How do you know if your cybersecurity program is truly working? That’s the million-dollar (or, for most businesses, the tens-of-thousands-of-dollars) question. And, if you’re lucky enough to be able to dedicate resources to your organization’s cybersecurity program, this is an important question to answer.
As good corporate citizens, we owe it to our organizations to make sure the time, energy, and resources that the company has elected to invest in cybersecurity are making a positive impact and delivering the desired improvements in cybersecurity posture and risk reduction.
The Pickle We Get Into When Discussing Cybersecurity Compliance
As you seek to communicate with your executive team about progress that’s been made, there’s an important caveat to keep in mind: Compliance shouldn’t be the driving factor when it comes to evaluating the effectiveness of your cybersecurity program. Compliance with applicable regulations is a necessary outcome of any organization’s cybersecurity efforts, but it should not be the main reason that the organization is undertaking security initiatives.
A good way to explain this to a non-cyber-savvy executive is to use the analogy of the cucumber and the pickle. All pickles are cucumbers, but not all cucumbers are pickles. In the same way, an effective cybersecurity program ensures compliance, but just because you’re compliant doesn’t mean you’re managing cybersecurity risks to an acceptable level.
Here’s the problem with using compliance as the primary gauge for measuring effectiveness of your cybersecurity program: When business leaders hear the company is “compliant,” they’ll think there’s nothing to worry about and that there’s nothing else to do. In essence, they will perceive that the race has been run and the finish line has been reached. Their tendency is then to assume that attention (and, in many cases, resources) can be redirected because the goal was achieved. However, experienced cybersecurity leaders know that effective cybersecurity is really about managing risk, and, if we manage our risks properly, we will ultimately be compliant.
Use Compliance as a Conversation Starter, Not the Final Answer
So, how do we avoid the pickle (pun intended) of making cybersecurity all about compliance? We must shift the conversation towards talking about cybersecurity risk management comprehensively and avoid allowing compliance with regulations to be the main topic of discussion. As a CISO, I always believed that my primary objective was to advise and educate my company’s leadership team and board on the cybersecurity risks facing our organization, and then to help them make well-informed decisions about managing those risks by arming them with relevant information. While doing so, I tried to remain mindful that there are often business factors outside of my own purview that a C-level executive must consider when evaluating the proper cybersecurity response. Therefore, regardless of whether the company ultimately chose to pursue my recommended course of action, as long as I was confident that they had made a fully-informed decision, I was comfortable that I had done my job.
With this approach in mind, when speaking about cybersecurity, highlight the potential risks that you’ve identified and describe how they tie into your organization’s ability to achieve its objectives (i.e., align cybersecurity priorities with company priorities). Continue to educate business leaders on the role employees play in protecting your organization from a cyber-attack. Even when you do achieve the compliance milestones in your industry, continue to remind key stakeholders that the company cannot ease up on its cybersecurity posture. Regardless of an organization’s compliance status, cybersecurity threats and attacks evolve, new vulnerabilities are uncovered in existing software, and employees continue to do what all humans do—make mistakes. As a result, the organization is always at risk and will always have to dedicate attention and effort toward cybersecurity in order to make sure its customers, business partners, and employees have full confidence that their information is adequately protected.
When the topic of cybersecurity arises, executives will naturally gravitate towards a discussion about compliance because it is easier to grasp than the sometimes-nebulous idea of cybersecurity risk. But, when this happens, security leaders will be more effective if they can guide their executive team into the proper mindset, visualizing cybersecurity as simply another business risk that must be regularly and consistently evaluated and managed. When the focus of the conversation is cybersecurity risk management, compliance becomes a natural by-product and casually-recognized milestone in a well-functioning cybersecurity risk management program.
Our team at LBMC Information Security can equip you with the tools and resources you need to effectively communicate your cybersecurity program components with your stakeholders. Subscribe to our blog or podcast to stay up-to-date on the latest cybersecurity news and trends. You can also explore our Security Consulting services or contact us today to learn how we can help you with information security solutions.
This blog is the seventh in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.