins recognises the need
to align organisational and personal values in order to create trust (Harkins, M. 2013).
The combination of these factors has provided Intel with a strong security posture.
One example of this can be seen through the physical loss of laptops. Harkins states that
the loss was less than 1% annually over several years, significantly lower than the
industry standard of 5-10% annually (Harkins, M. 2013).
Relating transformational leadership to efforts as demonstrated by Harkins and his
initiatives in Intel, future information security leaders could benefit immensely from
adopting transformational leadership and creating a culture of trust.
4. Conclusion
Trust is the core to creating successful information security leaders. Empowering
followers through trust and transformational leadership is a powerful means to increase
an organisation’s information security posture. Powerful benefits, such as autonomy,
development and intrinsic motivation amongst followers, aid both the organisation and
the individual. Trust is the catalyst to facilitate the adoption of these benefits.
5. Further Research
Applications of transformational leadership have the potential to promote further
proactive behaviours, such as adopting secure development mindsets and developing
detective behaviour.
While this paper examines components of transformational leadership applied
within one organisation, further research could investigate other organisations to see if
transformational leadership has been applied with success within the realm of
Information Security leadership.
Conversely, while this paper focuses on the benefits trust has on leadership and
information security, the absence of trust provides an opportunity for further research.
References
Bass, B. M. (1999). Two decades of research and development in transformational
leadership. European Journal of Work and Organizational Psychology, 8(1), 9-32.
doi:10.1080/135943299398410
Bennis, W. G. (1993). An invented life: Reflections on leadership and change. Reading,
MA: Addison-Wesley Pub. Co.
Drinkwater, D. (2015, April 16). Cyber-security pros blame breaches on skills gap.
Retrieved Sep 26, 2015 from
http://www.scmagazineuk.com/cyber-security-pros-blame-breaches-on-skills-gap/article/409393/
Ellonen, R., Blomqvist, K., & Puumalainen, K. (2008). The role of trust in
organisational innovativeness. European Journal of Innovation Management,
11(2), 160-181.
Federal Bureau of Investigation. (2015, August 11). FBI — Nine people charged in
largest known computer hacking and securities fraud scheme. Retrieved Sep 26, 2015 from
https://www.fbi.gov/newyork/press-releases/2015/nine-people-charged-in-largest-known-computer-hacking-and-securities-fraud-scheme
Fitzgerald, P. (2015, August 20). U.S. settles whistleblower suit against Altegrity.
Retrieved Oct 10, 2015 from
http://www.wsj.com/articles/u-s-settles-whistleblower-suit-against-altegrity-1440090102
Gagné, M., & Deci, E. L. (2005). Self-determination theory and work motivation.
Journal of Organizational Behavior, 26(4), 331-362.
Groves, K. S., & LaRocca, M. A. (2011). An empirical study of leader ethical values,
transformational and transactional leadership, and follower attitudes toward
corporate social responsibility. Journal of Business Ethics, 103(4), 511-528.
doi:10.1007/s10551-011-0877-y
Hackett, R. (2015, August 26). Ashley Madison hack: Everything to know. Retrieved
Sep 26, 2015 from http://fortune.com/2015/08/26/ashley-madison-hack/
Hall, J., Johnson, S., Wysocki, A., & Kepner, K. (2002, June). Transformational
leadership: The transformation of managers and associates. Retrieved Sep 19,
2015 from http://edis.ifas.ufl.edu/hr020
Harkins, M. (2013). Managing risk and information security: Protect to enable. New
York: Apress.
IBM/Ponemon Institute. (2015, May). IBM 2015 Cost of data breach study. Retrieved
Sep 19, 2015 from http://www.ibm.com/security/data-breach
Kaspersky Lab. (2015, February 16). The great bank robbery: The Carbanak APT.
Retrieved Sep 19, 2015 from
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
Kuhnert, K. W., & Lewis, P. (1987). Transactional and transformational leadership: A
constructive/developmental analysis. Academy of Management Review, 12(4),
648-657.
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of
organizational trust. Academy of Management Review, 20(3), 709-734.
