Leadership Perspective: Four Methods for Cyber Leaders to Produce More with Minimal Resources
Phillimon Zongo, co-founder and head of Cyber Leadership Institute, a rapidly expanding network of cyber leaders from more than 50 different countries.
Struggling economies are forcing organizations worldwide to decrease cybersecurity budgets, lay off personnel, and halt new hires and promotions. According to the 2024 ISC2 Cybersecurity Workforce Study, which surveyed 15,852 international professionals and decision-makers, "25% of respondents reported layoffs in their cybersecurity departments, a 3% increase from 2023, while 37% faced budget cuts, a 7% increase from 2023." These reductions have significant effects on cybersecurity teams' capacity to protect the organization.
In the following section, I present five tried-and-true strategies for chief information security officers (CISOs) to maintain cyber resilience despite shrinking budgets, based on my experience as a virtual CISO and collaborating with numerous cyber leaders.
Focus on hiring diversity.
CISOs should resist the temptation to hire direct reports who always agree with their ideas. Instead, cultivate a vibrant culture where staff are encouraged to challenge misaligned cybersecurity strategies. Allocate the limited budget to hiring skills that cover blind spots and rapidly build transformation momentum. Research shows that diverse teams frequently reexamine facts and remain impartial. They also hold one another accountable, preserving their collective cognitive resources and vigilance. This reduces waste and ensures small teams concentrate on what is most important.
Encourage a culture where staff feel respected.
To sustain cyber resilience as budgets shrink, instill the right cultural attitude at the top level. This necessitates dismantling hierarchical structures that hinder innovation and staff participation. Consider occasionally visiting your staff's desks and asking if there is anything your team could improve. Encourage your team to share their thoughts on cyber resilience strategies to ensure that frontline staff feel involved and part of a strategy they helped create, rather than one imposed upon them.
Consider replacing the proverbial stick with the carrot. One approach is implementing monthly Cyber Hero awards, allowing cybersecurity staff to nominate peers who go above and beyond in upholding the values of the cyber transformation program. These peers can then be recognized during company-wide town hall events, disseminating key cyber transformation messages throughout the organization. CISOs should also avoid using the word "I", making it clear that they are not saviors and that success results from a shared vision and collective effort, not solo contributions.
It's also essential to continuously challenge established practices. For instance, why require technical staff to spend four days a week in the office and waste valuable commuting time, only to be confined to their screens addressing security incident tickets when they could be equally effective working from home?
Foster teamwork and collaboration.
Michael Jordan, the six-time NBA champion and one of the greatest athletes ever, correctly stated, "Talent wins games, but teamwork and intellect win championships." This maxim holds in cybersecurity as in sports. Sustained transformation requires cyber leaders to actively promote psychological safety, a deep-rooted belief that their teams are encouraged to innovate, make mistakes, and learn from them without fear of repercussions. Staying ahead of cyber threats with dwindling resources necessitates highly motivated teams that cohesively navigate challenging moments. While individual accomplishments should be celebrated, CISOs should focus on departmental key performance indicators (KPIs) and acknowledge staff who promote teamwork and contribute to broader goals.
However, no CISO can sustain a collaborative culture without identifying and removing toxic individuals. These are high-performing, technically skilled individuals who take credit for others' successes, dismiss opposing ideas, and prioritize their own accomplishments over everything else. It's crucial to sever ties with these types of employees before they negatively impact team morale.
Eliminate unproductive projects.
Let's be honest: most cybersecurity teams are swamped with sacred cow projects, programs that have outlived their usefulness and exceeded their budgets but are considered untouchable or immune to scrutiny. Leadership in cybersecurity demands courage: the ability to eliminate unnecessary security projects (such as "achieving zero trust by 2025") and allow the team to focus on specific, high-impact projects with measurable outcomes.
Equally crucial is to direct limited resources towards high-impact, clearly defined, and measurable initiatives. By simplifying cybersecurity objectives in business-related language, reiterating the larger purpose, and associating individual and team KPIs with business objectives, you provide your team with a clear focus and a heightened sense of purpose.
For example, changing the ambiguous KPI "Facilitating penetration testing on all new APIs before go-live" to "Creating a comprehensive inventory of APIs and implementing non-negotiable controls across 100% of APIs to ensure physicians have timely and secure access to patients' healthcare information" can offer a measurable goal and instill a stronger sense of purpose in security teams.
Looking Ahead
To drive lasting change despite all odds, CISOs must relentlessly focus on cultural transformation. However, achieving this requires meticulously preserving the positive aspects of the old culture, removing toxic elements, and harnessing their emotional intelligence to navigate the complex web of stakeholders.