Remember Curly from City Slickers? He’s the character played by Jack Palance who said the meaning of life is “One Thing”. And when it comes to an effective cybersecurity program, that One Thing is You.
Often, when we think about cybersecurity and business, the assumption is that it should fall under the domain of IT. With the ever-increasing and complicated role technology and data play in business, it might seem to make sense to just leave it to those within the organization who were hired to handle technological systems. The problem, however, is that in many cases data breaches occur, and the magnitude of the breach is greatly increased, because of a disconnect between IT and business leadership. The massive Equifax breach, for example, occurred in large part because of a governance structure that stifled communication between security and IT.
Here are a few steps any business should take to create a governance structure that properly emphasizes cybersecurity.
Identify and Communicate Security Expectations
All members of the senior-level leadership team should work to identify the organization’s expectations for securing company information and assets in a way that aligns with overall business goals and objectives. Leadership teams should also create a well-defined framework for compliance with these security expectations across all aspects of the business. Ensuring everyone within the company, from the board level down, is working to protect the organization’s data is key, and must be well-communicated throughout all levels of the company.
Inspect What You Expect
Develop, and review on an ongoing basis, key metrics around cybersecurity, such as engagement with cyber-awareness programs, results of phish simulation campaigns, key alerts reviewed by your security team, and plans of action and milestones resulting from previous vulnerability scans or audits. Make this part of your quarterly executive meeting agenda.
Adapt and Respond
Make sure you have someone reviewing the threat and regulatory landscape to determine what changes need to be made in your systems, controls or operating procedures to ensure you are maximizing your cybersecurity efforts.
Demonstrate and Communicate
It bears repeating. Governance requires Leadership and Leadership requires Communication as well as Walking the Walk. Bring up cybersecurity in your Town Hall meetings, position it in the context of how it helps build reputation and brand value and the respect of your customers. Make it part of your business strategy, not simply compliance.
As with customer satisfaction, operational excellence in cybersecurity is only as good as the visible commitment leadership brings to it. Protecting your business always starts at the top. Creating, maintaining, and regularly reviewing your governance structure is essential to keeping your information, communications, and assets safe.
And that’s good business.