Morgan, J. (2014, September 11). Trust in the workplace: What happened to it, and how
do we get it back. Retrieved Nov 23, 2015, from
http://www.forbes.com/sites/jacobmorgan/2014/09/11/trust-in-the-workplace-what-happened-to-it-and-how-do-we-get-it-back/
Morgan, S. (2015, July 9). Worldwide cybersecurity market continues its upward trend.
Retrieved Sep 26, 2015, from
http://www.csoonline.com/article/2946017/security-leadership/worldwide-cybersecurity-market-sizing-and-projections.html
Nakashima, E. (2015, July 9). Hacks of OPM databases compromised 22.1 million
people, federal authorities say. Retrieved Sep 26, 2015 from
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Peeler, J., & Messer, A. (2015, April 17). (ISC)² Study: Workforce shortfall due to
hiring difficulties despite rising salaries, increased budgets and high job
satisfaction rate. Retrieved Sep 26, 2015 from
http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html
SANS Institute. (2013). MGT514.5: Leadership and management competencies. Author.
Spector, M. D., & Jones, G. E. (2004). Trust in the workplace: Factors affecting trust
formation between team members. The Journal of Social Psychology, 144(3),
311-321.
Takemoto, Y., & Knight, S. (2014, February 28). Mt. Gox files for bankruptcy, hit with
lawsuit. Retrieved from
http://www.reuters.com/article/2014/02/28/us-bitcoin-mtgox-bankruptcy-idUSBREA1R0FX20140228
U.S. Securities and Exchange Commission. (2015, September 22). Investor alert:
Identity theft, data breaches and your investment accounts. Retrieved Sep 26,
2015 from http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html
Verizon Enterprise Solutions. (2015, July 9). 2015 Data Breach Investigations Report
(DBIR). Retrieved Sep 19, 2015 from
http://www.verizonenterprise.com/DBIR/2015/
Walder, N., Stempel, J., & Ax, J. (2015, August 12). Hackers stole secrets for up to $100
million insider-trading profit. Retrieved Sep 27, 2015 from
http://www.reuters.com/article/2015/08/12/us-cybercybersecurity-hacking-stocks-arr-idUSKCN0QG1EY20150812
Zeffane, R., Tipu, S. A., & Ryan, J. C. (2011). Communication, commitment & trust:
Exploring the triad. International Journal of Business and Management, 6(6),
77-87.
Zetter, K. (2011, September 20). DigiNotar files for bankruptcy in wake of devastating
hack. Retrieved Oct 17, 2015 from
http://www.wired.com/2011/09/diginotar-bankruptcy/
The Importance of Trust for Developing Tomorrow’s Information Security Leaders - SANS STI ISM5400 Essay

  • 1. The Importance of Trust for Developing Tomorrow’s Information Security Leaders 1 The Importance of Trust for Developing Tomorrow’s Information Security Leaders SANS STI ISM5400 Reflective Essay Author: Ed Yuwono, Ed.Yuwono.MSISM at gmail.com Peer reviewer: Kenneth G. Hartman Accepted: December 2015 Abstract Information Security failures are attributed to deficiencies in current leadership styles resulting in negative publicity and loss of revenue for the organisation. Concepts of transformational leadership may be applied to improve an organisation’s security posture. Transformational leadership provides information security leaders with appropriate guidance enabling the organisation to focus on delivery while employees adopt secure practices. To augment the exploration of leadership, this paper will focus on the aspect of trust which underpins several areas of leadership and the importance trust has for the development of future information security leaders.
  • 2. The Importance of Trust for Developing Tomorrow’s Information Security Leaders 2 1. Introduction The prevalence of information and knowledge systems makes them prime targets for criminal exploitation. Exploitation such as data breaches and financial fraud share two common themes: negative public exposure and Information Security failures within organisations. Negative publicity has a detrimental impact on organisations in one or more of the following areas: share price, loyalty, goodwill, and/or trust. Failures in Information Security highlight an urgent change is required to organisational practices. These changes require leadership to facilitate a cultural shift allowing followers to embrace secure information handling practices. Failures in Information Security in 2015 include: the Ashley Madison data breach (Hackett, 2015), the OPM breach (Nakashima, 2015), along with financial fraud through computer misuse as seen with Carbanak (Kaspersky Lab, 2015), and the newswire hacks (Federal Bureau of Investigation, 2015). The effect of events such as these data breaches, impact both the organisation (IBM/Ponemon Institute, 2015) and the consumer (U.S. Securities and Exchange Commission, 2015). Information security leaders are under increasing pressure to address the issues during a time when information security failures are regular news bulletins. As the negative trend of data breaches increase, organisations are attributing breaches to the lack of security professionals (Drinkwater, 2015) and are scrambling to address the issue through extra expenditure on professionals (Peeler & Messer, 2015) and security (Morgan, 2015). The shortfall of qualified security professionals present organisations with a major challenge, the inability to secure systems against internal and external threats in line with the growing public notoriety of attacks. 
