Breaking Down Barriers: Cybersecurity Across the Wider Business
Cybersecurity is now a key priority across organisations, not just for IT departments and other specialists. The entire company needs to ensure and enhance collaboration and information-sharing among key stakeholders in order to heighten its cybersecurity posture.
Jacky Fox, European lead for security at Accenture, said there are usually four constituents that can help an organisation become more cyber-resilient. First, in larger organisations the board has ultimate responsibility. Then there are employees who ‘own’ processes or data in the business – such as business unit leaders – who are “basically the consumers of the cybersecurity service that you’re going to offer”.
Third are the employees who provide the cyber service under the IT umbrella. Finally, there is “a new kind of breed of employees who sit in organisation to provide risk and resilience … they tend to keep themselves slightly separate from cybersecurity”, she noted.
Challenging, But Essential
It can be a challenge to ensure collaboration across these various stakeholders, Fox said. However, if the security aspect is brought to the table too late, things are much more expensive to secure, she said, “so business and security need to be joined at the hip.”
There is also a communications aspect to consider, Fox noted. The different elements within the organisation need to be able to understand each other. It is also “important that the message from people in security isn’t filtered several times before it lands up to the people who need to hear it, which is often a problem where information is diluted as it goes up the line.”
Jim Boehm, a partner in McKinsey’s digital and cybersecurity practices and cybersecurity lead for Europe, said the C-Suite sets the tone in most organisations, with business unit leads and product owners being the most operationally important people outside of infosec teams themselves.
“When you're talking about increasing communication and collaboration, the C-Suite really needs to be the one to broker the conversation among the business unit leads about including security and resilience and risk management as a key part of the value proposition in their business unit area,” he said. “Then that trickles down into the product owners, who are the ones that are charting the technology, capability building and maintenance operations and maintenance roadmaps.”
Failing to Collaborate Causes Risks
There are many risks if companies fail to sustain the right levels of collaboration and cooperation, he said. The root cause of such risks is usually that a gap has emerged, either in terms of a testing gap or a technical vulnerability.
“When people aren't collaborating and aren’t working together, then they're not going to be aware,” Boehm warned.
Collaboration is essential for different reasons, he said. It provides a chance for security and risk-focused teams to shape the case for the importance of these priorities. It gives them a chance to build capabilities across technology teams in the business.
Additionally, it provides risk and security teams with the chance to demonstrate what ‘good’ looks like, “so that technology teams and business unit teams have an example in their heads of what is entailed by thinking and acting in a secure way”.
The size of the organisation has clear implications for such collaboration. There is a “sweet spot”, said Boehm.
If a company is too small, it perhaps could not afford the tools and capabilities it needs to provide a fully secure environment, he said, though he added that there are a range of cloud-native and other services they can access to support them.
Large companies have a complexity problem, he said, given the number of employees and departments etc they often have.
Looking for more infosecurity & cybersecurity insights?
Be part of Europe’s largest information security event, Infosecurity Europe 2023 on 20-22 June, at ExCeL, London. Register for your complimentary ticket to attend the event.
It is somewhat easier for companies somewhere in the middle, perhaps with $100 million-$500 million in revenue, he said, “where you have enough money to be able to procure the tools and professionals you need, but not so large that there’s a huge amount of complexity.”
Fox said much depends on the personalities involved and the knowledge that each person has of their role in the organisation. “Sometimes I see that working really well in small organisations and sometimes really well in big organisations.”
However, it can be more complex in larger organisations, she added. It is important to develop the right responsible, accountable, consulted and informed (RACI) model, she said, and this is “more likely to be fuzzy in a big organisation. That’s where we start to see the problems.”
CISOs Working with Various Stakeholders
Jake Olcott, VP of government affairs at BitSight, said cybersecurity now touches on so many areas of organisations that it requires security leaders to work with a variety of stakeholders.
For example, he said that security leaders will need to engage with individual business unit managers to understand potential intellectual property or data exposure that could come from vendor engagements or new business developments.
“Security leaders are often involved when enterprise risk and finance teams evaluate cyber insurance coverage,” he added. “Given their cyber risk oversight responsibilities, the CEO and board of directors now work closely with security leaders to collect metrics, evaluate programme performance, benchmark against peers, and stay up-to-date on risks and trends.”
However, the process can be challenging, he noted.
“Many business leaders still feel uncomfortable discussing cybersecurity. Conversations can easily become very technical. It is critical for security leaders to speak in natural language and utilise metrics and measurements that enable effective communication.”
A failure to communicate and collaborate effectively can result in misplaced priorities, improper budgeting and wasted resources, Olcott warned.
“Teams that don’t work together to properly identify material cyber risk, resource those priorities, and measure remediation efforts will not be successful,” he said. “Security leaders should focus on managing risk. It’s not about saying ‘no’ to everything, it’s about understanding the mission of the business and working collaboratively to remediate risk.”
Fox said there are a number of approaches that work well to build collaboration. She pointed to organisations where the CISO is given the appropriate authority to influence the business and is able to provide their input early on.
She said that it is vital both that security specialists understand the business strategy and objectives and that the business fully understands the risks that security is raising. “At the end of the day, if there's no business, there's no security group.”
Enjoy this article? Make sure to share it!
Keep up to date with the latest infosecurity news and trends in our latest articles.
Receive monthly newsletters and updates about key events and news from Infosecurity Europe.
Looking for something else?