Your CTO is Not an Assistant

Long-time readers of this newsletter may have heard me mention youth basketball once or twice.

Okay, four times previously (one, two, three, four), with one more coming your way right now.

But here’s the thing … I LOVE youth basketball.

I LOVE being at practice – helping the kids improve their game.

I LOVE coaching – helping the team perform at its absolute best.

I LOVE interacting with parents – asking multiple times if their child will be there; changing the line-up five minutes before the start of a game when a kid doesn’t show up; canceling games because we don’t have enough players.

Okay, I love two out of three of these things. Youth basketball practice and coaching, yes. Youth basketball administration … no way!

But there’s no getting around it. This season, I am coaching two teams – 5/6th grade girls and 7/8th grade boys (not coincidentally, I have children who are those exact same ages) – and for some reason the parents this year are unresponsive.

Part of the problem is that each team has its own dedicated app for managing its schedule (my wife and I have five apps between us for kid sports alone). So people lose track, forget to respond, blah, blah, blah.

It’s annoying (can you tell?), but it’s the price of admission. Like it or not, if you want to coach youth sports, you need to deal with the administrivia that comes with it.

As it turns out, running a cybersecurity program also requires a fair amount of administration. That means keeping track of things like:

• Who are your vendors; how are they performing?
• Were your employees off-boarded properly?
• Did you run background checks for new employees?
• Did you send out the cybersecurity training?
• Have you checked to see who is enabled in your systems?
• Has that contractor been taken off the account he is no longer working on?
• Is MFA turned on for system X, Y, or Z?

At its core, cybersecurity is information-based. And while doing it well requires a fair amount of high-level skills and strategic thinking, the bulk of the day-to-day work is administrative – up-to-date documentation and a commitment to process are essential.?

The Right Person for the Job

But who should be responsible for overseeing all this? Giving it to the CTO may seem logical … after all, they are the most senior tech person in the company. But doing so is a mistake.

Yes, this person has a strong commitment to and interest in the organization’s cybersecurity. But they are too busy – and, frankly, too expensive – to get involved in the laundry list of things mentioned above. They are focused on the technology and given their limited bandwidth, they will do the things that make the best use of their time (hint: it’s not administration).

A much better solution is to give it to your company’s “organizational hub.” I bet you have someone like this. It’s the person who, while not an expert in technology, is an expert in the company itself. The person who knows all the players, all the interconnections, and all the ins and outs of how things work.?

Give them responsibility for documenting, tracking, and overseeing all the day-to-day elements of your cybersecurity program. They don’t need to be “basketball” experts … they just need to be really, really good at keeping the wheels turning.?

Will the CTO object? Not likely. In all the conversations I’ve had with CTOs over the years, not one of them has ever said, “Rob, I love performing the administrative parts of my cybersecurity program.” In my experience, these folks are relieved to hand off the admin stuff to someone else.

One last thing. I’ve worked with all kinds of organizations over the years – different sizes, different industries, different corporate cultures.?

Each is unique in how it operates. But there is one rule that seems to apply across the board: If the cybersecurity administration is left in the hands of the CTO or other senior leader, that organization does not have a good cybersecurity program. It’s just not a match that works.

Gotta run. I’m one player short for tonight’s game and I’ve got some calls to make!

Want to get great cybersecurity content delivered to your inbox??Click here?to sign up for our monthly newsletter, Tales from the Click.

This article originally appeared on the Fractional CISO blog.