Over the last two years, there has been an increase in the cost of cybercrime and frequency of attacks (IBM/Ponemon Institute, 2015). Despite the increase in expenditure on security, the root cause of the issue remains with employees not adopting secure practices. As with previous years, the Verizon Data Breach Investigation Report 2015 highlighted that people account for 90% of incidents (Verizon Enterprise Solutions, 2015). Verizon states that for the category of insider misuse (intentional and Ed Yuwono;Ed.Yuwono.MSISM at gmail.com
  • 3. The Importance of Trust for Developing Tomorrow’s Information Security Leaders 3 unintentional) is the top category for breaches. The report attributes insider misuse as trusted employees abusing their status for the sake of convenience (Verizon Enterprise Solutions, 2015). In fact, breaches due to end user compliancy extend across several categories including: social engineering, exploiting point of sale devices, web app attacks through end user devices, physical theft/loss occurring at the victim’s work area, and general user error (Verizon Enterprise Solutions 2015). Despite the increase in security expenditure, behaviours in employees are not changing (Verizon Enterprise Solutions, 2015). Compounded by the abundance of new technologies, CSO/CISOs will need to adapt their thinking from denying employees access to one of permitting with caution (Harkins, 2013). The need for information security leaders to guide employees into undertaking secure behaviours is critical to reducing the trend. Transformational leadership and the aspect of trust in information security leadership are two concepts that help contribute towards leading employees into adopting secure practices. Transformational leadership is the concept of aligning interests of the organisation and its employees through empowerment (Bass, 1999). Several concepts defined within transformational leadership serve to promote the internalisation of secure behaviours in employees. One concept promoting employee involvement could lead to the internalisation of organisational beliefs and providing a positive change to the organisation’s security posture (Bass, 1999). Trust is required to help facilitate the shift towards the transformational leadership model (Bass, 1999). 
Trust has many incarnations, all of which are critical to the success of an organisation, from minimising risk between working parties (Mayer, Davis, & Schoorman, 1995) to the potential of trust becoming a commodity that could be traded on the open market (Harkins, 2013). While the discussion of trust in this paper is focused on transformational leadership, the importance of trust in general cannot be overstated. This paper will explore the deep relationship between trust and transformational leadership and how transformational leadership can be applied by information security leaders.
2. Trust: A Key Aspect for Leadership Development
Trust is a fundamental element required for two parties to transact; without it, organisations will be plagued with problems. Parties could consist of two peers or, in the context of this paper, a leader and a follower. Research completed by ToleroSolutions shows that 45% of employees state that the lack of trust in leadership is the biggest issue affecting work performance (Morgan, J. 2014).
To introduce the concept of trust with respect to leadership, transformational leadership and its applicability to information security, we define trust in a qualitative form providing a means for discussion and assessment. To demonstrate the importance of trust in leadership development, we explore the following hypotheses:
• the presence of trust is essential for leadership,
• the current style of organisational leadership falls short at promoting an information security mindset in employees, and
• trust is a foundation for transformational leadership.
Finally, we merge the elements of trust and transformational leadership to examine them both in the context of information security and the potential application of transformational leadership in future information security leaders.
2.1. Quantifying Trust
There are several key concepts and factors to consider when defining trust for assessment and the purpose of discussion. Trust is defined when the trusting party (trustor) is willing to be accountable to undertake a specific action passed from the trusted party (trustee); the specific action from the trustor is of importance to the trustee and the action being undertaken is made free of any scrutinizing or coercing (Mayer, Davis, and Schoorman, 1995). Importantly, in order to satisfy the definition of trust, an element of risk must be present in the action being undertaken (Mayer, Davis, and Schoorman, 1995).
