Cybersecurity Needs Your Attention
December. That magical time of year when so many conversations turn to…
… the pick and roll, great team defense, smart shot selection.
Of course, I am referring to the start of winter youth basketball season, a much anticipated annual happening here in the Black household.
My son and daughter participate in fall and spring leagues too, but winter is when things really take shape. They play in our in-town league where I coach each of their teams and on their respective travel teams, in which they compete with other towns. Toss in weekly practices and that’s a lot of basketball.
Just last Sunday, for example, my son had a town league practice, a town league game, and two travel league games! My 50-year-old body could barely survive one pick-up game these days. Oh, how awesome it is to be 13!
Sometimes, the kids have games at the same time… in different towns … in which I am coaching one of the teams. There have been days when I had to coach a game my own kid wasn’t even playing in!
As you can imagine, scheduling all of this is a major headache. A typical basketball-related conversation with my wife this time of year has a lot of, “you go here, then I’ll go there, then you pick him up and I’ll bring her to you…” I know we only have two kids, but sometimes, it sure seems like a lot more.
But you know what? We always make it work, because we have decided that basketball is a family priority. Whatever needs to happen, happens.
Is Cybersecurity a Company Priority?
Like youth basketball, within a given organization, cybersecurity is also assigned (explicitly or implicitly) a degree of importance. Here as well, that assignment will determine what happens … and what doesn’t.
In some companies, cybersecurity is considered “important.” Not as important as bringing in revenue, servicing customers, or building product, of course. Those are always, appropriately, at the front of the line. But in some happy instances, cybersecurity lands in fourth place.
In other companies, cybersecurity doesn’t even break into the top 10 list of concerns. That’s problematic. Under those circumstances, it will be extremely difficult for internal programs to get any traction, leaving the company vulnerable to attack.
As for what establishes cybersecurity’s importance in an organization, the number one determinant is executive sponsorship by someone high up in the company. If this is not in place, almost nothing else matters. When an executive applies dollars and attention, team members modify their schedules and workloads as needed to keep things moving.
With that in mind, here are a few suggestions for maximizing the scheduling effectiveness of your cybersecurity program.
#1. Schedule a weekly cybersecurity meeting.
You’ll want to ensure the “right” folks are present. That typically includes a tech person, of course. But since so much of cybersecurity is program-related – training, policies, audits, etc. – you’ll also want some type of program or project manager present; someone who knows how to run things.
But don’t add people just for the sake of numbers. Too many people can lead to everyone assuming someone else is taking care of things.
#2. Schedule a quarterly cybersecurity read-out with the executive team.
This should include a well-polished presentation with relevant data, a tightly-tuned message, and clearly laid out requests. (Share the requests beforehand so there are no surprises.)
Remember that executive support does not come with a “forever” stamp. You may only have the attention of this group for 30-45 minutes each quarter; you want to make sure leadership continues to believe your work is a good investment of company time and resources.
#3. Plan quarterly meetings with team members who do not need to participate regularly.
Cybersecurity touches all aspects of the organization. But not everyone needs to be part of your weekly meeting.
Instead, you can schedule quarterly meetings with, for example, HR representatives, “To review all employees who have been off-boarded for the quarter and make sure we followed the proper procedure.” Or with the head of your development team to, “Check in on your Secure Software Development Lifecycle (S-SDLC) progress.”
Just because you set up a cybersecurity program or procedure in the past, it doesn’t mean it is still happening. Maybe they forgot to do it. Maybe it got lost with a change in personnel. If you never check in with them, you’ll never know.
#4. Make sure meetings are well planned and include a sharp agenda, and that any required follow-up occurs in a timely manner.
Believe it or not, there are some crazy people in the world who do not think cybersecurity is the most important thing. There is always a risk that some individuals will not take things seriously or avoid meetings entirely.
A detailed agenda distributed prior to the meeting with names, tasks, and deadlines will demonstrate that this is a real thing worthy of their attention. Show them you are not going to waste their time with something they are already not excited about.
Take Control
People are busy. They make choices and trade-offs all day long about what is and is not worth focusing on.
Cybersecurity may never – okay, will never – be at the top of their list. But you can make sure it gets the attention it needs by scheduling these events into the regular workflow.
Now if you’ll excuse me, I need to see if I can figure out which of my kids’ games to attend tonight!
This article originally appeared on the Fractional CISO blog.
Cybersecurity definitely needs to be a top priority, even if it’s not the #1 focus. Without the proper backing and attention, things will slip through the cracks. Securing executive sponsorship is crucial for getting the resources needed, and regular check-ins ensure it stays on leadership’s radar.
Even security businesses are businesses first, meaning priorities must support the business even when it's not security-related.