5 areas IT leaders should be followers

Enterprise leadership is not only knowing how to lead, but when to follow.

Recent events have demonstrated that sometimes, to lead is to follow. Here are five key areas where following is the path to great leadership.

1. Mobile security

The single richest target for mobile cyberattacks is the c-suite, according to a report from MobileIron called "Trouble at the Top" (and also according to common sense).

If targeted social engineering attacks via email and SMS aimed at employees can be described as a "spear phishing attack" or "phishing attack," those targeting high-level executives are "whaling" attacks. As in a big, fat target.

Top executives tend to carry and have access to higher-value data. They also tend to have the most relaxed attitudes toward mobile security, according to MobileIron. Such executives find mobile security protocols frustrating, limiting and confusing.

Leadership and authority mean that the c-suite has the power to ignore security protocols -- using unsupported devices and apps and skipping multi-factor authentication, to name just a few examples. But this is a mistake, and a common one.

Leadership doesn't confer expertise. It simply means that your own personal mobile security tools and practices need to be at least as strong as those of other employees, or you become the perfect target -- easier to hack and more profitable to breach.

So when it comes to tools, policies and practices for mobile devices, enterprise leaders need to follow the lead of security specialists in the company -- and show all employees that security systems are for all employees, no exceptions.

2. Password policy

A few years ago, I was leading a brainstorming session among IT leaders and security specialists. One of the participants was the security lead for a major metropolitan court system. One of his first initiatives upon taking the position was to fix their almost non-existent password policy, which included requiring strong passwords.

One judge -- whose password for accessing the court system, including court records, was something like "password123" -- simply refused to use a strong password or even change his weak password for another weak password. He just didn't want to and flat-out refused.

Since no one overruled the judge, an exception was made so he could continue to use his easy-to-guess password (which he no doubt used elsewhere as well). This failure of leadership -- this unwillingness to follow -- exposed the community's legal system to a catastrophic privacy breach.

He did this because he was a bad judge -- or, at least, was a man capable of bad judgement -- and a weak leader.

Leadership in this case is to follow the password rules like everyone else.

3. Security spending

Ok, you still need to lead and not follow on this one.

But it's time to take the recommendations of security specialists in your organization more seriously when they recommend security budgets.

Gartner says spending on information security may increase only 2.4% this year, down from previous projections of 8.7% (total 2020 security spending is expected to exceed $123 billion). Cloud security spending is expected to grow 33.3% this year. It's not clear whether these predictions represent some companies increasing spending and others going out of business. We'll find out eventually.

Of course, every organization has a different calculation to make on budgeting for cybersecurity, taking into account existing infrastructure, number of employees, the nature of the specific industry, and the risks and business impacts of such spending and deployment.

In a world where the coronavirus crisis has forced an acceleration of digital transformation, as well as other trends that include remote work, the attack surface of the average organization has suddenly increased. Both digital transformation and remote work increase cyber risk.

The crisis has also been accompanied by (or driven) a rise in attacks. DDoS attacks are way up (fewer attacks, but their complexity and size are much greater than in previous years). Mobile phishing attacks are way, way up. Attacks that target work-from-home employees are through the roof (well, through consumer ISPs, anyway). Cybercriminals are exploiting the pandemic.

Attacks are on the rise. The cost of attacks is on the rise. The risks are on the rise. Cybersecurity spending and IT infrastructure spending should reflect all this.

Many companies are cutting back drastically. The easy places to cut in the short term for most organizations are business travel, office space and executive bonuses. The hardest way to cut is layoffs and the closure of business units. But the most unwise place to cut is cybersecurity.

Listening to the budget recommendations of the security specialists in your organization requires real leadership because if the higher spending stops catastrophic attacks, you'll never get credit for it. The spending will seem unnecessary because you'll never know the extent of the damage prevented. However, if you ignore the requests and slash the security budget and you're unfortunate enough to be hit with a catastrophic attack that could have been averted, you'll definitely get the blame.

4. Pandemic response

Responding to this pandemic, future pandemics or any society-wide crisis or natural disaster requires creativity, empathy, transparency and decisive action. But a pandemic is no time for iconoclastic decision-making.

Public health officials and pandemic-response leaders are detailing guidelines, best practices and rules for how to protect society from viral infections. And to be a good leader during a pandemic is to stay current with and follow these rules.

More than that: Show by example (even if it feels symbolic). Wear a mask. Enforce and participate in social distancing rules. Enable and maximize work from home policies. Stay closed when the advice is to stay closed and don't open until the advice is to open.

The coronavirus crisis is one that threatens public health, and also threatens public mental health. This is the best time for role modeling -- to model self-care in support of your employees' physical and mental health.

In short, leading your company, department or team during a pandemic means helping public health officials lead.

5. Employee-initiated philanthropy or advocacy

Sometimes social causes, charities, philanthropies or other good works seize the imagination of a critical mass of employees, and they start organizing to support it with actions or fundraising.

The response to this by leadership can be one of three general directions: 1) Resist or suppress it; 2) take no action; 3) join and support from a leadership position.

While it's a great idea for leaders in the company to develop causes to support, causes come from employees, too. And when the cause is compatible with the values of the organization, the best response is to support it materially by offering resources, time and money.

We live in troubled times. Now is the time to step up and lead. And great leaders know how and when to lead. And they know when to follow.