On the Traditional View of Leadership

March 1, 2024

management security

Leadership is a fascinating subject with many implications for our daily lives. For me, the purpose of reading the 159-page book “Managing Without Leadership: Towards a Theory of Organizational Functioning” by Gabriele Lakomski was to understand the role of leadership from a cyber security perspective, and how organizations should think about creating and building cyber security functions.

Traditionally, most of the advice provided to create cyber security functions within organizations follows a top-down approach to organizational layout. Here is an example from a Microsoft blog post in 2020 [1].


The idea is that you consult the leaders of the organization, and from there, you engage in risk management processes. From these risk management processes, you drive a set of controls (generally surfaced via policy and standards) that are to be applied within the organization. Your technical security functions, such as architecture, are then tasked with implementing “security” into your organization across the various levels/views. These levels and views can be as abstract as “people” to as specific as “infrastructure and endpoint”. Bolt on some monitoring and plan for incidents, and you now have a half-ish loop that should provide some security benefit to your organization.

This traditional top-down model has never sat well with me for various reasons. When considering leadership within the context of cyber security, important questions emerge. Who are the leaders that we should be consulting from a risk management perspective? Can there ever be a “leader” that “knows-all” when it comes to risks of an organization? Can “leaders” actually control an organization to infuse cyber security into operations within this top-down view of cyber security? Is this top-down view of cyber security functions actually effective?

I think we can safely answer the last question posed. It is not. Organizations large and small are hacked on the daily, and it would be safe to assume that most follow these traditional views to various extents. The rest of the questions involve actually understanding what leadership means in the organizational context, which was the purpose of the book. I will do my best to summarize the key points the book makes.

  • Any theory of leadership needs to be grounded in our natural ways of learning. More specifically, the theory of leadership needs to take into account how leaders actually learn to be leaders.
  • Current theories of leadership are empirical in nature, and have been “proven” using the hypothetico-deductive methodology. Since our human observations are always theory-laden, we cannot actually attribute “leadership qualities” to “leaders”.
  • Further, concepts such as “values” cannot be observed directly, and so researchers turned to creating operational definitions and matched observations against those definitions. They ignored that these operational definitions could “come-about” via different mechanisms than the traditional view of leadership.
  • Traditional views of leadership are based in the traditional symbol-manipulation (language) view of learning, which we know to not be true. Sub-symbol processing is key to our knowledge.
  • Adopting concepts around human cognition seems a better fit to explain how organizations function than the traditional view of leadership. Organizational culture, described in terms of cognitive processes, better explains the emergence of “leadership qualities” within organizations.
  • “The centralized mindset is a mere fiction, although it seems to serve some people’s purposes well some of the time” (page 142)

Obviously I’m missing quite a bit from the summary above, but the point is that what we see as “leadership” within an organization can be explained by more than just the traditional top-down model. These other “bottom-up” views provide a more coherent explanation for what is actually going on, or, better yet, how an organization actually functions. It is not that leadership does not exist; it is that we need to take an expanded view of leadership that extends beyond “the skull” of any one individual.

What does this mean for cyber security?

For me, this book has provided the foundation for thinking about cyber security differently within organizations. Making use of both top-down and bottom-up approaches and using cognitive processes as a blueprint for organizational functioning makes a lot of sense. One way to think about this is understanding that there is so much that goes on, from a human perspective, that we are not conscious of and may never be conscious of. We can, however, turn our awareness towards some of these processes to bring them to light. Further, we are probably aware when anomalies occur and focus our attention. An analogy here is walking. I am probably not conscious of all the technical details that go into moving my foot for the next step, but I would definitely be aware of my step if I stubbed my toe. Skipping a lot of steps and thoughts here (this is a blog post after all), I’m wondering if these new views of leadership can help us organize cyber security within organizations better, to achieve better outcomes.

For example, maybe there is a natural division here. Centralized cyber security functions are for organizational audit/monitoring/exception management only, and the rest of cyber security (real security) is embodied and embedded within various levels of the organization. These centralized/de-centralized functions are connected and integrated, allowing for the co-evolution of both functions in parallel. Security then becomes an application of abstract concepts to context-specific situations (by teams) with an output of reporting/monitoring to the organization.

What does this mean in practice? Well, a lot actually. The specifics of how, where, and who is responsible for security shift in meaningful ways within the organization. An area worth exploring in the future.