A follower that is willing to undertake a risky action must trust the leader and believe that the resulting action would benefit both parties. An example is that of a follower completing a major change on behalf of the leader, which would improve the organisation, and the follower being recognized for their efforts.
Bass defines trust as being between two individuals and not en masse (Bass, 1999). Understanding this relationship is important. While a leader could present their trustworthiness to a group, ultimately it is the follower who sees the leader as being trustworthy. This paper will draw on the concepts above to highlight why trust is essential within organisations.
2.2. Organisational Leadership and Trust
The principle of transactional leadership is centred on an exchange between one party and another in order to satisfy the leader’s need (Kuhnert & Lewis, 1987). The resulting exchange would need to benefit both parties appropriately; otherwise, inequalities within the transaction could lead to the withdrawal of the other party. An example of this is the inadequate remuneration from employers resulting in a high turnover of employees (Kuhnert & Lewis, 1987).
Deficiencies in transactional leadership force organisations to seek other means to remunerate employees. Maslow defines a hierarchy of needs illustrating an individual’s requirement for survival and their standing within a particular social class (SANS Institute, 2013). According to the hierarchy, financial remuneration would satisfy the basic needs of an employee (SANS Institute, 2013). However, employees seeking to progress up Maslow’s hierarchy require other incentives in order to maintain motivation (SANS Institute, 2013). Leaders could use Maslow’s ideas to maintain motivation in followers. An example of maintaining motivation is through extrinsic motivation, where it is delivered through a reward or goal attainment and satisfies the higher level need for Esteem within Maslow’s hierarchy (SANS Institute, 2013).
One example of the application of trust is where incentives are not immediately deliverable. For example, a successful organisation requires trust in a leader’s ability to deliver a bonus upon completion to avoid demotivating employees.
2.2.1. Importance of Trust within Leadership
Regardless of leadership style, trust underpins several areas of leadership and is critical for the success of any leader. The success of a leader requires competency across several skill areas (SANS Institute, 2013), including but not limited to communication, innovation, motivation, and team development. Trust is embedded into each skill area as it requires an interaction between the leader and a follower.
Research conducted by Zeffane, Tipu & Ryan (2011) in the area of communication concluded that there is a strong relationship between communication, commitment and trust, with trust being key to the relationship. In fact, trust extends to other leadership skill areas, including but not limited to: innovation (Ellonen, Blomqvist, & Puumalainen, 2008), motivation (Gagné, & Deci, 2005) and team development (Spector, & Jones, 2004).
The importance of trust in leadership is so paramount that Warren Bennis, a leader in organisational leadership, distilled four competencies of successful leaders, one of those competencies being trust (Bennis, 1993). This confirms the first hypothesis stating that trust is one of the most important traits that a leader must possess in order to lead employees within an organisation.
2.2.2. Limitations of the Current Forms of Leadership
The present form of transactional leadership presents several issues, especially when Information Security is often perceived by senior management as a ‘non-core’ organisational function. An organisational function that does not deliver defined organisational benefits, such as financial or productivity benefits, is defined as ‘non-core’. While there is little research into the failures transactional leadership has on Information Security, we draw parallels with other perceived ‘non-core’ organisational areas.
A study by Groves & LaRocca (Groves, & LaRocca, 2011) on a non-core organisational area, Corporate Social Responsibility (CSR), reveals several interesting similarities. Their research on CSR compares transactional leadership with transformational leadership.
Firstly, it is important to discuss that a need for change stems from the public notoriety surrounding information security incidents. The parallel drawn relates to corporate scandals and the demise of businesses. Groves & LaRocca raise concerns behind the absence or weaknesses of CSR within organizations such as Enron, Lehman Brothers and Bear Stearns, leading to a major catastrophe (Groves, & LaRocca, 2011). A similar situation applies to information security where a disruption of organizational assets hosted on information systems could also lead to a major catastrophe. This is evident in numerous cases where organisations file for insolvency or have consequently shut down after a catastrophic security event, such as a breach: DigiNotar (Zetter, 2011), Mt. Gox (Takemoto, & Knight, 2014) and Altegrity (Fitzgerald, 2015).
