Close filter
Cyber Security

Twitter Hack Underscores Need for CISOs with People Skills

Beyond safeguarding systems, cyber leaders must create a culture of security

  • July 2020

The recent Twitter hack shows that companies must continue to bolster the most critical part of their security infrastructure—their workforce. While cybersecurity professionals have been sounding the alarm about the threat of social engineering for a while, most cybersecurity programs focus on the technical aspects of the job—securing a company's systems and products. As companies become more technically secure, they must also become more secure in terms of their workforce. This requires strong leadership and engagement skills from cybersecurity professionals.  
 
The Twitter hack demonstrates the existential threat security vulnerabilities among employees can represent to a company, striking at the heart of customers’ trust that their information is secure and that the people behind a Twitter account—particularly high-profile people and entities—are who they say they are.
 
At Egon Zehnder, we have seen a steady increase in appreciation for these people-centric cybersecurity skills. Leaders across industries have been asking us to help them find Chief Information Security Officers (CISOs) who know how to collaborate across business units and assist in achieving business objectives, as opposed to simply acting as a technical rule enforcer— what we call a “Dr. No” CISO. 
 
The next step in this direction is to seek CISOs who can drive fundamental cultural change across an entire company and foster a culture of security. The ability to do this requires well-developed leadership and engagement skills, and the programs used to foster such a culture will demand more than regular, perfunctory security briefings.
 
When I reflect on this breach, I am reminded of my time in the military, which has had to deal with persistent, determined efforts to steal its information in the form of espionage. The military responded to this threat by training service members from the moment they enter the service to learn what espionage looks like so they can recognize solicitation by a spy at the earliest stage, know how to respond to the attempted coercion, and where to report it. The annual briefings could have come across as stale and superficial, but the military livened them up with real stories of spies and the damage they had done to the United States. This training permeates the workplace, for example, posters around the bases. Troops stationed overseas even see regular “infomercials” on the Armed Forces Network television station, hammering the principles home. Far from simply an annual requirement, awareness of the espionage threat is ingrained in the workforce.
 
As my friend Eric O'Neil (who helped take down one of the first cyber spies, Robert Hanssen) likes to say, “There are no hackers, only spies,” to illustrate the point that hacking is simply the natural evolution of espionage. Companies could learn a lot from the military, which has faced the persistent threat of espionage forever and has developed programs, however imperfect, to foster a universal culture of security. This will require cybersecurity professionals who take a comprehensive approach to security, recognizing that the mighty fortresses they build will never stop a determined attacker who convinces someone on the inside to let them in the back door. A stronger focus on the human element will help keep that back door shut and locked.

Topics Related to this Article

Changing language
Close icon

You are switching to an alternate language version of the Egon Zehnder website. The page you are currently on does not have a translated version. If you continue, you will be taken to the alternate language home page.

Continue to the website

Back to top