Cybersecurity is getting a lot more attention these days, even if it is not all the attention it deserves.  (Did you know that breaches are still increasing faster than spending on cybersecurity?  Some of the best data in this space comes from the federal government – here’s a good synopsis:  Federal Cybersecurity Breaches Mount Despite Increased Spending.)

Because of this increased focus, I find myself spending a lot more time these days working with business leaders on companies’ cybersecurity programs.  As I study the ways businesses are addressing cybersecurity, the essential components of a meaningful program have really crystallized for me.  It seems timely to share some of what I have observed.

I have identified several common characteristics among mature cybersecurity organizations, and those characteristics are also notably absent in less mature groups.  I plan to spend a few posts looking at what seems to be working in Cybersecurity.

Cybersecurity must be Strategic

We all know those IT Professionals who spend their days immersed in technology and rarely come up for air. They are the people we want on the job when detailed understanding of complex systems is needed.  But we also know how hard it can be for those technologists to communicate the business value of the initiatives they work on and we certainly cannot put these folks in the boardroom to help leadership understand why investment in cybersecurity is the right thing for our businesses to do.

In larger and more mature companies, this problem is solved by having a Chief Information Security Officer (CISO).  A good CISO is a senior leader who has a clear understanding of a company’s business and how to view technology risks through a business leader’s lens, but also understands how to effectively secure technology so they can hold their team accountable for managing those technology risks.

As an organization’s cybersecurity strategist, the CISO is responsible for identifying the risks and prioritizing the mitigation efforts, as well as winning sponsorship from the business for making resources available for keeping the business safe.  It can sometimes be difficult for CISOs to garner the needed sponsorship among company leaders.  When this is the case, an ineffective CISO usually translates to an ineffective Cybersecurity Program.

It is also noteworthy that most organizations elevate a cybersecurity leader to be a peer to the CIO, reporting to the CEO.  This is a good indication that senior management understands the importance of security and is committed to protection from breaches.  This especially seems to help in avoiding budgetary conflicts of interest that sometimes lead to corner-cutting on cybersecurity.  It also brings about the opportunity for consensus through conflict when IT and IS (information security) are forced to find common ground, which almost always seems to strengthen an organization’s security posture.

My Company is too small for a CISO

I work with companies of just about every size.  Leaders in small and mid-size businesses wear a lot of hats to make their businesses work.  However, being effective as a CISO requires specialized training and experience that would be difficult or impossible to master with only part-time attention to the craft.  So what should SMBs do?  Outsource, of course.

There are generally two types of Cybersecurity experts for hire: consultants and managed security providers.  They both have their places – I see companies forge successful partnerships with consultants when they have projects with a tightly defined scope.  On the other hand, for shaping an effective Cybersecurity program and continuously assessing it and aligning it with business priorities, companies often sign contracts for recurring effort from a managed security provider.

Building a Cybersecurity program with the part-time help of full-time experts is a great way to put an appropriate emphasis on managing risk without hiring, retaining and training a very costly employee.  Contact me if I can help you select a partner or partners for building a cybersecurity strategy at your company.

My conclusion is that in order to be successful managing technology risk, a company must see cybersecurity as a strategic part of doing business.  Is cybersecurity strategic for your business?  If not, why not?