Leadership in Organisational Cyber Security

Date

2022

Authors

Psaroulis, Georgia

Advisors

Jerram, Cate

Type

Thesis

Abstract

Globally, most organisations are powerless to protect their information assets against the constant threat of hostile intruders, and leaders are uncomfortable with the potential threat and disruption to the deep-seated norms, patterns, and systems in their organisational setting. Yet little research exists on Leadership in Cyber security and existing cyber research is splintered across literature specific to individual disciplines that are only component domains of the broader cyber security multidiscipline. This study identifies and addresses “the role of strategic leadership in the complex issue of organisational cyber security”. This thesis argues that cyber security is a complex multidisciplinary leadership issue that must be – but usually is not – addressed systemically. This premise was formulated during employment in the cyber domain and my and colleagues’ experiences provided empirical drivers to investigate this phenomenon. Experience and anecdotal evidence indicated absence of corporate governance in organisational cyber security and ill-defined cyber-OAR (Ownership, Accountability and Responsibility). Chief Information Security Officers (CISOs) lack requisite status, and despite multiple stakeholders and government publications, most executives remain cyber-unaware and have no relationship with the CISO – if they have a CISO at all. Yet these vital issues remain unaddressed in academic publications. In late 2017, almost no literature existed on the topic and the focus issues were largely unrecognised and ignored. In ensuing years, some recognition and changes have emerged. Promising regulations have been introduced, previously unrecognised aspects researched and published, and visionary cyber leadership has emerged – which might suppose the research topic to be obsolete and unnecessary.
But in 2022, the situation is unresolved and despite visionaries, and increased government spending and awareness-building efforts, organisational cyber security is still not understood or practised by most executives. As an academic discipline and organisational practice, cyber security is still in its infancy. An emerging stream of research reveals multiple issues, including fragmentation across multiple academic and practitioner disciplines. Focus has typically remained on technical issues and challenges as computer science and information technology disciplines contribute the majority of published cyber security research, and only scattered articles address non-technology aspects of cyber security. Despite burgeoning interest in the ‘human aspects of cyber security’, when first scoped – with one exception – no research addressed cyber corporate leadership and/or cyber governance ecosystems. This accumulation of worrisome issues is increasingly critical for organisational survival and wellbeing and is substantive evidence of the need for research to address organisational cyber security and leadership. Planned as a thesis-by-publication, this research was purposefully designed as a three-phase study spanning five–six years. An exploratory study, the approach had to be qualitative and emergent. As an infant multidisciplinary domain, the first phase needed to be a scoping review to explore and compare literature across the principal sub-domains. Research commenced with exploring cyber security as a strategic, corporate governance issue that is complex, multidisciplinary, and currently fragmented. Analysis of the scoping review findings confirmed the original premise sufficiently to require a targeted literature review and permitted early conceptual models to be developed, graphically depicting the issues and their interrelationships, and to shape potential solutions and an aspirational future state of organisational cyber security and leadership. 
The Phase 2 targeted review led to the design of an empirical investigation. Guided by review findings, participants were selected, and questions designed. Interviews were conducted with 31 participants from 24 organisations from the Finance sector, following guidelines approved in HREC (H-2019-127). Analysis was primarily conducted using a series of coding passes: constant comparison, pattern and theme, and reduction of the multiple produced theme-codes to a few tightly focussed supra-codes. Graphic analysis was used throughout, creating a series of models to illustrate and synthesise findings, and develop conceptual frameworks. This coding method of analysis was also used for the literature reviews. Stakeholder theory was the primary filter for all analysis, selected due to the original premise that organisational cyber security is multidisciplinary but siloed and fragmented in academia and praxis. In Phase 3, the principal focus was deeper exploration through theoretical lenses and to develop new theory. Stakeholder theory remained the foundation, but all findings were revisited using a theoretical filter of Triple-loop learning. Papers for each of the three phases have been submitted to a leading journal. The body of this thesis is comprised of these papers in entirety, preceded and followed by a whole-of-work introduction and conclusion. The three papers are co-authored but all the initial foundations, including premises, questions, research objectives, interviews, analysis, and models are my original work. Therefore, from Chapter 4 onwards, I refer to the researcher/author in the plural, acknowledging the contribution of my supervisor/co-author, Dr Cate Jerram. Findings, conclusions, and recommendations are documented in the three abstracts, but briefly recapitulated here. Phase 1 concluded that traditional silos must be bridged or discarded, and a new common lexicon developed. Cyber security lexicons and approaches must align with corporate strategy.
