Cybersecurity is important. In talking to executives, it would be hard to imagine someone disputing that statement based on today’s climate. Experts estimate that the 2017 Equifax breach cost the company $439 million. It’s believed that Target lost $292 million as a result of its 2015 breach. CISOs and CEOs have their jobs threatened by failures to have adequate security.
While cybersecurity may be every executive’s job, there is frustration at every level of the corporation while trying to make progress. Ask any gathering of executives on the topic of security and there will be plenty of stories shared about having too much security or not enough.
Everyone agrees that security is important. The majority of the friction among the C-suite is about how to translate that sentiment into what a company should do about it.
Whether you are a CISO, CEO, another team member or someone interested in promoting security among your leadership team, there are a few key principles to keep in mind when attempting to effectively promote a cybersecurity culture at your company.
Make It About People
Security seems like it should be job No. 1. But in reality, it is not. Is quality job No. 1? Is growing the company? Realize that there are many objectives contending for attention. Appreciate that even though there are common goals, people have their own goals and interests that may not line up with yours.
Who are your decision-makers and influencers? What are the biggest concerns, priorities and goals that those people have? Look for ways to achieve the proverbial win-win scenario. Will adding a tool to help with security also help ops with uptime? Will spam filtering help not only thwart phishing attacks but also prevent people’s inboxes from being full of junk? Will a compliance initiative help sales get into bigger accounts? Will a new security initiative result in blogs that help marketing advertise trust as part of branding?
Are there gaps in knowledge? Perhaps focus on reducing those knowledge gaps to create a baseline of understanding.
Understand Where You Are
Without an understanding of where you are, even if you know where you want to be, you are missing a key component needed for figuring out how to get there.
Do you understand your risks? Do you understand what others in similar situations have done? Do you understand the best practices and the emerging threats?
With visibility and assessment, it becomes clearer what the needs are, where the low-hanging fruit is and what the unknowns are that need to be figured out.
Vision And Priorities
If you don’t have vision and priorities, you may just be reacting to the issue of the week but with no strategy about how to make things better. It’s easy to feel one is making progress by having easy wins that do not add up to moving the needle.
That being said, Rome wasn’t built in a day. Your vision and priorities help frame the baby steps that hopefully can translate to bigger leaps. But it’s important to bring people along with you and understand where people are. As your team moves together, that sets up lasting sustainable momentum. Driving ahead faster than others can keep up could result in discord, chaos or, even worse, backlash.
Celebrate Progress
When viewing your cybersecurity practices with sticks and carrots in mind, remember that sticks are easy, but carrots are hard. Focus on the carrots.
People are encouraged more about being a standout among their peers for moving progress forward. Embarrassment and criticism often result in people withdrawing, not engaging, avoidance and other dysfunctions that can starve an organization of the flow of communication and creative energies that make change possible.
Be assertive and blunt if necessary in the wake of mistakes or blunders, but know that once people lose sight that you are on their side, then you’ve lost your influence.
The More The Merrier
You may have ideas, and your ideas may be excellent, but if you are always the one talking, then you are not the person listening. Most likely, no one else is either.
Include others in the process of discussing your cybersecurity practices. Put problems and challenges before people, illustrate what others have done and let the team contribute to the decisions of what would be most appropriate for the company’s needs.
This will accomplish multiple objectives. It allows people to feel a sense of ownership with the process and will yield better ideas that are suited for your company’s specific needs.
Inviting opinions from outside your security team also helps break up any stale dynamic that exists. An idea presented from a different perspective can yield a fresh look at something that may have been dismissed earlier.
Review And Measure
Sometimes in the course of events, it may look like little is being done. However, by taking a retrospective approach to analyzing progress (e.g., reviewing the last quarter, or 6 months, or year), it allows your team to clearly see how far they’ve come. It also lets them see the reasons for why something might have stalled. Was it a bad idea? Did you take on too much? Did you lack planning? Should you do something different? How can you do better?
The key is to have some types of measurement. If things are qualitative, they can be subject to debate, which can help refine your security practices.
Security Is Hard
Like any change, improving security is hard. Understanding what needs to be done, formulating solutions in the context of your organization’s needs, and aligning with leadership’s goals enables an effective coalition that builds toward progress. Change may not happen immediately, but as fast as leaders can address concerns, they will be able to cultivate a culture that will take on a life of its own to continuously move the organization in a way that turns desires of strong cybersecurity into a natural and effective way of getting things done.
Source: forbes.com
Author: Boris Chen