Trust but Verify – The Journey to Optimal Cybersecurity

How Business Leaders Can Take Back Control of IT and Cybersecurity

Executive leaders need to TRUST BUT VERIFY when it comes to managing cybersecurity efforts.

CEOs should evaluate the current situation, define business objectives, and require a plan of action. But how?

Taking control of IT and cybersecurity is about mitigating business risk.

To effectively minimize your business cybersecurity risk, you need:

  • Executive control of business risk and cybersecurity
  • An IT Maturity Model to uncover the effectiveness of your security and IT management processes
  • A definitive target for your security benchmark
  • A trusted but verified outsourced entity to independently assess your business
  • In short, technology decisions need to come from the C-suite

So, how do you get there? Read on, intrepid leader.

Overcome the “Tail Wagging the Dog Syndrome”

Generally speaking, CEOs take an active role in how their companies manage their operational departments:

  • Financial
  • Operations
  • Business Development
  • Marketing
  • Human Resources

Except for one: Information Technology.

There are many reasons why this is the case. Essentially, it all boils down to communication:

  • The Great Language Divide – CEO speak vs. IT speak.
  • The Technology Alphabet Soup – IT often talks in technical jargon.
  • Avoid at All Cost – Business leaders tend to avoid technical conversations.
  • One Person Can’t Know Everything – Lack of knowledge about effective management of IT operations.
  • How to Measure Success – Little or no metrics for evaluating effectiveness.

This results in the IT tail making siloed technology decisions, which leads down only one path: no visibility from leadership.

Leadership’s Role in IT Strategy

Aligning IT/Cybersecurity through meaningful discussions can be easier than you think. An organization’s acceptable level of business risk should come down from the top. Too often, CEOs and business owners leave critical cybersecurity decisions to the IT technical staff. Rarely is there a business discussion at a high level to deal with current business risks due to cybercrime.

The conversation about cybersecurity should not devolve into a technical conversation. Instead, the discussion should be like other business functions such as accounting, sales, and marketing. For example, debits and credits would never be discussed in an annual budget meeting. The discussion should be on the strategic direction of the company.

IT security should have high-level strategic business goals dictated from the top. These should be implemented tactically by the company specialists.

Asking the right questions will elevate these planning meetings to a strategic business level.

3 Questions to Assess the Current Situation

1. If we’re attacked, how long would we be down?

  • Identify different aspects of your network such as email, file folders, website, etc. as the downtime for each may be different.
  • Would we have to roll back and reenter any of the information?
  • What are the steps to be taken once we know that we have been breached?

2. Are our systems and software up to date and equipped to protect us?

  • Are there better products available today than the ones we have in place?
  • Are our applications updated for bugs and vulnerabilities?
  • Do we have any network equipment that is no longer under warranty?

3. Do we have a documented plan of action in case something happens?

  • If we have a plan of action, is it documented and immediately available?
  • Would we require outside resources to help get us back up and running?
  • What should the executive team expect to do during the downtime?

3 Business Objectives

1. Define the acceptable downtime in case of a cyber breach.

  • Set priorities for the different systems.
  • Identify any manual or other workarounds during the downtime recovery process.
  • Understand the financial implications of downtime.

2. Prioritize the criticality of your business information.

  • Be sure that the order of the system recoveries is prioritized.
  • Identify what information needs the highest level of protection.
  • Is any critical data temporarily exposed during the recovery process?

3. Define acceptable liability to employees, vendors, and customers.

  • Understand what the impact of a breach might be on your supply chain.
  • Is any private personal information vulnerable to theft?
  • Do we have a clear plan for communicating the breach?

3 Next Steps

1. Vulnerability Assessment – Identify gaps and an improvement plan.

  • Should this be conducted by an independent unbiased third party?
  • Do we have the time, expertise, and resources to do this?
  • What documentation will come out of this assessment?

2. Security Incident Plan – Document policies and procedures in the event of an incident.

  • Are there industry guidelines and procedures that we can follow?
  • What people besides the IT department need to have roles in the plan?
  • How is this plan updated and tested?

3. Roadmap for Improvement – Develop milestones and quarterly goals.

  • Ask for realistic timelines for implementation of the recommendations.
  • Have a regular cadence of meetings for accountability and roadblocks.
  • Dovetail the plan with a budget.

Step 1 to taking back control is a Vulnerability Assessment performed by a trusted outside IT Provider.

Talk to a technology expert when you’re ready, and take a look at some of the things we typically uncover when we conduct a Vulnerability Assessment.

Published On: December 22, 2022
Categories: Cybersecurity, Managed IT Services, Strategy