Cybersecurity is first and foremost a business challenge. Many companies began recognizing this as digital transformation initiatives accelerated last year due to the pandemic, expanding the attack surface and associated cyber risks. For businesses uncertain about how to create a security-first mindset across the organization, here are five key considerations.
Align security with business objectives and outcomes.
As C-suite stakeholders develop, change, and implement their overall business objectives, it’s important for CISOs and security leaders to engage in that conversation from the start. Having immediate line-of-sight into the business objectives helps security leaders develop a customized, scalable, and highly secure system to help reach desired business outcomes.
Over time, we will see more CFOs blending their roles to become more integrated with CISOs, helping the company connect security investments and risks to the bottom line. Start the conversation by identifying the business benefits of security. For example, better security means the company doesn’t have to shut down operations because of a breach, which leads to less downtime and greater productivity.
Together, the entire C-suite should determine which cybersecurity measures best serve the company’s existing and future business outcomes, along with financial interests.
Forget short-term ROI metrics.
Business leaders looking to tie security to business outcomes need to think less about short-term ROI and start thinking about security as a long-term investment. It’s tough to justify results if security gets bundled into a short-term ROI metric. That’s why for years security was sold as an insurance policy – it was something business executives could understand. Of course, when that happened security programs went nowhere because too often business executives didn’t understand the risks – or they were willing to take their chances.
Today, they have no choice. The threats – and the negative impact to the business in the form of downtime, lost revenue, and damaged IT equipment – are well documented. As we look at what sets a strong security posture vs. a less mature one, it starts with executives reaching agreement and understanding the long-term benefits of a robust security program. The odds of success increase immeasurably if a company can nurture the long-term support of a security-first mindset.
While many companies are applying financial constraints because of COVID, cutting security investments to achieve a short-term ROI can lead to a disastrous short-term outcome with potentially no long-term options.
Set the tone at the top.
CEOs need to take a leadership role with security. Security programs work best when CEOs position security as a critical element that makes the company stronger, safer, and more strategic. Strong security makes it possible for business leaders to focus on what’s most important – innovation, market growth, and profitability.
Too often CISOs and security leaders develop security programs for the business that are shared once a year with employees. Unfortunately, they are not revisited or communicated often enough for them to resonate and have the desired business impact.
Outdated misconceptions and practices still linger, as security teams are left as the sole communicators and the only team responsible for company security practices. There’s a communication and education gap that needs filling as companies adopt the security-first mindset.
How do companies fill that gap? Make security a routine topic of business discussion in staff meetings, employee training, end-of-year evaluations, business strategy sessions, budget planning meetings, and mergers and acquisition evaluations. Security belongs to everyone.
The security-first mindset brings security front and center to the business – in turn establishing the need for more discussion on the agenda.
Continuously assess risk.
For any business to adapt and change, it’s critical to continuously assess risk. An organization cannot know how it will handle a business disruption from some unforeseen event unless it first understands the risks it faces.
As organizations go through digital transformation, they must determine their appetite for risk and the rate of change they can absorb. Part of the planning process needs to include ongoing risk assessment at the strategic, tactical, and operational levels. Companies should determine the risks to any plan and, in the event of a disruption, have a strategy nimble enough to avoid any identified risks.
Any strong cybersecurity practice works in tandem with line-of-business managers to continuously identify risk and its impact on the business.
Create a shared responsibility model for employees.
It’s more important than ever for businesses to educate employees in their shared responsibility for security. After all, the human element represents most of the risk in any organization.
As part of this education, employees need to understand that security enables the business and the work that they do. For example, better authentication methods make it easier for employees to access applications and do their jobs. If employees are connected to their work, they will connect to the need for better security.
Without diving into the technical components of security, executives can share and model the security-first mindset in a more personalized way that connects with their employees. For example, when sharing the impact of compromised credentials and ransomware, execs can communicate that these cyber threats don’t just happen in the workplace, but take place on personal devices as well.
Security belongs to every employee in the company, from the C-suite down to interns – every employee owns a piece of the exposed attack surface. However, security programs work best when everyone understands that security makes the business stronger and their jobs easier.
Watch this video to learn how AT&T Cybersecurity can help make it safer for your business to innovate.