In the last few decades, a significant shift in corporate hierarchies fundamentally altered how organisations operate. This restructuring began within Citibank in 1994 when, after falling victim to a large cyber security attack, the role of Chief Information Security Officer (CISO) was first created. Since then, the CISO role has grown exponentially in prominence, so much so that nowadays it is common to see even small, privately owned organisations with a CISO or similar role in their executive team. With GDPR coming into force two years ago, many organisations assigned a Data Protection Officer. These developments indicate an important shift in business towards giving the protection of sensitive data more credence.
However, although cyber security roles may have increased in visibility over the last 20 years, there remains a proportion of enterprises which fail to take steps to fully integrate cyber security or information security professionals and teams into general operations. This failure can have catastrophic consequences.
Few will dispute that organisations need to consolidate corporate goals throughout all sectors of the business, working in tandem to achieve them. Yet this message is often forgotten when it comes to Security or Information Technology (IT) teams, which are often peripheral to business operations or siloed into their own niche.
Projects can be designed with, or can go on to develop, fundamental security issues if security teams are not included from inception. Examples include contracting with a vendor that does not practise due diligence, or accidentally purchasing software with inherent technical flaws that malicious actors could exploit.
Even against an ever-changing technological backdrop and evolving threat landscape, organisations often do not attribute appropriate importance to cyber security. Like other forms of design and construction, security is most effective with multiple layers and it is much easier to add security features at the start, rather than after the project is completed. Shoehorning security components into existing systems and processes is not only tricky, but also often ineffective, not to mention expensive.
As the presence of executive and non-executive cyber security professionals grows, the corporate dynamic has shifted as organisations realise that they must not only deal with the complexities of maintaining a technical environment but also contend with its security. In order to achieve success, enterprises should aim to create a culture of communication and collaboration whilst eliminating silos.
What you can do
Obviously, not all enterprises can afford to support executive-level security professionals or implement an advanced security programme. But that does not mean that cyber security should be brushed aside either. Bear in mind that there are alternatives to reworking the entire company leadership. Enterprises can instead use solutions which help facilitate collaboration between security teams and their leadership teams. In addition, there are inexpensive organisational methods to implement, such as establishing change advisory boards, issuing regular announcements and maintaining email distribution lists.
Change Advisory Boards
It is highly recommended for any organisation to have a Change Advisory Board (CAB) to provide an added layer of protection when it comes to changes to critical business operations or software. By bringing senior cyber security personnel into the picture, security teams are given access to core projects without creating too many process changes. CABs include leaders from other departments with robust knowledge, and they should possess insight into an enterprise's core projects and any changes that will potentially impact operations and security.
As well as CAB meetings, it is advisable for enterprises to produce regular announcements about company changes/upgrades. These announcements give staff exposure to process changes, new ideas and technology and at the same time provide a forum for those affected by such changes to voice their thoughts or give their input. Announcements can be paired with more informal meetings to further socialise changes within the organisation and gather feedback.
Email distribution lists
Email distribution lists which include key stakeholders are a vital way to facilitate discussions quickly and inexpensively. They can be used in conjunction with existing tools like ticketing systems, which ensure that teams gain access to appropriate information and have a venue to voice concerns and suggestions. Although perhaps not the most effective option, considering the number of emails the average worker receives, this solution is by far the easiest and cheapest, and it is useful for small organisations that do not need excessive formality in their distribution of information.
It is vital that enterprises include key stakeholders like cyber security professionals in their business decisions, even when those stakeholders may not directly influence the end product or service. To make sure cyber security is interwoven into the fabric of the business, cyber security personnel must be included in discussions. The reality is that it remains far easier to embed security during the initial stages of a project than to retroactively apply it. Proactive security helps to reduce costs in the long term whilst improving functionality and operational alignment.
The ultimate goal for many enterprises is to eliminate silos by creating a culture of communication across the organisation. Creating processes and platforms for cyber security and IT professionals to engage with projects and ideas as they emerge is a critical step that must be taken in order to move towards a mature and effective security program.
Author: Zachary Curley, Consultant, AT&T Cybersecurity Solutions