In Changing the monolith—Part 1: Building alliances for a secure culture, I explored how security leaders can build alliances and why a commitment to change must be signaled from the top. But whose support should you recruit in the first place? In Part 2, I address considerations for the cybersecurity team itself, the organization’s business leaders, and the employees whose buy-in is critical.
Build the right cybersecurity team
It could be debated that the concept of a “deep generalist” is an oxymoron. The analogy I frequently find myself making is you would never ask a dermatologist to perform a hip replacement. A hip replacement is best left to an orthopedic surgeon who has many hours of hands-on experience performing hip replacements. This does not lessen the importance of the dermatologist, who can quickly identify and treat potentially lethal diseases such as skin cancer.
Similarly, not every cybersecurity and privacy professional is deep in all subjects such as governance, technology, law, organizational dynamics, and emotional intelligence. No person is born a specialist.
If you are looking for someone who is excellent at threat prevention, detection, and incident response, hire someone who specializes in those specific tasks and has demonstrated experience and competency. Likewise, be cautious of promoting cybersecurity architects to the role of Chief Information Security Officer (CISO) if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. CISOs, after all, are not technology champions as much as they are business leaders.
Keep business leaders in the conversation
Leaders can enhance their organizations’ security stance by sending a top-down message across all business units that “security begins with me.” One way to send this message is to regularly brief the executive team and the board on cybersecurity and privacy risks.
Keep business leaders accountable about security.
These should not be product status reports, but briefings on key performance indicators (KPI) of risk. Business leaders must inform what the organization considers to be its top risks.
Here are three ways to guide these conversations:
- Evaluate the existing cyber-incident response plan within the context of the overall organization’s business continuity plan. Elevate cyber-incident response plans to account for major outages, severe weather, civil unrest, and epidemics—which all place similar, if not identical, stresses to the business. Ask leadership what they believe the “crown jewels” to be, so you can prioritize your approach to data protection. The team responsible for identifying the “crown jewels” should include senior management from the lines of businesses and administrative functions.
- Review the cybersecurity budget with a business case and a strategy in mind. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a “good fit” for the organization is recommended.
- Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization. Ensure that it’s effective against attacks that could be considered “acts of war,” which might otherwise not be covered by the organization’s policy. Review your policy and ask: What happens if the threat actor was a nation state aiming for another nation state, placing your organization in the crossfire?
Gain buy-in through a frictionless user experience
“Shadow IT” is a persistent problem when there is no sanctioned way for users to collaborate with the outside world. Similarly, users save and hoard emails when, in response to an overly zealous data retention policy, their emails are deleted after 30 days.
Digital transformation introduces a sea of change in how cybersecurity is implemented. It’s paramount to provide the user with the most frictionless user experience available, adopting mobile-first, cloud-first philosophies.
Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. Look for ways to prioritize the user experience even while meeting security and compliance goals.
Incremental change versus tearing off the band-aid
Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a “new” car. It doesn’t make sense: You still have to drive the car, even while the replacements are being performed!
Similarly, I’ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. However, this draws out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn’t “purchase” a new car this way; why take this approach for your organization?
Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.
Fewer organizations take this alternative approach of “tearing off the band-aid.” If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization’s highly motivated employee base will adapt much more easily.
Stayed tuned and stay updated
Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Similarly, process is the orchestration of the effort, and is necessary to enhance an organization’s cybersecurity, privacy, compliance, and productivity.
In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.