The Evolution of the Security Team
Over the last few years there’s been a broad attempt to elevate the importance of cyber security at the board level in large public and private companies. These behemoths, typically serviced by Big 4 consultants (Deloitte, PwC etc.), have the resources and planning infrastructure to recognise the need to evolve.
This has a trickle-down effect, and as such in 2020 many business owners and directors are well aware of the cyber agenda. Whilst they understand the importance of cyber security, one of the biggest challenges for security professionals is translating that awareness into an actionable appreciation of what it actually means to the business.
At many companies, the cyber security team exists only within the IT support department or as part of a support contract with an external supplier. This is often an unfocussed collection of technical, operational and compliance professionals who may or may not prioritise security, and who probably don’t think strategically about the topic.
So how do SME business owners and directors ensure that cyber security receives the correct prioritisation? Board-level buy-in is key: in the absence of a Chief Information Security Officer (CISO), someone at board level has to take responsibility for championing the cyber security of the business. This leader needs to understand and partner with operational management to visualise and implement strategic, cyber-secure thinking within the company’s own operational priorities (goal congruence). Another critical security focus needs to be regulatory compliance (key in certain sectors such as financial services and healthcare), where efficiency of time and expense is critical.
In order to achieve this integrated strategic function, the leaders of security teams need to ensure they are not isolated: get off their own island, listen to different perspectives, and communicate more with business heads about what the organisation really needs to worry about.
In many instances relying on a trusted IT support company can be an easy and complacent choice; traditional support companies are rarely cyber security experts, and may need to be challenged on best practice from time to time. For companies that are undergoing a digital transformation — which is most of them — the cyber security team should look to insert itself into the middle of those conversations from a strategic perspective and present itself as the connective tissue between the business, digital, and security.
The goal of security should be to facilitate the main corporate goals; the two are the same. Identify the type of data the business is planning to place in the cloud. Understand the type of interactions that will be required between the development and production environments; then map those expectations within the security plan.
Security should work very closely with the business to ensure that communication is clear and that messaging is consistent and positive; securing the buy-in of the company is key to success. Leaders of security should aim to stay close to the customer experience to discover how decisions impact clients and customers. Again, messaging to clients and customers around security instils confidence, and should anything bad happen, you will have demonstrated a commitment to best practice and corporate responsibility.