A shift in corporate hierarchy over the last few decades has fundamentally changed how organizations operate. This shift started about sixteen years ago, in 1994, with Citibank/Citigroup. After suffering a cybersecurity incident, they created the role of Chief Information Security Officer (CISO), a role that has only grown in prominence since. It is common today to see even small, privately owned organizations feature a CISO or similar role on their executive team.
Along with the growing presence of both executive and non-executive cybersecurity professionals, an interesting dynamic has been introduced to the corporate environment. Instead of just dealing with the complexities of maintaining a technical environment, organizations are realizing they also need to contend with securing that environment.
Unfortunately, many organizations have not taken the requisite steps to properly integrate cybersecurity into their general operations.
Why it matters
Most professionals understand the importance of centralizing the mission of the corporation throughout all departments and initiatives. It’s a common component of most, if not all, business programs and is driven home time and time again. This message does not always translate to the Security or Information Technology (IT) teams, however. Even in the face of an ever-shifting technological landscape plagued with breaches and attacks, organizations regularly fail to appropriately consider the role cybersecurity plays in their business.
Security is most effective when it has multiple layers and is included from the beginning. Much like any form of design or construction, it is significantly easier to add features at the beginning than after the project is completed. Trying to shoehorn security components into existing systems or processes is both difficult and often costly, requiring significant buy-in from the organization to accomplish effectively.
Failing to include security at the beginning of projects can also lead to acquiring or building systems that have fundamental security issues. This includes things like contracting with a vendor that does not practice due diligence or purchasing software with technical issues that may be exploitable by malicious third parties.
What you can do
Not all companies can afford, or even support, a new executive-level security leader or an advanced security program. That does not mean they can afford to leave cybersecurity out of the conversation. Instead of trying to rework the entire company or hire new leadership, organizations can use alternative approaches to accomplish similar effects. These approaches can be used either independently or in concert with each other to help facilitate meaningful collaboration between leadership, delivery teams, and security. The options below aim to be relatively inexpensive and as simple as possible.
Change Advisory Boards
Having a Change Advisory Board (CAB) is highly recommended for any organization. The CAB provides an additional layer of protection regarding changes to critical infrastructure, software, or overall business operations. Including cybersecurity staff on the CAB is an easy way to give them broad visibility into core projects without creating significant process changes. This group should include leaders from other departments to provide a robust knowledge base. The CAB should have insight into core projects and changes that may impact operations or security.
Along with, or in some cases in place of, CAB meetings, it is strongly encouraged to produce regular announcements about major changes, upgrades, et cetera. This exposes staff to new ideas, process changes, and technology while providing a forum to get input from those who will be affected by the changes. These announcements can also be paired with more informal meetings or town halls to further socialize changes within the organization while receiving feedback.
Email distribution lists
Creating email distribution lists for important topics or roles, such as incident response, that include key stakeholders is another way to facilitate discussion without significant time or financial investment. These can be combined with existing tools such as ticketing systems to make sure technical teams get the information they need and have an appropriate venue to voice concerns or suggestions. This option is the least effective of the three, but it is the easiest and cheapest; it is primarily useful for small organizations that do not need much formality in how information is distributed.
It is important for organizations to include all key stakeholders in their business decisions, even when those stakeholders may not directly influence the end product. Whether you provide a service or a product, security personnel need to be included in the discussion. It is much easier to embed security during the initial stages of a project or product than to attempt to apply it retroactively. Proactive security helps reduce costs and improves overall functionality and operational alignment.
Ultimately, the goal is to eliminate silos by creating a culture of communication and collaboration across the organization. Creating processes or platforms for cybersecurity or IT professionals to engage with, and advise on, new projects is a critical step that must be taken to truly move towards a mature and effective security program.