As leaders, our calendars are loaded with priorities, but we must find the time to prioritize cybersecurity — convincing our boards of directors and executives that robust, comprehensive cybersecurity is a business enabler — or face serious, business-threatening consequences.
The question is, with limited time, how can you advance this agenda? Here are some ideas.
Track the Work
Zero in on the cybersecurity work being done, and make sure it is the right work. Projects fall behind, software ages, and people go on autopilot. (Not solely a cybersecurity thing, but I do see it happen often in our field.) This can mean money flying out the window.
Make revisiting ongoing work a priority. It is inevitable that some projects will start to lag. They may have lost momentum or been pushed aside due to other activities. Sometimes your team needs to know that you’re still interested to reinvigorate them to hit the gas pedal and push through.
Other times, it may be time to let the sun set on a project that just isn’t moving. The decision to stop work on an in-progress project can be difficult and shouldn’t be made haphazardly. It can affect staff morale, as well as set other dependencies behind schedule. But after some thought, you may discover that a project that looked like the right direction to go six months ago is just not working out, and you need to end it. You can save large swaths of time and money by making the necessary but tough decision to move on from something you and your team once believed in.
Incident Response Plans
There’s so much planning involved in breach response, we wrote an entire series on it. That said, there are a few simple things that you can prioritize to make sure your security teams are in the right place in the event of an incident.
One is to take a few minutes to have your security team review your organization’s incident response plan with you. This will give them a little encouragement to look at what they have and make sure everything is up to date. Plus, it will provide the opportunity for you to talk through it with them to make sure their planning considers important business outcomes viewed through the proper security lens. The team will value your interest in their work and you will also help to button up your plans for what is sure to be a very stressful day in your career.
Training Teams Outside of Security
Your information technology (IT) security team should be in a constant state of learning. That is typically some mix of reading (like Acceleration Economy), hands-on training, and lectures. But what about the leadership team? Will your business owners know who to contact in the CFO’s office? Is there anyone in the marketing department with crisis communications experience?
You can answer these and many more questions with a tabletop exercise. This type of training needn’t take all day: You can typically go through a scenario in about 30-60 minutes. Gathering your technical, communications, policy, and financial teams not only allows them to work the kinks out of the process, it also allows them to get to know each other. And the cherry on top is that spending this time will certainly communicate to the rest of your organization that cybersecurity is front of mind while also showing where you may have room for improvement.
Establishing a higher-level focus on cybersecurity, and enlisting partners across business functions to support this focus, will bolster the position of cybersecurity as a business enabler. We are not trying to make everyone in your organization a cybersecurity practitioner (just as when we talk about budget, we are not trying to make everyone an accountant). However, we do need to make sure that our people understand that cybersecurity is a priority that adds tangible value to our business. What other ways do you think business leaders can communicate that cybersecurity is a priority?