Improving communication within an organization has been proven to increase productivity; that’s easy to see. A study by Salesforce found that more than 80% of employees and executives believe weak communication is the main cause of workplace failures. What might those workplace failures look like? Missing a deadline or offending a client are bad outcomes, but we also need to guard against exposure of sensitive or personal information.
In this series, ProCircular’s team of information security specialists breaks down the top cybersecurity risks for small and medium-sized businesses in 2023. How do SMBs prepare for cybersecurity threats and prevent security incidents? Trevor Burke lays out the best ways to get leadership’s support behind security investments.
How to Talk about Cybersecurity
One in 5 security incidents involves the human element, and those situations can pose significant physical, financial, or reputational risks to the people who trust you most. Hackers around the world are popping companies every day, and security expectations must be communicated effectively to reduce the severity of the attacks. There are a couple of different conversations to think about to begin strengthening your security posture. How do we make users feel secure and act securely? How do we become compliant with industry regulations? How do we get funding from the board?
Talk the Talk
It can be helpful to consider that not all great minds think alike. Our individual skill sets make us well-suited for our positions. For example, engineers tend to think about the “how”. They want to get their hands dirty and understand the details and steps behind complex processes. People in that field use TLAs (three-letter acronyms) to condense larger concepts for use in discussions with colleagues. On the other end of the spectrum, leaders tend to think more about the big picture and abstractions. They want to know what and why, but are not as interested in how it’s done.
The disconnect occurs when leaders get frustrated wading through the how behind the what, and when engineers feel like their projects cannot be understood without heaps of contextual understanding. Meeting leaders closer to where they are (high-level thinking) can ease them into a conversation that provides more context. Rather than dumping all the information at once, engineers need to make themselves available and trust their counterparts to ask follow-up questions when they need help.
Insist on Realistic Processes
It’s important to keep in mind that documented processes need to be functional, not aspirational. As processes are developed and maintained, take the time to get input from the affected teams so the documents match reality as closely as possible. Including those users in the development process also encourages their buy-in and awareness of the new secure policies. All of that will help push you toward a culture of intentional, prioritized security that is understood and adopted by all employees!
Assess and Confirm Compliance
Another communication mistake that can land companies in hot water is the assumption of compliance without confirmation. HIPAA is the most recognizable industry-specific privacy regulation, but there are several more affecting finance, education, the Department of Defense, etc. Other legal and insurance requirements will affect all organizations differently. Find out which regulations affect your industry, and work with your security team to come up with a path toward a mature security program.
How to Secure Cybersecurity Funding
As much as data security is making its way into companies’ strategic plans, key decision-makers and technical subject matter experts don’t always end up in the same room. A lack of insight into risks and vulnerabilities creates a false sense of security and hinders incident response in the case of a breach. You can help executives make informed decisions about security funding by speaking their language.
Do your Research
A risk register is a detailed and holistic view of all the threats that face your company. There is a lot of frontloaded work that goes into filling out the tool, but it becomes immensely useful for security planning and demonstrating present threats once it is complete. Before bringing this information to leadership, think about the implications if the risk is not addressed and think about what it would look like to simply accept the risk. When you are ready to present your findings, explain these considerations and take meeting minutes to record whether the risk was accepted or not.
Understand your Audience
Think about the people you are asking for help. What are their personality traits, concerns, motivations? What constraints do they face that would affect your request? People in leadership positions tend to respond well to a clear mission, with defined goals and objectives.
Talk to Everyone Involved
Creating a secure company culture requires support from every department that handles company information. Use an RACI matrix (responsible, accountable, consulted, and informed) to define the roles of each stakeholder/participant who will be involved in the updated process. Generating awareness and support from project managers, developers, designers, etc. will help ensure the new processes will be received well and adopted smoothly.
Remember, leadership cares about the business, not the technology. They know that you are the expert, and they want to hear decisions from you, not just options. Focus on informing rather than educating, and you’ll have an easier time getting through to them. Non-technical people can be intimidated by lingo (CMMC, NIST CSF, SIEM, MXDR), so practice an elevator pitch (2-3 minutes) that uses language people can understand. If they want the details, they’ll let you know, and they’ll be more inclined to listen. Having both a deep and simplified understanding of a topic gives you flexibility; you should be prepared to talk for 60 minutes, but only expect to get 5.
It’s also helpful to have a budget and timeline prepared ahead of time, although you should expect those to be challenged as the project evolves. As soon as possible, start recording formal reports with scorecards and objective measures that align with corporate goals. At the end of the day, making yourself part of the business strategy, rather than just an expense, will make your proposal much more appealing to leadership.
Threat Management in Iowa and Minnesota
If you’re looking for accomplished experts to support your security posture, trust ProCircular. Proudly serving Iowa, Minnesota, and the entire Midwest, ProCircular is among the top cybersecurity companies in the nation. Our team can provide you with technical control and support, procedural development, and timely responses to whatever comes your way.