Today, information security risk is a top risk in most organizations; no industry seems exempt. If there is a business process, product, or capability that drives revenue, one that the public relies on, and the mismanagement of which can impact an organization's reputation – it is a target. It is at risk. Long gone are the days when we, as information security experts, had to persuade our business partners that cybersecurity risk is real. While most organizations understand the ever-evolving cybersecurity risk that exists today, the basic cybersecurity hygiene needed for an information security program still seems a struggle for many of them.
Why is that? Maybe it is due to competing priorities, or the thought that it will never happen to our organization. For those of us with a passion for this profession, it seems to be a never-ending battle with the malicious cyber actor, and we need all hands on deck for this fight. The reality is that it is not if but when your organization will experience a cybersecurity breach, but steps can be taken to build a better information security program that minimizes the impact.
Three components make up a sound information security program: effective technology, well-defined processes, and talented people. While technology clearly takes a significant role in assuring company assets are properly protected, the process and people play at least an equal, if not greater, role regardless of the information security domain.
The importance of ensuring processes are documented cannot be overstated. Good processes are documented processes. Otherwise, they are just ideas – things in people's heads, not written down, that are rarely appreciated in a crisis. Documentation is not typically a technologist's strong suit. It is a lot more fun to configure a firewall or build a server than it is to document how to support one. Some subject matter experts believe documentation makes them less valuable, believing that writing down their approach takes the magic out of their capabilities – taking the art out of the "art and science" of how they work. Address talent with this mindset and provide assurance that documenting their tribal knowledge will strengthen the program and free up time to develop new skills. Documentation allows for consistency in how processes are executed and provides organizational resiliency. It is a must for continuity. The pandemic shined a light directly on the risk of poor (or no) documentation when staff availability risk was realized. Many companies experienced service slowdowns or missed service level agreements because staff who contracted COVID-19 were unable to work and were single points of failure for processes that had never been documented. If talent is not strong in written communication, hire a technical writer to help and consider focusing on that skill set with the next hire.
What good is a fully documented process if talent is unavailable to support, maintain, and mature it? Engaged information security experts who maintain and grow the program are critical. How do we keep our talent engaged? Empower them to build, innovate, and lead. Let them make mistakes and help them fail forward. Assume positive intent. Show appreciation when a job is well done and, most importantly, listen to their thoughts and ideas. Research has shown that people don't leave companies; they leave bosses. Ensuring that managers are skilled, emotionally intelligent leaders is worth its weight in gold.
The increased acceptance of work from home has only made the cybersecurity talent pool even more competitive. Hire managers who want to lead and develop people. Too often we promote technical experts into people management in order to reward their work and provide career progression. This can be a devastating mistake if they lack the necessary people skills and passion to develop others.
There is one more people component that may be the most significant to a strong program: your employees.
Capturing the attention of employees across the organization about how to protect company assets may be the single most important goal of a successful information security program. So how does one go about achieving such a challenging act? Information security leaders need to take the time to build strong relationships with the business they support so that trust is built over time. The many impactful breaches have helped demonstrate the business value of information security. However, in many organizations there is still an inherent lack of trust and/or fear of hearing "no," which often results in information security being left out of discussions. Information security needs a seat at the table, early on, before key decisions that could impact the security posture are made. In addition, education and awareness programs should be driving towards making information security personal. Effective programs highlight the personal benefits of good information security (no stolen identity, no hacked computers, a safer experience for our aging parents and young children alike) and give a positive lens through which the business can view its information security leaders.
No organization wants to be the next victim of a cybersecurity breach, but building a program that focuses on technology, process, and people will give you the layered approach needed to better mitigate the risk. Be diligent about choosing technology; it is a big, complex market, so build peer networks to garner trusted insight. Be fervid about documenting processes; this work is not fun but pays tremendous continuity dividends. Be intentional in hiring; home in on soft skills, as technical skills are table stakes.