As business leaders, it’s easy to think about cybersecurity (and all of IT risk management, for that matter) as something that the “IT people” should just handle for you. If you’re part of a large organization, maybe you have a CISO that you’ve designated as “ultimately accountable” for information security in your company. If you have a smaller business or organization, it’s possible that you think that your IT manager (or maybe even your provider) is supposed to take care of it all.
Large enterprise or small company, the thought process is the same, and it’s incorrect in both cases.
It’s important to recognize that regardless of what role IT plays in your business, it is still part of your business. And as such, you should manage the risks associated with it the same way you manage other business risks. Just because the language associated with cybersecurity and IT risk management can quickly become technical doesn’t excuse you from understanding it enough to be sure it’s being managed appropriately. In fact, you should hold your CISO or IT manager accountable for explaining things in a way to which you can relate.
If you wouldn’t trust that person to write a (fill in the blank with your personal number here) dollar check for your company without authorization, why would you trust them to accept that same amount of risk without some oversight and validation?
So, with that in mind, below are three things that business leaders should consider:
What data or systems truly matter to your business?
McGeorge Bundy, former US National Security Advisor to presidents Kennedy and Johnson, said that “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” You probably can’t afford to protect every piece of data in your organization, and even if you could, you shouldn’t. Some information can be freely disclosed with no adverse impact, and you can probably tolerate extensive downtime in some systems without crippling your business. On the other hand, there is probably some information that absolutely should not be disclosed or modified inappropriately, as well as some systems that you really don’t want to be unavailable. And, there will be a bunch of stuff in the middle of those two extremes.
You and your CISO (or IT manager) need to get on the same page about what things in your business are diamonds and what are toothbrushes, and what level of resources you should invest in protecting each. This is not a technical discussion; it’s a business one.
What is your risk appetite?
It’s not reasonable to hire a CISO and say “it’s your job to make sure we don’t get hacked.” That’s like telling your HR person that it’s their job to make sure none of your employees ever do anything inappropriate, or your CFO that they are solely accountable for keeping you from losing money. Determining what risks to accept and what level of investment to make in mitigating risks is a business decision that you can’t just hand over to your CISO. A much more appropriate approach would be to set the expectation that the CISO educate you on the applicable risks in a manner that sets the correct business context so that you can together determine your organization’s risk appetite.
How can you equip your entire organization to manage IT risk appropriately?
Many organizations trust their employees with a lot of power to make decisions. That makes good sense – pushing decisions down to an appropriate level is often the most effective and efficient approach. However, that is only true if those individuals trusted with decisions are educated to make those decisions in a manner consistent with your business objectives and constraints. And, as we’ve established, those business considerations should include your approach to IT risk management. All employees need to understand what information is important to your business, how much risk they can accept on your organization’s behalf, and under what conditions such decisions must be escalated.
Very few employees want to consciously put your organization at risk, and that small subset is the topic of another discussion. Make sure you equip the ones who want to do the right things with the necessary knowledge and context.
These three simple steps, if taken seriously, are virtually guaranteed to improve your security posture. Just as importantly, they will establish the business framework within which you and your CISO or IT manager can have productive discussions about appropriately mitigating IT risk.