Oftentimes, I find cyber security teams still operating in some dark back office, interacting with their non-technical colleagues as little as possible, and wondering why people just don’t get it when it comes to security. As security professionals, we frequently talk about the concept of “people, process, and tools,” but there may be a few opportunities when it comes to the people area in particular that we haven’t fully explored for whatever reason.
Consider taking a fresh look at this to see if there are any areas for improvement. I believe if you have productive interactions with the risk team, the insurance team, and the training team in particular, you’re very likely to see an improvement in your security program visibility, confidence, and support.
The Risk Team
Determine who in your organization prioritizes organizational risks and what their processes are. For example, if you work in a large company, there may be an enterprise risk management team. These folks are very skilled at performing risk mapping and business impact analysis. They are often very focused on financial risk, so it’s important to work with them to make sure that cyber security scenarios are included.
Make sure that the most likely cyber security scenarios and those with the biggest potential impact to business are included in the enterprise risk map. This will help you gain visibility with leadership and improve confidence and trust across the stakeholders. You’ll gain insight into the organization’s risk profile and tolerance levels, which can in turn help you prioritize your security team’s resources. Along with improved visibility, you should also have fewer surprises when managing threats and help leadership make decisions faster.
The Insurance Team
Find out if your organization has a cyber insurance policy. More often than not, the security team had little involvement in the purchase of that policy, so you may have some catching up to do. Read it. Spend time with the insurance team to review and understand the policy coverage. Consider including the risk team to determine if everyone is comfortable with the coverage areas and amount of coverage the organization has relative to its risk level. Help the insurance team understand that there are more stakeholders to consider as well, and they should be brought into the discussion.
There are services and coverage areas in many cyber insurance policies that include legal, communications, and customer service. All these need to be reviewed with sufficient input from those stakeholders. You’ll typically find that most stakeholders will appreciate this engagement with both the security team and the insurance team, because this is a discussion that generally doesn’t involve technical controls.
The Training Team
Seek out the employee training delivery experts in your organization. I still see many security teams trying to run bare-minimum security awareness training programs on their own. Security training tends to be more robust when the program includes input and support from both the training team and security team. There is so much efficiency to be gained from understanding the resources available for things like creative content development, delivery and distribution, metrics and tracking.
There are so many opportunities to improve our approach to security training beyond the standard annual refresher via computer-based training (CBT) and periodic phishing email drills. Employees at every level of the organization – from the boardroom to the break room – continue to be a factor in nearly every data breach. Therefore, we can’t continue security training year after year with the same tired messages and methods. You need fresh ideas from the folks that specialize in effective training strategies.
Summary
Whether you’re a security professional working in a large organization or a small one, there will certainly be differences in how you can approach the idea of engaging teams in your risk, insurance, and training departments to improve your security program. Regardless of the value of seeking out expert input and discussion between the security team and these functions is something not to be avoided or put to the back burner. Come on out of the dark back office and show you’re a critical member of the team that can mitigate and reduce risks to your organization.
Need more tips and resources to improve your security program? Check out our professional services.
You can follow Stephanie Ewing on Twitter @SEwingOttmers.