Organisational executives must acknowledge and take ownership, accountability, and responsibility for their organisation's cyber security, and immediately address the role, status, and budget of the CISO. Phase 2, building from Phase 1, revealed that key mechanisms of corporate governance must promote a shared stewardship approach. The CEO and the CISO must work together and resolve cyber-OAR issues, and the corporate governance system and mechanisms need to simultaneously change and align with the CEO-CISO-OAR relationship. Any aspirational future state of cyber security must be embedded in a cyber corporate governance ecosystem. Phase 3 concluded our study with theoretical development and found Triple-loop learning approaches can reinvent and transform organisational cyber security. Clear and coherent cyber security must be directed by strategic leadership, and the business and cyber ecosystems must be integrated and intrinsically linked. As evidenced by the dearth of quality literature discussing the issues addressed here, few resources are available in this domain and all work in this thesis is original, except where referenced. This study makes three major contributions to theory and practice. Firstly, organisational safety and wellbeing requires corporate cyber governance that is led by the Executive. Secondly, it is imperative that the CISO be a strategic trusted advisor in cyber corporate governance, security, and resilience. Thirdly, any progress in advancing organisational cyber security is dependent on eliminating disciplinary fragmentation based in academic and professional silos, instead building cooperation and co-opetition, collaboration, and eventually a coherent, systemic multidiscipline. Finally, models are provided to illustrate these three major contributions and subsidiary contributions, culminating in the proffered concept of an aspirational future state of what we refer to as a ‘cyber corporate governance ecosystem’.
This research has produced contributions of value to research and praxis, and frequently to both. The contributions have significant implications that should affect current practice in organisational cyber security and leadership and pave the way for important new fields of research. Significant secondary contributions to practice include the recommendation that silos be discarded to enable a strong and holistic multidiscipline of cyber security. The first implication is that disciplines, professional bodies, and cyber educators (and all extended enterprise) need to strengthen collaboration and establish synergies. Government and quasi-governmental regulators play a vital lead role in cyber security but need to improve dissemination for wider uptake. Organisations, however, need both to become more aware and adoptive of regulations and government provisions, and to improve their ability to adapt any such adoptions to ensure appropriate cultural alignment. Principally, however, Executives must lead and coordinate, determine priorities, and break down barriers to meet organisational need, starting with recognition of the strategic value of cyber security and trusting the CISO as a vital strategic advisor. This research was conducted part-time over six years in a rapidly changing digital environment that preceded and included the COVID-19 pandemic and its aftermath (and ongoing ‘new normal’), which has inevitably affected the results. This is, though timely, a date-specific limitation. The span of time also saw changes eventuating in the cyber security domain that is the focus of the study. Nevertheless, though the constantly changing cyber landscape has been an impediment to conducting the research, effects on results, conclusions and recommendations have been minimised as much as possible. Primary research limitations are those inherent to qualitative approaches.
Empirical investigation through semi-structured interviews provided depth but prohibited large numbers for generalisability. Transferability to other sectors is a possibility, but the original field of enquiry was restricted to the Finance sector. Although an investigation into leadership in organisational cyber security, few participants were themselves CEOs or organisational Board members. Further research is needed across different industry-sectors, qualitative research directly engaging with Executive and Board members is needed, and sufficient explorative studies are required to eventually enable broader, generalisable studies.

School/Discipline

Business School

Dissertation Note

Thesis (Ph.D.) -- University of Adelaide, Business School, 2022

Provenance

This electronic version is made publicly available by the University of Adelaide in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. This thesis may incorporate third party material which has been used by the author pursuant to Fair Dealing exceptions. If you are the owner of any included third party copyright material you wish to be removed from this electronic version, please complete the take down form located at: http://www.adelaide.edu.au/legals
