Change is hard
We’ve all been there. You’re fired up to champion that big initiative that’s going to make all the difference, only to be met with fierce resistance across the organization. The root cause? Change.
Change is unknown. Change is disruptive. Change is expensive. Over time, comfort with the status quo drives a mantra of “move cautiously, reduce disruption, save money.”
Unfortunately, this approach doesn’t work when it comes to the enterprise security posture.
Digital transformation has meant that maintaining a robust security posture has become imperative. With breaches in the news every day, the adversary is not resting. They are constantly refining existing tools and adding new ones to their arsenal. This means your intellectual property, your customer’s data, and your brand reputation is increasingly at risk. The combination of an increasingly digital business and a more sophisticated enemy means that change cannot be avoided.
Your mission, should you choose to accept it, is to drive transformation across a diverse, sometimes antagonistic, group of stakeholders who kinda like things the way they are. This mission will be difficult and frustrating, but the first step is to understand your colleagues and what is prompting their objections.
Empathize to understand
A high degree of organizational alignment requires a clear understanding of the role that the different individuals and departments in your organization play in influencing the security posture and how their actions – or inactions – contribute to the failure or success of your cybersecurity initiative. Your ultimate goal is to help everyone move beyond tactical issues and build a strategic framework that puts the enterprise security posture at the forefront.
Building alignment – one team at a time
The CIO typically plays a central role in sponsoring cybersecurity initiatives across the enterprise. Their primary objective is to help support innovation in the business, while controlling costs and managing risk. They are key to getting ongoing commitment and focus on the initiative, making it viable and durable over the long run. Too often, emphasizing the technical benefits is lost on executive teams focused on business risks and outcomes. Instead, it is important that you identify and quantify key factors such as:
- Measurable risk reduction and cyber-resilience improvements
- Enhancement in efficiency of security operations
- Visibility into the massive enterprise attack surface
EXECUTIVE STAFF and THE BOARD OF DIRECTORS
Educate your executives and board of directors about breach risk and get their buy-in that your overall objective is to reduce breach risk by improving cyber-resilience. Inform them about how the actions of the security team will result in business risk reduction outcomes, and how the security posture transformation project will tie into the goals of the company. It is also important to avoid getting into technical security KPIs and instead, talk about metrics around risk and resilience, such as expected time-to-failure, cost-of-failure and time-to-recover. For this non-technical audience, you want to answer three primary questions:
- Where is the organization on the cyber-risk spectrum?
- Where should we be on the cyber-risk spectrum?
- How can we get the organization to where it should be?
Enterprise CFOs understand the importance of cybersecurity initiatives because poorly managed cybersecurity is a material financial risk for an organization. Because CFOs speak in the language of numbers, be sure to build a quantified business case, while making estimates and assumptions when necessary. The CFO will want to know how the new project supports or replaces the various types of cybersecurity projects that the organization has already invested in and how much risk will be reduced. It is also important to enumerate the financial risk of not investing in the new initiative. For the CFO, quantify the:
- Cost of the new solution, including both capital expenditures and ongoing operational expenses
- Expected direct costs of a major breach incident such as brand/reputation damage, litigation and attorney fees, regulatory compliance fines etc.
- Indirect costs of a breach such as loss of IP, operational disruption etc.
- Any unnecessary expenses being eliminated as the result of the project
- How the problem will get worse in the future
5 Key takeaways
Here is what you need to consider and accomplish in order to achieve buy-in and attain results in your security posture transformation efforts:
- Build a strategic framework that supports communication and collaboration across your enterprise and key stakeholders.
- Obtain a strong commitment from your executive team, including budgeting and resources needed to support the initiative enterprise-wide.
- Identify contractual and legal requirements and ensure that the stakeholder teams are in lock-step when introducing new software or updating existing systems.
- Use the right language when communicating with the different teams – i.e use business and risk language with the execs, technical metrics with the security teams.
- Translate security posture transformation into a tangible roadmap with clearly defined strategic and tactical elements.
The bottom line
Increasingly, organizations and business leaders are recognizing that there is a need to transform the cybersecurity posture to combat the growing threat from adversaries. Driving positive change in your organization with cybersecurity posture transformation is Mission: Possible if you are able to gain strong sponsorship and buy-in for your initiative.
Balbix can help. Check out our CISO Guide on Elements of Security Posture Transformation here.