Secondly, as there is an associated cost with any interaction, transactional leaders focus on delivery and are not willing to go above and beyond the call of duty. The following quote noted the reluctance of transactional leaders promoting CSR: “research suggests that the transactional leadership process is based upon utilitarian values and reciprocity norms, which are unlikely to generate strong beliefs in stakeholder perspective on CSR.” (Groves, & LaRocca, 2011). As with the concept of CSR, employees are less likely to adopt information security best practices unless they are provided with an incentive or they are coerced.
As non-core functions would incur an additional expense, there is reluctance for organisations to divert resources away from core activities. Reluctance is further exacerbated within organisations bound by limited budgets or resources.
With this thought, a transactional leader would find it very difficult to instil a culture of security within the organisation. While no data is available supporting theories that a poor security culture in organisations is due to transactional leadership shortcomings, there is historical data demonstrating that organisational change is required to promote information security. Verizon stated that over 11 years, breaches attributed to employees continue to account for the majority of data breaches (Verizon Enterprise Solutions, 2015).
The correlation between CSR and information security serves to uphold the second hypothesis stating that the current form of leadership is inadequate to promote a strong information security mindset in employees. Just as there is an important requirement for CSR within organisations to promote ethical values, the same requirement could be expressed for information security.
2.3. The Importance of Transformational Leadership
While transactional leadership has its place to serve the lower needs of Maslow’s hierarchy, the limitations found in transactional leadership could be addressed through the introduction of transformational leadership (Bass, 1999). Transformational leadership is the leader’s ability to motivate people to want to change, improve and to be led (Hall, Johnson, Wysocki & Kepner, 2002). This differs from transactional leadership, where the leader focuses on delivery; in transformational leadership, the leader focuses on empowering followers (Bass, 1999).
The power of transformational leadership is realised as followers take ownership for the success of an organisation. This behaviour is best observed in a cooperative organisation, where all members have a vested interest and their personal actions contribute to the success of the organisation. Core to transformational leadership are four factors known as the ‘four I’s’: idealized influence, inspirational motivation, intellectual stimulation and individual consideration (Hall, Johnson, Wysocki & Kepner, 2002).
2.3.1. Developing a Leader Through Trust and Transformational Leadership
As with transactional leadership, trust also has a strong presence within transformational leadership. This section will provide evidence that trust is rooted within the ‘four I’s’, the essential foundations for transformational leadership.
Leaders possessing idealised influence are trusted to make good decisions that benefit the organisation (Hall, Johnson, Wysocki & Kepner, 2002). As explained below, Mayer et al.’s (1995) definition of trustworthiness aligns the relationship between trust and idealised influence. Mayer et al. deconstruct trustworthiness down to three main factors: ability, benevolence, and integrity. Ability requires the leader to be skilled in a particular domain (Mayer, Davis, and Schoorman, 1995). Without the appropriate skills, the leader could not make good decisions for the organisation. Benevolence is the leader’s willingness to perform in the best interests of the organisation (Mayer, Davis, and Schoorman, 1995), aligning with the definition of idealised influence. Finally, integrity is the alignment and adoption of a set of principles (Mayer, Davis, and Schoorman, 1995), where the leader is aligned with the organisation that they are accountable to and reflects their values.
The ability to motivate employees to commit to the vision of the organisation is defined as Inspirational Motivation (Hall, Johnson, Wysocki & Kepner, 2002). It is important to note that motivation is not maintained through further incentives; rather, motivation is maintained by ensuring that employees are not de-motivated (SANS Institute, 2013). Through intrinsic motivation, a leader allows a follower to undertake important tasks in order to avoid de-motivation (SANS Institute, 2013). Important tasks used as motivators are defined by Herzberg to include responsibility and job challenges (SANS Institute, 2013). The follower assumes ownership of the task and possesses the inclination to complete it with additional attention (SANS Institute, 2013). In doing so, the leader bears risk by trusting the follower to undertake the task (Mayer, Davis, and Schoorman, 1995). Conversely, Mayer et al. noted that an organisation with low trust leads to increased monitoring of employees, which creates a demoralizing effect that could result in employees striking back, establishing a tit-for-tat environment (Mayer, Davis, and Schoorman, 1995).
