
Leadership and Risk Management In IT Security: How to Guide an IT Security Team in a Complex Organization

By John Stambelos and Erik Rasmussen

December 2, 2022


John Stambelos is the CIO at the Quinn Emanuel Urquhart & Sullivan. He manages the firm’s IT operations, and helps support key client relationships by working directly with their representatives during frequent IT security assessments. Before joining Quinn Emanuel, he was the founder of a cybersecurity consulting firm that helped its clients investigate large-scale data security breaches and implement strong cybersecurity programs. He was also the senior technology executive for California-based Munger, Tolles & Olson for 15 years, and a senior member of the IT leadership team for Chicago-based Katten, Muchin Rosenman for more than a decade before that. johnstambelos@quinnemanuel.com

Erik Rasmussen is a Principal at Grobstein Teeple, LLP (“GT”) and the global head of the cybersecurity and risk management solutions practice. He is also the lead on handling any internal security matters for the firm. He is an active attorney in Washington State and has almost 18 years of experience in cyber security and enforcement. Prior to joining GT, Rasmussen was a Managing Director at a global risk management firm where he led a team of cyber security experts. For more than 9 years, he was a Special Agent with the Secret Service, where he conducted dozens of domestic and international computer crimes investigations. erasmussen@gtllp.com

It is no surprise that organizations struggle to implement “reasonable” IT security controls. The term “reasonable” is vague, but “IT security controls” are a blend of tooling and skills used to reduce organizational risk. Implementing these controls requires determined leadership.

So which controls work and how does a leader ensure they are implemented? The answer depends on your IT leaders’ ability to correctly interpret IT policies.

Too often, there is a gap between what is written in IT policies and what is actually implemented. Closing these gaps is the function of the general counsel. Having poorly written or inconsistently implemented policies can actually be worse than having no policies at all. You never want to discover that your written policies are misaligned with your controls during a crisis. You must have confidence that written controls are demonstrably implemented. Eliminate anything that is not.

Organizations must winnow their written IT security policies to rid themselves of aspirational statements and maintain a core set of “must-have” policies, the most important of which is an organization’s log retention policy. It is impossible to assess the impact of a data breach, especially whether data was exfiltrated, without sufficiently detailed and immutable machine logs. Retaining accessible and immutable logs is an essential part of any reasonable set of IT security controls.

Device logs are not always retained according to an organization’s written retention policies. Worse, retention periods may be inconsistent from one device to the next, so an investigation can reconstruct the firewall’s view of an incident but not the VPN gateway’s. We advise clients to retain logs for at least six months and preferably one year, because most data breaches begin months before they are detected.
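The check below is an added example, not code from the article or its authors. It measures the retention each log source actually delivers (time from the oldest record still held to the audit date) and compares it against the six-month minimum and one-year preference stated above, which is the kind of evidence that shows whether the written policy is demonstrably implemented. The log format (an ISO-8601 UTC timestamp, then a source name, then free text), the source names, the audit date and the sample records are all constructed for illustration.

```python
"""Compare observed per-source log retention against the written policy.

Constructed example. Assumes each retained record starts with
"<ISO-8601 UTC timestamp> <source> <message>"; real collectors will
need their own parse_line().
"""
from datetime import date, datetime, timezone

POLICY_MIN_DAYS = 180        # "at least six months"
POLICY_PREFERRED_DAYS = 365  # "preferably one year"

# Constructed sample: oldest and newest record still held for each source.
SAMPLE_LOGS = """\
2022-01-10T08:00:00Z firewall-edge deny tcp 203.0.113.7 -> 10.0.0.5:445
2022-11-30T09:15:00Z firewall-edge accept tcp 10.0.0.12 -> 198.51.100.3:443
2022-09-01T06:30:00Z vpn-gw login ok user=alice src=192.0.2.44
2022-11-29T22:10:00Z vpn-gw login fail user=bob src=192.0.2.91
2021-11-15T12:00:00Z ad-dc kerberos tgt-request user=carol
2022-11-30T07:45:00Z ad-dc kerberos tgt-request user=dave
"""

AS_OF = date(2022, 12, 1)  # hypothetical audit date


def parse_line(line):
    """Split one record into (timestamp, source); message text is ignored."""
    ts_str, source, _message = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, source


def earliest_record_per_source(lines):
    """Oldest retained timestamp per source; this is the retention floor."""
    earliest = {}
    for line in lines:
        if not line.strip():
            continue
        ts, source = parse_line(line)
        if source not in earliest or ts < earliest[source]:
            earliest[source] = ts
    return earliest


def classify(days, min_days, preferred_days):
    if days < min_days:
        return "BELOW_POLICY"
    if days < preferred_days:
        return "MEETS_MINIMUM"
    return "MEETS_PREFERRED"


def audit_retention(lines, as_of, min_days=POLICY_MIN_DAYS,
                    preferred_days=POLICY_PREFERRED_DAYS):
    """Map source -> (observed retention in days, policy status)."""
    result = {}
    for source, earliest in earliest_record_per_source(lines).items():
        days = (as_of - earliest.date()).days
        result[source] = (days, classify(days, min_days, preferred_days))
    return result


def retention_spread_days(result):
    """Difference between the longest and shortest observed retention.

    A large spread is the inconsistency the text warns about: the
    policy may be met on paper while one device forgets months earlier
    than the others.
    """
    days = [d for d, _ in result.values()]
    return max(days) - min(days) if days else 0


def below_policy(result):
    """Sources whose observed retention is shorter than the written minimum."""
    return sorted(s for s, (_, status) in result.items() if status == "BELOW_POLICY")


if __name__ == "__main__":
    findings = audit_retention(SAMPLE_LOGS.splitlines(), AS_OF)
    for source, (days, status) in sorted(findings.items()):
        print(f"{source:14s} {days:4d} days  {status}")
    print("spread between sources:", retention_spread_days(findings), "days")
    print("below policy:", below_policy(findings))
```

Run against a real estate, the script would be fed the oldest record each collector still returns; the sources it lists under below_policy are exactly the gaps between the written policy and the implemented control that the article says must be closed or eliminated.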

Your IT security team must work with you to ensure organizational risk management goals are actually implemented in the underlying technology. But IT teams are heavily task-oriented. They require a leader who understands the subtle distinction between leadership and management.

Most senior IT staff face a difficult career choice at some stage of their professional development: do they continue to hone their technical skills or become a leader? Once becoming a leader, they often lose technical skills as they grapple with new management responsibilities. 

Organizations overemphasize management skills at the expense of leadership skills. We think the distinction between the two is a vital part of developing an adaptive IT security team able to implement your written IT policies. But IT security team leaders often focus on device configuration management rather than on understanding how that device fits into the organization’s broader risk management objectives. Helping staff distinguish between the two is the role of a leader.

It’s vital that the general counsel guide emerging IT security leaders as they cultivate their own leadership philosophies. Help them to align their leadership philosophy with the organization’s risk management objectives. 

What kind of leader they become is critical to their ability to build a competent team. For example, are they an inclusive leader? A situational leader? A principled leader? Or are they still trying to retain their technical skills? The importance of your guidance here cannot be overstated.

Developing a leadership philosophy will help them guide their technical teams during a crisis to make informed risk management decisions before you become involved. 

Next, consider circulating regular questionnaires to your IT security team, such as the Leadership Trait Questionnaire. It’s vital that you gain a nuanced understanding of which characteristics help them function better. The general counsel can help cultivate IT security leadership by spotting staff members who exhibit initiative and a desire to gain a deeper understanding of an organization’s risk management goals. IT staff who seek professional certifications might be encouraged to consider honing their leadership skills. 

Help to create a professional development plan and protected time so they can pursue certifications. Consider rewarding their initiative with team leadership. 

IT security professionals are in extraordinarily high demand. Despite possessing complex technical skills, they often struggle to glean an organization’s risk management objectives. Guiding technical staff to make day-to-day risk management decisions is the job of a leader. 

Not everyone will agree on whether management or leadership is more important. But it is essential to empower IT security leaders to make daily risk management decisions that require judgment and intuition. Those decisions must be aligned with the organization’s written policies and risk management goals. The more leaders learn about organizational goals, the better equipped they are to make those day-to-day judgment calls about risk. And that affects everyone.
