Cyber security practitioners seem to share a common approach
to compel executives to properly resource a security program:
“Well… security, that’s why.”
I see some version of that justification used frequently. A
fair question is: how is that working? Does the security program have the resources
it needs, or at least intentional support from execs for a plan to get there? From
conversations that I have with peers leading cyber teams at other
organizations, not really.
The frequent reaction to that resource gap tends to be doubling
down on even more detailed technical explanation,
as if a technical rationale they don't understand will change a non-technical exec’s
mind.
I was chatting online with a friend the other day and he
asked, “there are great execs out there, and if they focused a little more on
the technical implications, instead of some industry-process, things might be a
little more safe out there.”
After thinking for a second, I responded along the lines of,
“being a little more safe out there isn't what senior execs or boards care
about. They care about having people that they can talk to about what being a
little more safe means and how to get there.”
Are we most often those people?
If your execs are more often swayed by some article in a C level magazine
than by their conversations with their security leadership, probably not.
What can we do to change that?
What the execs want to hear are those things
about your cyber security program that are, or should be, important to them. Not what is important to you. The
difference is subtle but key to successfully resourcing your program.
“Something important to them” beats “something important to you” every time.
What’s important to them? I can only guess as it varies by
organization. For most commercial
companies though, growing revenues, increasing partnerships, and attracting more
customers would be somewhere on that list.
If so, one example of a resource request might be working
towards certification of your data center. There are lots of good security reasons to do
so. Set those aside for a second. A more compelling rationale might connect that resource
request to an increased ability to attract large partners. Depending on your
partners, the certification might let them meet regulatory third-party vendor security requirements when interacting
with your systems, or simply feel more confident about sharing their data with you. That might be compelling for the execs. See the
difference?
Another example might be increasing security headcount to
deal with operational tickets. This might be better framed as increasing the ability of other
team members to build capabilities. You could then demonstrate what those specific capabilities bring
to the organization in reduced disruption to revenues. And so on.
Occasionally, taking no action might also cost more
than taking it. Any rational exec would clearly understand the compelling nature
of the request if your largest partner was reconsidering business relationships
with vendors (like your company) that aren’t PCI compliant. The cost of losing that business might be far
more than the cost of becoming compliant.
There are
countless gems waiting for you to find them in presentations and strategy discussions. You just need to ask.
So, it’s not about execs needing to be more technical; it’s
about security practitioners framing technical issues as compelling rationales
for execs, in which both sides clearly share some desired outcome. This means
learning about the corporate strategy, your supply chain, the levers that other
execs are measured by (revenue? partnerships? customer count? etc.), and
everything else.
Knowing those things is the path to security success
anyway. It is also the path to more successful conversations that might lead to the
resources that you need.
There’s your homework assignment. Any questions?
Follow me on Twitter for discussion and the latest blog
updates: @Opinionatedsec1. Or, start your own discussion using
#crazygoodcyberteams on twitter or Linkedin and I'll read it.