Intellectual Stimulation defines leaders who encourage creativity through intellectual challenges (Hall, Johnson, Wysocki & Kepner, 2002). To illustrate trust for the criteria of Intellectual Stimulation, research from Ellonen et al. shows that trust through foundations established by the organisation is a major contributor in promoting a culture of innovation (Ellonen, Blomqvist, & Puumalainen, 2008). Ellonen et al. relate reliability to Mayer et al.’s definition of integrity, where reliability in leadership supporting innovation is ‘critical’ to steer innovation (Ellonen, Blomqvist, & Puumalainen, 2008).
Individual Consideration defines leaders as mentors helping followers achieve mutual organisational and personal goals (Hall, Johnson, Wysocki & Kepner, 2002). When aligned with a common vision, both the leader and the follower work together to achieve a common goal. A trustworthy leader will possess the ability to lead within the follower’s domain, demonstrating to the follower that the goal is also for their benefit (Mayer, Davis, and Schoorman, 1995).
The common vision can build trust in two ways: between followers towards the organisation and also between leadership and their followers. Building trust between followers and the organisation occurs by training managers on how to empower followers to take initiative and to operate autonomously (Gagné, & Deci, 2005). Secondly, leaders that are trustworthy possess ability, benevolence and integrity. These traits are important for leaders to mentor followers, benefiting both the follower and the organisation (Mayer, Davis, and Schoorman, 1995).
The presence and importance of trust within the four I’s satisfy the third hypothesis that trust is required in transformational leadership.
3. Developing Information Security Leaders through Transformational Leadership
There is evidence that transformational leadership has a place in the development of information security leadership to instil a culture of security within an organisation. Harkins applied several transformational leadership concepts during his tenure as Intel’s first CISO.
Harkins defined information security professionals as being in the “behaviour modification business”, indicating that security professionals must change behaviour in order to improve the organisation’s security posture (Harkins, M. 2013). This resonates with the core of transformational leadership.
Information Security leaders must develop their organisations beyond the basic level of compliance to avoid being susceptible to compromise. By making the organisation more aware of the threats, their security posture increases beyond that of compliance alone (Harkins, M. 2013). To achieve this, Harkins seeks to move from employees possessing ‘compliant’ behaviour over to ‘committed’ behaviour (Harkins, M. 2013), similar to what Groves & LaRocca pointed out with respect to CSR (Groves, & LaRocca, 2011).
Harkins realizes the pitfalls with current styles of information security leadership and he encourages leaders to establish a ‘process’ to lead employees to adopt a personal stake in information security (Harkins, M. 2013). He defines ‘committed behaviour’ as being able to define an emotional relationship with security, such that employees will act beyond their call of duty (Harkins, M. 2013). Harkins’ definition of ‘committed’ behaviour is in line with the core of transformational leadership, adopting the same approach where leaders possess the ability to get people to change, improve and be led (Hall, Johnson, Wysocki & Kepner, 2002).
Applications of Transformational Leadership through the concepts defined by the four I’s and the requirement for trust are seen in Harkins’ leadership style. Influencing employees to adopt secure behaviours at work and at home requires Harkins to possess Idealised Influence. The reason Harkins is seen by Intel as trustworthy is because he demonstrates that he is a champion within the information security domain, performing with the best interests of all parties and adopting principles which are aligned with the organisation (Harkins, M. 2013).
Harkins was quoted as saying, “If employees trust us, they are more likely to believe our warnings and act on our recommendations” (Harkins, M. 2013). This highlights the importance of trust in Information Security leadership.
One demonstration of Idealised Influence is the fact that Harkins elevates himself to serve as a role model for security within Intel. He achieves this through frequent communication with managers about information security (Harkins, M. 2013). When noticing an increase in laptop theft resulting in the loss of information, Harkins highlights the thefts to managers with the aim to reduce losses (Harkins, M. 2013).
With respect to information security, the positive response from Intel employees during an HR survey was an example of Inspirational Motivation. The survey commissioned through an external organisation on behalf of Intel HR was thwarted when employees mistakenly reported it as a phishing attempt to the security team (Harkins, M. 2013).
