All risk management starts with business leadership, and that includes managing cybersecurity risk. It doesn’t matter if CEOs have the technical know-how, but it matters greatly that you frame what is worth protecting before leaving how to protect it to IT experts. You can’t just hand it off to the tech team, and you don’t just click your heels to have an effective program in place.
That’s because many cybersecurity pros probably understand business objectives and outcomes about as well as the typical CEO or board member grasps cyber wizardry: the baseline is a loose understanding, at best. What leaders first must do is state the value of what to protect to IT pros, and only then task them with how to best do that. The IT team may be masters of processes, but you best know priorities.
And business leaders need to do that risk framing for the rest of the organization in a most literal way: by formally documenting what is most important to leadership, what is second most important, and so on. Articulate that so if you have a dollar to spend on something, they know what to spend it on because it’s clear to IT what the objective is.
What Is Your Treasure? You Need to Know
For every business what is of most value is different. For example:
- For financial institutions, it can be customer access, the integrity of data, and making sure your grandparents’ life savings aren’t wiped out by a digital bad actor moving around decimal points in their bank account;
- A healthcare entity may be most concerned about protecting operating technologies and medical records and such, to ensure patients and providers are safe literally and digitally;
- Defense contractors are always on the lookout for foreign adversaries stealing intellectual property that protects us all from bad actors looking to do harm.
Likewise, if you state value, when your organization is conducting analyses of alternatives and your team is making recommendations back to you, you can ask the right questions and ultimately make informed decisions that get demonstrable results. Again, it’s not about whether you know tech; it’s about knowing value and what you’re trying to protect.
Related Reading: Cybersecurity Risks are Business Risks
Delegate the Task, Not the Intent
Without that command of what is worth securing, leaders leave themselves totally at the mercy of a cybersecurity workforce that can be totally transactional, fail to fully implement technologies, and fall well short of effectively integrating the newest and coolest tech to what is already in place.
That’s because too much of the cybersecurity industry is myopically focused on just a single domain: only identity protection, of just perimeter security, for example. As a result, often scores of tech companies are involved in a single organization’s cybersecurity program. That leaves you with an island of misfit security technologies, most of which are not properly configured, parsed, and tuned to generate the alerts.
Explore Our Cyber Risk Advisory Services
Compliance Isn’t Enough
Simply ensuring you meet compliance standards is also insufficient in actually protecting your treasure. Most regulations are trailing adversary actions by years. By the time a compliance standard has been proposed, debated, and actually required, often it is two years out of date from a risk perspective.
And a purely bureaucratic mindset can get you to be more concerned about whether or not something is stamped as classified information, rather than whether the information at risk of exposure gives an advantage to adversaries. Yes, compliance is important. But don’t accept it as an end state. Once you have compliance, you must keep evaluating your program based on threat scenarios, and not your compliance checklist.
Too often, an organization’s primary focus is passing compliance audits, instead of thinking about whether or not your security program actually works against the things you should be concerned about.
Look For Problem-Solvers, Not Just Tech Wizards
Additionally, when hiring someone to lead cybersecurity programs, it’s critical that CEOs understand the thought processes of their candidates and ensure that their tech leaders have a strong foundational understanding of risk, and not just IT. Otherwise, you risk having a tech team that comes to you and says, “Hey, you need to buy all this stuff and spend a lot of money,” leaving you at risk of having little impact to show for it.
The goal for leadership is to bring together like-minded problem-solvers and then give them the resources to succeed, and the first resource is understanding what is of value and in need of protection. Getting beyond compliance and thinking about effectiveness may mean you’ll never have a critical security breach in the first place, and that may be a competitive advantage to your organization.