The Heartbleed Bug: Does Malware Provide a New Backdoor to Measuring Leadership Effectiveness?

I’ve got a personal interest in this post. My son will start at university in August and will study cybersecurity (Stevens Institute of Technology, glad you asked). So that’s getting a lot of my attention right now. Heartbleed just added yet more.

Seems like you can’t read the news these days without reading about yet another cyber-attack. It’s either banks, retailers like Target, the government, the Chinese or even our own guys. You never really know who’s going to get you. About the only thing you can be sure of is that they are going to get you and it could be really big.

We all love taking about the Cloud and Big Data. But the more stuff in the cloud, the more it brings out the hackers. The bigger the Data, the more data there is to purloin or whatever. No-one’s immune since, essentially, every business has become an IT business. The only thing you can be absolutely sure of it that it’s a growth business, up there with Google and Facebook, but probably a lot bigger. At least that’s what I tell my son.

So what’s Heartbleed got to do with leadership, talent development and management and all those good things? Surely there’s no connection between the exalted ideals and practice of leadership on the down-and-dirty technical details in computers and systems?

Well to start with, how about the responsibility to protect your customers from harm? Or to increase stockholder value, which is diminished, possibly drastically, when hackers (or competitors, governments, etc.) steal your valuable customer data and then commit massive frauds on you? Or to protect yourself from competitors who want to steal your intellectual property? How about protecting your company against foreign countries, who shall be nameless but we all know who they are, who want to steal your secrets both for commercial and military reasons?

I recently met a gentleman at a university tour who turned out to be from a well-known defense and aerospace company. He was a senior IT guy. We got to discussing security and he told me it was a major problem for them. Apparently they keep on discovering computer programs and other types of code often written in Chinese in places they absolutely shouldn’t be. I wonder how that is impacting this company’s stock price? Or when we will see their copied products for sale from an un-named foreign country?

Of course, we are not just talking about Heartbleed. This is about all forms of malware, the types of which are multiplying geometrically. I don’t think it’s too much to say that the computer security issue has vaulted well ahead of the capacity of most organizations, private and public, to address it. And probably the good guys are losing right now, although since the vast majority of these incursions are sub-rosa, most of us, even the professionals don't realize that yet.

When organizations lose their data, its isn’t just the companies themselves that lose out. Private citizens lose their privacy. Or their life savings. Or their very identity. Computer security problems aren’t just a corporate issue, they are very personal to the people who are targeted. Right now the number of such people is skyrocketing

When Target (belatedly) admits it lost 70 million customer records, you know it isn’t the only company or government organization in that position. Foreign organizations, public and private, already have the wherewithal to tap into our national electric grid to do bad things to it. The list goes on.

The leaders of companies and public sector organizations make the excuse that it’s difficult to protect against cyber-issues. That’s true but it’s not a good excuse. That’s why they are getting paid the big bucks. If a leadership team can’t figure out how to address the issues it should give the job to someone else who can.

Technical vulnerabilities on this scale are not just or even mainly a technical issue. They are a managerial and ultimately a leadership issue. The problem for most companies and organizations is that they are still mentally working in environments modeled on the good old days when computer incursions weren’t such a serious matter. Clearly the generals, and the CEOs, are still fighting the last war.

When you see the next publicized security incursion, ask yourself this: what was leadership not doing that allowed this to occur? Doesn’t that leadership team need to lift its game? Drastically?

The first job of any government is to keep its citizens safe. The first job of any company is to keep its customers and stockholders safe too. If it can’t do that it’s not doing its job. The safety of customers, stockholders and stakeholders should be the paramount concern of organizations, public and private.

Until now, most accounts of security problems have been viewed as due to poor technical preparation and management. But the security of systems is a litmus test of management and leadership effectiveness, not just one of technical competence. That’s because it’s about the security of the business itself and its customers, its very lifeline for commercial survival, not just its products or boring data.

In evaluating leadership we have to move well beyond traditional notions of how well leaders meet the expectations of followers and stockholders to create a good working environment and successful financial performance. We have to add the safety of their employees, the protection of customers, including of their lives and livelihoods and, not least, the good reputation of the company itself.

If leaders run a nice company with good financial returns, but without doing that, they have failed just as surely as if they had taken the company into bankruptcy.