An application of Intellectual Stimulation is demonstrated within Intel through permitting the use of personal devices for corporate use. Through the mantra ‘protect to enable,’ Harkins aligns information security with Intel’s organisational culture, which promotes innovation (Harkins, M. 2013). By challenging traditional information security beliefs regarding the use of personal devices in the organisation, Harkins has permitted the use of personal devices for corporate use (Harkins, M. 2013). Harkins states that, as employees are the owners of the device, employees will take better care of devices (Harkins, M. 2013). This innovative thinking resulted in reducing the loss of devices, thus also reducing the instance of data loss (Harkins, M. 2013).
Another success story combining trust and aspects of transformational leadership involves the exchange of threat information with other organisations. Legal and competition threats make the exchange of threat information a high-risk move. Intellectual Stimulation through innovation allowing the exchange of threat information has enabled Intel to gain valuable insights in several areas, such as best practices for managing security operations (Harkins, M. 2013). This can only be achieved by promoting both Intellectual Stimulation and Individual Consideration.
Highlighting the importance of trust, Harkins adopts a sliding scale where, the more trustworthy the external organisation is, the higher the sensitivity of the information that can be shared (Harkins, M. 2013). Likewise, organisations must place a lot of trust in Harkins and Intel before exchanging information with them.
Relating threats directly to an individual’s personal life invokes a sense of Individual Consideration, where leaders help followers achieve mutual goals that benefit both the individual and the organisation (Hall, Johnson, Wysocki & Kepner, 2002). In one example, Harkins states that he taps into an individual’s emotions in order to highlight the importance of security (Harkins, M. 2013). Further to this, he carries this theme on to other aspects of personal life such as keeping children safe online and tips for wireless security at home (Harkins, M. 2013). Importantly, Harkins recognises the need to align organisational and personal values in order to create trust (Harkins, M. 2013).
The combination of these factors has provided Intel with a strong security posture. One example of this can be seen through the physical loss of laptops. Harkins states that the loss was less than 1% annually over several years, significantly lower than the industry standard of 5-10% annually (Harkins, M. 2013).
Relating transformational leadership to efforts as demonstrated by Harkins and his initiatives in Intel, future information security leaders could benefit immensely from adopting transformational leadership and creating a culture of trust.
4. Conclusion
Trust is the core to creating successful information security leaders. Empowering followers through trust and transformational leadership is a powerful means to increase an organisation’s information security posture. Powerful benefits, such as autonomy, development and intrinsic motivation amongst followers, aid both the organisation and the individual. Trust is the catalyst to facilitate the adoption of these benefits.
5. Further Research
Applications of transformational leadership have the potential to promote further proactive behaviours, such as adopting secure development mindsets and developing detective behaviour.
While this paper examines components of transformational leadership applied within one organisation, further research could investigate other organisations to see if transformational leadership has been applied with success within the realm of Information Security leadership.
Conversely, while this paper focuses on the benefits trust has on leadership and information security, the absence of trust provides an opportunity for further research.
References
Bass, B. M. (1999). Two decades of research and development in transformational leadership. European Journal of Work and Organizational Psychology, 8(1), 9-32. doi:10.1080/135943299398410
Bennis, W. G. (1993). An invented life: Reflections on leadership and change. Reading, MA: Addison-Wesley Pub. Co.
Drinkwater, D. (2015, April 16). Cyber-security pros blame breaches on skills gap. Retrieved Sep 26, 2015 from http://www.scmagazineuk.com/cyber-security-pros-blame-breaches-on-skills-gap/article/409393/
Ellonen, R., Blomqvist, K., & Puumalainen, K. (2008). The role of trust in organisational innovativeness. European Journal of Innovation Management, 11(2), 160-181.
Federal Bureau of Investigation. (2015, August 11). FBI: Nine people charged in largest known computer hacking and securities fraud scheme. Retrieved Sep 26, 2015 from https://www.fbi.gov/newyork/press-releases/2015/nine-people-charged-in-largest-known-computer-hacking-and-securities-fraud-scheme
Fitzgerald, P. (2015, August 20). U.S. settles whistleblower suit against Altegrity. Retrieved Oct 10, 2015 from http://www.wsj.com/articles/u-s-settles-whistleblower-suit-against-altegrity-1440090102
Gagné, M., & Deci, E. L. (2005). Self-determination theory and work motivation. Journal of Organizational Behavior, 26(4), 331-362.
