Key Considerations on Your Cyber Security Journey
By Ian Harragan, Director at i-confidential
In a previous article, I talked about the importance of taking the C-suite and board along with you on any cyber security improvement journey. Here, I will look more closely at what’s involved.
Sometimes, senior leadership groups are presented with information about a spot security issue and the potential actions to address it. This could be on the back of an event, such as hearing about another organisation being hit with a ransomware attack. If security is managed this way on an ongoing basis, the organisation’s improvement activity becomes very reactive and disjointed. It will, however, make clear the need for a fully considered strategic security roadmap.
A good place to start if you don’t have a roadmap in place is an assessment of your current security position. Ensure it covers your whole business so you have a solid foundation to work from. The other key component is to understand how good you want to be.
Forming a clearly articulated view of this can be tough. The term ‘risk appetite’ is regularly used. It is sometimes stated simply as ‘we don’t want any incidents here’ or ‘we don’t want any breaches’. Whilst this is fine as an aspiration, it misses the point that achieving a desired state often requires significant investment, possibly beyond your financial means.
From a delivery perspective, the benefit of a clear security roadmap is that the senior leadership will be aligned to the intended direction of travel and the commitments required along the way. Of course, it is feasible that changes or re-prioritisation may be needed in light of future events. Having the roadmap in place, though, provides the substance for effective planning. This will inform budgets, resources, and doability when considered in the context of other business goals.
The benefit for the senior leadership group, and indeed the C-suite, is that security will be viewed in line with other disciplines on a business case basis. Additionally, this approach will require you to explain and justify the roadmap’s constituent parts, and bring them all together again as a cohesive plan. By creating this more holistic view, there is an opportunity to better educate senior leaders about security and the interlinked importance of various activities.
Once the leadership is on board with the cyber security journey, communicating it to the wider organisation becomes an important task. There is a real danger that the messaging can go wrong. For example, using negative and fear-based language can be off-putting and threatening. Technical jargon delivered to non-technical audiences inhibits understanding and can lead to some people feeling the messages don’t apply to them. The best approach is to be positive and action-oriented. Explain in clear terms why a policy or process is important and enable people to fully engage with it.
Going on this journey isn’t without its challenges, but the rewards are there if you are thorough, determined, and focused on your security goals. If you haven’t done so recently, it is worth considering the stage you are at and what needs to happen next.