Cybersecurity: A Shared Responsibility

Author: Ira Goel, CISM, ISO 27001 LI, ISO 27701 LI, Founder, Gira.Group
Date Published: 24 November 2021

Let me begin by asking everyone a question: what does “shared responsibility” mean? What responses come to mind when you ask the question? When I ask it of myself, I have more follow-up questions before I can unravel what shared responsibility means:

  • What responsibility am I sharing?
  • With whom am I sharing the responsibility?

In cybersecurity, shared responsibility is even more complex and controversial, since security is often seen as an extension of IT or engineering. But sharing cybersecurity responsibility is part of everyone’s job description in an organization.

First task at hand: top management buy-in
Everything starts from the top: C-suite executives and the board. They are responsible for every business decision, so why do they often try to wash their hands of anything cyber?

In my experience, the answer is fear and uncertainty. Executives, either due to lack of technical understanding or complexities in technological solutions, feel overwhelmed or maybe incapable of addressing cybersecurity issues. However, without management’s buy-in, cybersecurity experts have a tough road ahead of them to protect the organization from threats.

As CISOs and other security leaders, our first task is to simplify the cybersecurity language into something most people understand, including the C-suite and the board.

Risk-based approach
When a cybersecurity program is based on risk, everyone from top management to operational teams can relate it to their daily job duties and incorporate the requirements into their processes. The list below gives a perspective on the different areas of risk an organization is dealing with; note that they are not managed by one person or team:

  • Financial risk
  • Regulatory risk
  • Technical risk
  • People risk
  • Vendor/third-party/supply-chain risk
  • Privacy risk
  • Performance risk
  • Environment risk
  • Geographic risk
  • Business continuity risk/geographic risk
  • Change management risk
  • Operational risk
  • Reputational risk
  • And more….

Utilizing a risk-based approach allows the organization to focus on what is critical and most important (not everything!). This allows the top management to prioritize programs and activities appropriately.

All frameworks inherently rely on risk identification, analysis, and mitigation for building a cybersecurity program, whether ISO, NIST or others. Even regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) emphasize a risk-based approach for privacy and security by design.

Based on the organization’s structure, different teams will be handling different risks, thus sharing the responsibility of the program.

From strategic to tactical
It is important, as risk managers and “guardians” of cybersecurity in an organization, that we manage and communicate risks appropriately. Not all risks and cybersecurity issues need to be communicated to top management; however, some do. At the same time, decisions and directives need to be communicated at the operational level so that teams can take the required actions in a timely manner.

As an example, management can decide to introduce a product or service in the market; for bigger organizations, it might be expanding to new markets, or a merger or acquisition. Each decision comes with risks and actions that everyone in the organization must perform to make the company successful. If an analysis of the decision results in exposure of substantial risk to the health of the organization with respect to a data breach or regulatory fines, then the operational teams need to escalate the analysis, associated risk and potential mitigations higher up the food chain, facilitating decision making by the board and enterprise leadership.

Measure everything: KPIs and KRIs
Cybersecurity programs include processes, subprocesses and deliverables. A successful program also includes performance and risk metrics (KPIs and KRIs), allowing managers to govern the program efficiently and in a timely manner.

Measure and monitor every area of the program. Again, it doesn’t have to be done by one person, but ensuring that everything is measured is important. Let us take, for example, one process: the Security Awareness Program, a key component of cybersecurity. How do you measure whether this program is effective in your organization? Do you check the performance of the program by asking questions such as the following?

  • How many employees attend the awareness sessions?
  • How many sessions in a year are scheduled and when (what time of the year)?
  • Are the programs relevant to the audience?
  • Do the actions of the employees change after these sessions? If so, how much?
  • Does the content of the sessions reflect current scenarios and market trends relevant to the business?
  • Are the sessions passive or interactive?
  • What can be done to make these sessions interactive and engaging to the audience?

These questions not only reflect performance, but also highlight the risks in the program. However, only when each question is backed by a measurement will those risks become visible.

Taking the above example, let us elaborate on a couple of the questions:

  • How many employees attend the awareness sessions?
    • If 90% or more attend, the program is a success.
    • If 75% or more attend, the program is good but could be better.
    • Anything less than 75% requires attention.
  • How many sessions in a year are scheduled and when (what time of the year)? For example, two annual sessions, one in spring and another in fall/autumn, plus four quarterly sessions on specific topics such as phishing, ransomware, challenges with working from home, etc.
    • Are there too many sessions that impact the attendance?
    • Are the employees attending for the sake of attending?
    • Does the summer session have lower attendance than others?
    • Are these sessions for all employees?
    • Will the company benefit if it reduces the number of sessions, but makes them audience-specific, such as for marketing only, for developers, etc.?

Sometimes you must ask more questions to measure appropriately and, thus, evaluate the program in depth.

These are just a few questions to begin the process of measuring the performance and risks of the programs put in place. Each area of cybersecurity requires specific questions to be asked when looking into the performance and related risks.

There are many teams and people involved, sharing the responsibility of building and governing an effective cybersecurity program.

Maturity and RACI (Responsible, Accountable, Consulted & Informed)
The quality of the questions asked while measuring the program’s growth, effectiveness and success improves as the program matures. Before we go into detail, note that maturity is always measured over time.

If a roadmap, such as a three-year or five-year roadmap, is defined, creating a maturity plan becomes easier. However, the plan should be a high-level plan, accommodating changing environments and operational needs.

Bad performance must not be overlooked, because it highlights risks and room for improvement, which in turn leads to the need for mitigating actions. Both good and bad performance indicators are valuable.

A maturity model for the program is like an infant turning into a toddler, then a teen, then a young adult, and finally an adult. As the program evolves, the risk profile changes, the performance changes, and the mitigations for the risks change. It is important that processes are continuously reviewed for relevance. It is quite possible that something important during infancy is no longer valid once the program is a teenager or a young adult.

The maturity of the program is also directly related to RACI: Responsible, Accountable, Consulted and Informed. At Level 1, as an example, the responsible and accountable parties can be, and usually are, the same person or team. At Level 2 or higher, it is highly likely that the accountable party is different from the responsible party.

A shared responsibility
Cybersecurity success is reliant on contributions big and small from everyone in the organization. To summarize:

  1. Cybersecurity is a shared responsibility for everyone and starts from the top.
  2. Get top management buy-in to ensure everyone is onboarded on the requirements.
  3. Success of any program and shared responsibility depends on good communication and awareness.
  4. Measure the programs as a whole and each step of the program.

About the author: Ira focuses on big-picture programs for organizations with little or no cybersecurity or risk management experience, as well as those where security and privacy programs run as disconnected and separate workstreams. This allows them to build a cohesive and collaborative program within the organization, with the long-term benefits of reduced implementation and governance costs, security awareness at all levels, and improved customer trust. Follow Gira Group on LinkedIn for more industry information, hosted workshops and sessions.