As this is our first blog entry, we wanted to write about a topic that aligns with our overarching approach to helping companies at every stage in their Information and Cyber Security journey. What better place to start than taking a view from the top?
Business leaders have a vital role to play in impacting the organisation’s security programme. We’ve outlined below some practical pointers that can help drive a good Information and Cyber Security culture across your company or organisation.
- Create an effective route to the top
This doesn’t necessarily mean that the CISO (Chief Information Security Officer) has to sit on the board, nor does it mean that the CEO needs to have a second career as an information security consultant; but Information and Cyber Security should be strongly represented as part of ongoing corporate strategy and governance.
If you’re leading a small business, you might look at having a dotted line straight to the CEO who meets with the security leader regularly, perhaps monthly. This leader can be either internal or external and should drive the agenda for these meetings; all you need to do is listen.
If there’s already an obvious reporting line, ensure that all staff in that line are appropriately trained in information security (and risk) management.
- Remove conflicts of interest
Information security is everyone’s responsibility, but so often, it’s laid at the IT team’s door. Even if you focus solely on cyber security (the technical subsection of information security), it’s still unfair to put this on IT, as they will always be subject to a conflict of interest where “getting things working” often trumps “making things secure”.
You can help by taking away this conflict. Help them build a relationship with a capable and supportive security professional whose role is to properly communicate and orchestrate the management of Information and Cyber Security risk within your business.
Along with this separation of roles and responsibilities, help your security leader create and – more importantly – ring-fence an Information and Cyber Security budget. This will have a huge impact on their ability to be proactive in supporting your business and its goals.
- Be supportive
Those responsible for security within your organisation should be communicating regularly within your business; namely with end-users, IT managers, and owners of information assets and systems. Some of these communications will be challenging.
It’s at these times that your security leader or team needs the right level of engagement from you. In many businesses, we’ve seen exactly the opposite happen. As soon as conflict arises, senior management bows to the pressures of the business and completely undermines what the security leader is trying to achieve. Try to avoid this. It doesn’t necessarily mean an “at all costs” endorsement every time a challenging situation arises, but if your business knows that the security team “has your ear” as a business leader, then over time this will help to oil the wheels of the Information and Cyber Security wagon.
This should be a win-win for you, as any good information security leader will have aligned their work with the organisation’s goals, and as a major stakeholder, will have consulted you in doing so. All you need to do is reinforce that position.
- Welcome challenges
Whether you’re CEO or part of the reporting line responsible for Information and Cyber Security, always welcome bad news. All too often, we see situations where someone genuinely believes it is more appropriate to mask a situation than to escalate it or discuss it openly.
Being a supportive leader for your security team is an absolute must. It’s the only way to drive the right security culture and the only way to get the right results in a discipline where poor leadership can cripple your business.
Leadership plays a critical part in the management of Information and Cyber Security risk, and every leader in the business needs to play their part. If you’ve found this article helpful or if there’s anything you would like to discuss, then please get in touch via direct message or our website at www.cyberlens.com/contact.