A framework for Meliorism cybersecurity discussions within organizations
Kapil Bareja
Thought Leader focused on creating meaningful adjustments in an environment that is rapidly growing | Global 40-under-40 Cybersecurity | Identity | Cloud Security | Author/Advisor | Investor | Board Member QTE | GCISO |
Clear and frequent communication is essential but often lacking in companies’ cybersecurity programs. Here’s how security professionals can create tighter bonds with some critical stakeholders.
The entire world is going digital; virtually every type of cross-border business transaction now has a digital component. Companies’ use of digital technologies is opening them up to new relationships with customers and business partners, and new business opportunities. But, as recent headlines have made clear, the very act of connecting to the outside world increases organizations’ risks exponentially—of project failure, of data breach, or worse.
In this era of global digital flows, companies must take all possible steps to build robust cybersecurity capabilities. Protection strategies cannot be focused solely on technological controls and remediation plans. Companies must invoke the human element as well. They must seek to build digitally resilient cultures in which cybersecurity is not an occasional concern but an everyday task for core business stakeholders at all levels, inside and outside the organization. In such cultures, discussions about asset protection are proactive rather than reactive, and communications among critical decision makers are open and frequent.
Trust gap 1: The board and the C-suite
The dynamic between board directors and the senior management team can be fraught for any number of reasons, but first on the list is that cybersecurity is usually not a top item on many board-meeting agendas; often it is presented as part of a larger discussion of IT issues, if it is mentioned at all. Many board directors therefore tend to be less informed about cybersecurity technologies and issues than they may be about standard financial and operational issues—apart from what they read in newspapers about the latest corporate or government security breach.
They come to the table with questions about the company’s cybersecurity programs. For instance, are the company’s most critical assets being adequately protected, and is there a robust response-and-recovery plan in place if a breach does happen? Who actually owns the cybersecurity agenda, and does that individual or team have the appropriate level of power and influence to mobilize the required resources?
A trust gap develops when senior management falls short in answering these questions. In some cases, the senior-management team may not be able to properly opine on governance issues because it has not clearly defined owners for particular cybersecurity issues and activities—for instance, who should manage safety training modules: the leaders in the business units, or in IT? The senior-management team may not have the right data in hand to properly quantify the current levels of risk the company faces and present a comprehensive mitigation plan to the board. Or the members of the C-suite simply may not communicate with the board often enough when it comes to cybersecurity issues, despite the fact that transparency is a new norm in most companies.
Finding common ground
Members of the C-suite need to create more transparency and forge stronger communication with board directors. Senior leaders should formally assess the maturity of their cybersecurity programs regularly and present their findings to the board at least annually, but preferably even more frequently. This exercise should involve a structured consideration, by members of the senior-leadership team and others in IT and the business units, of the severity and likelihood of attacks on major corporate assets. For instance, which internal and external threats are the biggest, and what is the business value at stake?
Trust gap 2: The business units and the IT organization
Trust-based relationships among individuals in the business units, the IT organization, and the cybersecurity function can be difficult to maintain—in part because these groups sometimes work at cross purposes. The cybersecurity team may impose certain safety protocols that are inconvenient for employees in the business units, or otherwise impede their daily operations. Consider your own reactions to IT requests to change passwords—coming up with yet another password that has the required length and complexity and that you can still remember. Such exasperation can escalate from the individual level to the business-unit level.
Bulking up training efforts
To help close the trust gap between the IT and cybersecurity function and the business, the organization can provide comprehensive cybersecurity training to staffers at all levels. This might include dedicated town-hall meetings, workshops, and training modules focused on identifying varying types of cyberthreats and outlining appropriate responses when employees witness suspicious activity.
Such training can help business-unit employees understand the rationale for cybersecurity protocols and raise their awareness. Even more important, it can signal to the business units that cybersecurity is a shared responsibility. Anyone who has access to confidential data and systems, at whatever level, must play an active role in ensuring their safety.
Trust gap 3: The company and its vendors
The relationship between companies and their technology and supply-chain vendors has always been complex. Just as consumers rely on companies to keep their data safe and to use them only in ways that they have authorized, businesses must trust their IT and supply-chain vendors to hold competitive information close to the vest. Automakers, for instance, would need to be confident that their OEMs have enough cybersecurity controls in place to protect the intellectual property they are sharing.
This is especially true in an era in which more and more companies are outsourcing the management of their IT infrastructures or their cybersecurity operations. Businesses need to be assured that the access they provide to vendors and the offerings they get from vendors can be integrated with existing systems without opening up any security holes.
Bringing partners closer
To bridge this trust gap, company IT and business leaders should schedule regular conversations with vendors and supply-chain partners to assert the levels of security required to protect shared business information. Such meetings should take place quarterly or biannually; with more frequent contact, vendors and company officials can engage in a true business partnership rather than a simple transactional relationship. They can discuss and devise clear recovery and compensation plans.
Companies can take it a step further by actively collaborating with third-party providers and supply-chain partners to ensure sufficient data protection. They may jointly pursue security certifications, such as the Payment Card Industry Data Security Standard or the ISO 27001 standard, or conduct joint reviews and security audits of IT systems. They may even agree to open themselves up to a broader ecosystem of technology partners to provide additional checks and balances.
Trust gap 4: The company and the government
It’s no surprise that local, national, and federal governments have in recent years prompted private-sector organizations to become more aware of cybersecurity issues and more active in their data-protection efforts. Cyberattacks in major financial institutions can affect overall market stability. Energy-grid hacks can pose national threats, too, as we learned from the recent attempted break-ins at a dozen power plants in the United States. Government agencies need companies to report cyberattacks and other incidents in a timely fashion, in order to strengthen overarching protection efforts—for instance, spotting and addressing suspicious patterns of activity and alerting the public to any dangers.
Seeing the big picture
Neither side can afford to battle cyberattacks on its own. Companies need the official imprimatur and gravitas that government agencies can provide as facilitators of cybersecurity investigations and discussions of sensitive information. Governments need the feedback and technical resources that private-sector organizations can provide.
Technology alone cannot hold cyberattackers at bay. A culture of trust is also important for corporate cybersecurity initiatives to succeed. All stakeholders in a company’s ecosystem—board directors, IT leaders, businesspeople, vendors, and so on—must come to a mutual understanding of the risks the company faces and work together to decide on the best approach for addressing those risks.
As we’ve learned, it can be difficult to attain and preserve this level of agreement and trust—particularly because of the natural tensions built into data-protection efforts: the cybersecurity team’s day-to-day work has consequences for the business and vice versa. But if companies recognize the human aspect in cybersecurity and take steps to close trust gaps by introducing more transparency, they can increase the odds that their cybersecurity programs will be successful—not just in the near term, but over the long haul, regardless of the kinds of threats that may emerge.