Groves, K. S., & LaRocca, M. A. (2011). An empirical study of leader ethical values, transformational and transactional leadership, and follower attitudes toward corporate social responsibility. Journal of Business Ethics, 103(4), 511-528. doi:10.1007/s10551-011-0877-y
Hackett, R. (2015, August 26). Ashley Madison hack: Everything to know. Retrieved Sep 26, 2015 from http://fortune.com/2015/08/26/ashley-madison-hack/
Hall, J., Johnson, S., Wysocki, A., & Kepner, K. (2002, June). Transformational leadership: The transformation of managers and associates. Retrieved Sep 19, 2015 from http://edis.ifas.ufl.edu/hr020
Harkins, M. (2013). Managing risk and information security: Protect to enable. New York: Apress.
IBM/Ponemon Institute. (2015, May). IBM 2015 Cost of data breach study. Retrieved Sep 19, 2015 from http://www.ibm.com/security/data-breach
Kaspersky Lab. (2015, February 16). The great bank robbery: The Carbanak APT. Retrieved Sep 19, 2015 from https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
Kuhnert, K. W., & Lewis, P. (1987). Transactional and transformational leadership: A constructive/developmental analysis. Academy of Management Review, 12(4), 648-657.
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust. Academy of Management Review, 20(3), 709-734.
Morgan, J. (2014, September 11). Trust in the workplace: What happened to it, and how do we get it back. Retrieved Nov 23, 2015, from http://www.forbes.com/sites/jacobmorgan/2014/09/11/trust-in-the-workplace-what-happened-to-it-and-how-do-we-get-it-back/
Morgan, S. (2015, July 9). Worldwide cybersecurity market continues its upward trend. Retrieved Sep 26, 2015, from http://www.csoonline.com/article/2946017/security-leadership/worldwide-cybersecurity-market-sizing-and-projections.html
Nakashima, E. (2015, July 9). Hacks of OPM databases compromised 22.1 million people, federal authorities say. Retrieved Sep 26, 2015 from http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Peeler, J., & Messer, A. (2015, April 17). (ISC)² Study: Workforce shortfall due to hiring difficulties despite rising salaries, increased budgets and high job satisfaction rate. Retrieved Sep 26, 2015 from http://blog.isc2.org/isc2_blog/2015/04/isc-study-workforce-shortfall-due-to-hiring-difficulties-despite-rising-salaries-increased-budgets-a.html
SANS Institute. (2013). MGT514.5: Leadership and management competencies. Author.
Spector, M. D., & Jones, G. E. (2004). Trust in the workplace: Factors affecting trust formation between team members. The Journal of Social Psychology, 144(3), 311-321.
Takemoto, Y., & Knight, S. (2014, February 28). Mt. Gox files for bankruptcy, hit with lawsuit. Retrieved from http://www.reuters.com/article/2014/02/28/us-bitcoin-mtgox-bankruptcy-idUSBREA1R0FX20140228
U.S. Securities and Exchange Commission. (2015, September 22). Investor alert: Identity theft, data breaches and your investment accounts. Retrieved Sep 26, 2015 from http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html
Verizon Enterprise Solutions. (2015, July 9). 2015 Data Breach Investigations Report (DBIR). Retrieved Sep 19, 2015 from http://www.verizonenterprise.com/DBIR/2015/
Walder, N., Stempel, J., & Ax, J. (2015, August 12). Hackers stole secrets for up to $100 million insider-trading profit. Retrieved Sep 27, 2015 from http://www.reuters.com/article/2015/08/12/us-cybercybersecurity-hacking-stocks-arr-idUSKCN0QG1EY20150812
Zeffane, R., Tipu, S. A., & Ryan, J. C. (2011). Communication, commitment & trust: Exploring the triad. International Journal of Business and Management, 6(6), 77-87.
Zetter, K. (2011, September 20). DigiNotar files for bankruptcy in wake of devastating hack. Retrieved Oct 17, 2015 from http://www.wired.com/2011/09/diginotar-bankruptcy/