In a recent article, I talked about how the C-Suite can get past not being technical and take an offensive mindset to cyber security. The big message there was to get involved. Part of the responsibility of an organization's IT leadership and consultants is to provide logical explanations of the threats and vulnerabilities that exist and how they can impact the confidentiality, integrity, and availability of an organization's operations, and the C-Suite should want to hear about it. It's also important to understand the level of effort it takes from your team to mitigate and remediate threats and vulnerabilities, so that you can begin to evaluate whether you need to make a decision such as realigning staff or finding a third-party partner.
While I’ve heard many “I’m just not technical” comments, I’ve also been in one hour scheduled meetings that ran into two hours because the CEO wanted to understand the results of a penetration test and asked questions that we spent time talking through along with the CIO and IT leadership. It was healthy, valuable conversation, and resulted in an actionable plan that quickly improved the cyber security posture of the organization.
As more and more organizations start to take this approach, I'd like to offer a few points to think about that I've seen stifle the process when they are not considered.
Pride of Ownership
This can be a touchy subject. The average IT department staff not only invest a lot of time and effort into the systems and platforms they manage, but they also take pride in their work. In some cases, so much so that it's not uncommon to hear a network administrator or engineer refer to their company's infrastructure as "my server" or "my firewall". So, when these systems suddenly come under review internally, or when a third party is brought in to test systems unannounced with very little discussion around the "why", a certain level of fear and frustration can naturally begin to impede the success of the overall project.
Start with Why
When there is open communication around the "why" and the goals of such a project, the reaction can shift from "my job is in jeopardy" to "we're getting some reinforcements to help mature our posture". This change in mindset can be a huge asset to your organization. Therefore, the C-Suite should focus on communicating the "why" in order to strengthen the value of their cyber security strategy.
An exception would be an organization whose cyber program has matured to the point where an unannounced approach is needed to test the team's response to malicious operations being carried out against the organization. Organizations that participate in these exercises regularly grow accustomed to this type of testing and, in most cases, welcome the improved cyber security posture and learning opportunities that testing and partnerships provide.
This type of healthy environment is driven by the C-Suite, as they have the ability to set the tone for how issues such as pride of ownership are addressed with IT staff. Allowing your organization to see the bigger picture can help produce not only a more engaged team but also a stronger, more resilient cyber security posture for your organization.