Part of the responsibility of an organization's IT leadership and consultants is to provide clear explanations of the threats and vulnerabilities that exist – not to mention their potential impact on the confidentiality, integrity, and availability of operations. The C-Suite should want to hear about it; if they don't, there's a problem.
But it's also important for the C-Suite and other stakeholders to fully understand the level of effort it takes for your team to mitigate and remediate threats and vulnerabilities, so that you can evaluate the need for action, such as realigning staff or introducing a third-party partnership.
While I've heard many C-Suite executives tell me "I'm just not technical," I've also seen one-hour meetings turn into two because the CEO wanted details, such as the results of a penetration test. I've even seen a CEO or two probe for answers to questions we had already spent time talking through with the CIO and IT leadership. It was a healthy, valuable conversation, and it resulted in an actionable plan that quickly improved the cyber security posture of the organization.
As more and more organizations start to take this approach, I'd like to offer a few points to think about that I've seen stifle the process when they are not considered.
Pride of Ownership
This can be a touchy subject. The average IT department staff not only invest a lot of time and effort into the systems and platforms they manage, but they also take pride in their work. In some cases there is so much pride that it's not uncommon to hear a network administrator or engineer refer to their company's infrastructure as "my server" or "my firewall." So, when these systems suddenly come under review internally, or when a third party is brought in to test systems unannounced — with very little discussion around the "why" — a certain level of fear and frustration can naturally begin to impede the success of the overall project.
Start with Why
When there is open communication around the “why” and the goals of such a project, it can go from fears of “my job is in jeopardy” to “we’re getting some reinforcements to help mature our posture.” This change in mindset can be a huge asset to your organization. Therefore, the C-Suite should focus on communicating the “why” in order to strengthen the value of their cyber security strategy.
An exception would be an organization that has established a mature cyber program. Such an organization has likely reached the point at which an unannounced test of the team's response to malicious operations carried out against the organization is warranted. Organizations that participate in these exercises regularly grow accustomed to this type of testing and, in most cases, welcome the improved cyber security posture and the learning opportunities that testing and partnerships provide.
This type of healthy environment is driven from the C-Suite. After all, they have the ability to set the tone for how things such as pride of ownership are addressed with IT staff. Giving your organization a glimpse of the bigger picture can make for not only a more engaged team but also a stronger, more resilient cyber security posture for your organization.