
Cybersecurity: It’s Not Just for CISOs Anymore (and Never Was) | ActZero

Written by Adam Winston | May 18, 2022 4:00:00 AM

The impact of cyberattacks like ransomware isn’t felt only by the enterprise’s security team, and neither is the job of protecting against them. Eliminating vulnerabilities, and ultimately the breaches that result from them, is a team effort, requiring collaboration between business teams, IT and security teams, and external partners where appropriate.

But like any team effort, you must know where you’re going before you can work towards your goals. This is not always the case with cybersecurity; often the objectives of IT and security teams are at odds with the business’s desire to create an easy and seamless user experience. When something goes wrong and a breach occurs, fingers get pointed and blame gets laid — reactively, of course.

Teams need to work together toward the common goals of protecting the organization and furthering its prevention posture, but how?

For information on Guiding the Collaborative Approach to Cybersecurity, check out our eBook on the topic.

Laying the foundation for collaboration

Every department shares responsibility for security but getting departmental buy-in can still prove challenging. If I’m the head of marketing, why should I care about security?

First: how could you not? At the end of the day, whether it’s the fault of IT, the security team, or an outside technology vendor, the effects of a cyberattack impact every department — including marketing — equally.

It’s irrelevant how quickly or prominently you can wag a finger if programs or campaigns are stalled, and milestones missed, because the company resources are locked up through a ransomware attack. In almost all things, but especially security, it’s better to pick up a bucket and start bailing than argue over who hit the rocks.

When departments are at odds over who is responsible for security, and over their respective accountability, security gets treated as a distraction from business rather than what it is: part of business.

Building a proactive and effective security program requires security to be engineered into processes from the get-go, or at the very least proactively as you move forward. With such a remarkably high risk of losing access to key business assets, or of having sensitive data or intellectual property stolen, organizations must change their mindset around security. It can’t be an afterthought or simply a step in meeting regulatory compliance.

Create accountability and (the right) KPIs

Successful collaborative security efforts require a partnership model, where roles and accountability are clearly defined — both inside and outside the company.

This level of co-ownership of duties is hard for many companies to grasp, because it falls outside normal operations, apart from a few company-wide initiatives (more on those in a minute).

When not everyone has clear accountability for the role they play in continuously safeguarding the company from cyberattacks, gaps open up in the infrastructure that attackers can exploit. As the adage goes: a chain is only as strong as its weakest link.

To promote accountability from administration to sales — and every department in between — organizations must tie security goals into those of each department, using KPIs connected to the protection of the company’s digital assets, each specific to the role that department plays.

Employees then gain a clear sense of their role in the security process and see the results of their efforts. Across all departments, employees should have security-oriented goals and metrics attached to them. Remember, when security is effective and proactive, it saves the time, money and effort otherwise spent on restoring operations.

Learn from successful cross-departmental initiatives

Such a profound shift in company mindset and culture doesn’t come easily, or overnight, but security is probably not the first pursuit at your company to warrant company-wide dedication.

Look for insights from other cross-departmental initiatives, such as corporate social responsibility (CSR) and diversity, equity and inclusion (DE&I), that by their very nature pull together disparate teams.

What were the common obstacles these programs faced? Was there an underlying sense of tunnel vision, in which members strictly focused only on their job duties? Was communication hampered by tiresome meetings? Was there a lack of executive buy-in?

Importantly, look at what worked and use it to drive collaboration around the company’s security activities. What drove engagement? Was there help from outside the company, such as a consultancy or an external HR firm? How did they celebrate and reward success?

Initiatives like CSR and DE&I quite often have one powerful thing going for them that aids significantly in promoting collaboration: a clear sense of meaning that helps rally teams to come together to a common cause. Today, enterprise security is such a common cause.

And it doesn’t take such lofty corporate goals to bring teams together with a singular purpose. If you’ve ever had a significant cash crunch or struggled with cash flow, you’ve seen how departments must come together to achieve a single goal, under the advice and guidance of one team — finance. That’s what needs to happen now, under the guidance of security, to harden your business’s defenses.

Check out our recent eBook Guiding the Collaborative Approach to learn the four core concepts needed to help leaders give meaning to cybersecurity efforts: purpose, autonomy, mastery and, perhaps most importantly, community.