As part of our “C-Suite Accountability” theme, we explore why holding senior executives accountable is a necessary motivator in the prioritization, development, and adoption of cybersecurity initiatives across the small to medium-sized organization. In this post, we cover the importance of establishing visibility into the problem, and into your progress in addressing it, through regular discussion; and what does, and does not, belong in that conversation.
If your small to medium-sized enterprise is anything like ours, your c-suite meets regularly to discuss challenges across the organization and to gain visibility into what is happening in the various business units as they progress towards their goals. One of the (often neglected) cybersecurity priorities for the SME is c-suite accountability. It is going to happen 'one way or the other': we are already seeing executives resign over data breaches, mismanaged compliance undertakings, and the consequences that follow from them. There can be no accountability without visibility! In this article, we make the case that the c-suite should spend its valuable time receiving updates on cybersecurity matters as often as (or more often than) every other departmental update. Visibility into the problem (KPIs), the steps your organization is taking to rectify it, and the implications for compliance, business continuity, disaster recovery, and risk management should all be part of this discussion. 'Technobabble,' speeds and feeds, and the particular features of specific technologies should not.
Why should you talk about this?
You need access to information about your cybersecurity posture so that you can implement policies to improve it and make good decisions about how to do so. You’ll need visibility into the initiatives you’re undertaking (like subscribing to ActZero’s MDR service 😉), the progress being made, and the challenges still to overcome. Mitigating the risk of a cyberattack is just as important as the other departmental initiatives you discuss, yet it rarely gets the same time on the agenda.
It’s not just ActZero, with our ‘vested interest,’ that cares about the outcome of this discussion. An increasing number of stakeholders (your partners, your board, your customers, your employees, and your auditors) have questions, and you need to be able to speak intelligently about what you’re doing about cybersecurity.
What should you talk about specifically?
There are a few distinct topics of discussion that are relevant to the protection of your organization. Which of these you begin with depends on your present state of security and on the gaps in your own people, processes, and technology. Our CTO Adam Mansour covers specific questions you can ask of the individuals responsible for security within your organization here. Of course, you should not allow a knowledge gap (regarding specific cybersecurity technologies and threats) to prevent this conversation from happening. Treat it like any other risk mitigation conversation: understand what the single points of failure are, the ways to mitigate the risks to your organization, the cost if (when) you do fall victim to an attack, and how you will respond (and recover) in such an event.
The first conversation will look different from the ones that follow. Establishing a shared baseline of what you will be talking about is a good place to start. For example:
- There are risks: to our operations, business continuity, sensitive data, and intellectual property.
- These risks can be mitigated: by remediating vulnerabilities, deploying preventive technology, and actively hunting for threats.
- We will evaluate success: by reviewing KPIs (which your organization may not yet have defined) and tracking progress against your security roadmap.
Who drives this conversation if you don’t have a CISO?
It can be your CFO, COO, or your CIO, but make sure that somebody with a solid understanding of risk management is participating in the update. The IT perspective is valuable (and necessary if they are the ones implementing your cybersecurity program, or augmenting your existing technology), but the information must be presented in a way that other senior leaders can understand. How many alerts your SIEM is spitting out, the reasons your IPS doesn’t integrate with your firewall, or any other such 'technobabble' does not belong at that table. What does belong is the risk those systems are meant to reduce, and whether it is going up or down.
Another thing to consider is that the absence of a CISO at the table may not be sustainable for much longer, especially if you are operating in a geography where new privacy and cybersecurity laws have been enacted. For example, New York’s 23 NYCRR 500 requires that companies regulated by the Department of Financial Services designate a CISO (whether or not that’s their actual title, and the role may be filled by an affiliate or a third-party service provider). Similarly, GDPR requires many organizations (for example, those whose core activities involve large-scale monitoring of individuals, or large-scale processing of special categories of personal data) to appoint a Data Protection Officer. While there aren’t yet stipulations about this person’s credentials, they must possess expert knowledge of data protection law and practices. Sounds like a job for one of our Virtual CISOs!
Unfortunately, many SMEs do not have the in-house expertise to gauge their current security posture, let alone prescribe the steps needed to elevate it over time. C-suite executives might consider reaching out to their trusted business partners and vendors to discuss current trends and to get help gauging what the priorities ought to be for their organization.
We hope that this post provides you with what you need to make the case for including cybersecurity in leadership discussions, and offers you a place to start and the people to involve. If you find that you need more fodder for discussion, or KPIs to review, consider subscribing to ActZero’s Managed Detection and Response service. Beyond actively protecting your network, we provide you with a monthly report showing the attacks we detected and responded to, the changes to your security hygiene so you can see improvement over time, and much more.