Now that millions of people are suddenly working from home because of the COVID-19 pandemic, companies need ways to create a connected and protected remote business and workforce.
This switch to remote work has accelerated digital transformation efforts at many companies. A recent survey by OpsRamp found that 73 percent of IT managers expect to either accelerate or maintain digital transformation initiatives through the COVID crisis.
However, by speeding up the deployment of digital technologies, this acceleration dramatically expands the attack surface and cyber risks.
C-Suite executives can’t think of security as a technical problem. It’s first and foremost, a business challenge, which has only become more complex during the COVID period.
Here are five ways for instilling a security-first mindset to help protect your business and deliver better business outcomes:
1. Tie security to business objectives and outcomes.
As C-suite stakeholders develop, change and implement their overall business objectives, it’s important for CISOs and security leaders to engage in that conversation from the start. Having immediate line-of-sight into the business objectives helps security leaders develop a customized, scalable, and highly secure system that can help the company reach its desired business outcomes.
Over time, we will see more CFOs blending their roles to become more integrated with CISOs, helping the company connect security investments and risks to the bottom line. Start the conversation by identifying the business benefits of security. For example, better security means the company doesn’t have to shut down operations because of a breach, which leads to less downtime and greater productivity. Quartz reports that companies can save 28 percent annually by deploying a strong cybersecurity plan.
Together, the entire C-suite should determine which cybersecurity measures best serve the company's existing and future business outcomes, along with financial interests.
2. Move away from ROI metrics.
Business leaders looking to tie security to business outcomes need to think less about short-term ROI and start thinking about security as a long-term investment. It’s tough to justify results if security gets bundled into a short-term ROI metric. That’s why for years security was sold as an insurance policy, it was something business executives could understand. Of course, when that happened security programs went nowhere because too often business executives didn’t understand the risks – or were willing to take their chances.
Today, they have no choice. The threats – and the negative impact to the business in the form of downtime, lost revenue and damaged IT equipment are well documented. As we look at what sets a strong security posture vs. a less mature one, it starts with executives reaching agreement and understanding the long-term benefits of having a robust security program. The odds of success increase immeasurably if a company can nurture the long-term support of a security-first mindset.
While many companies are applying financial constraints because of COVID, cutting security investments to achieve a short-term ROI can lead to a disastrous short-term outcome with potentially no long-term options.
3. Set the tone at the top.
CEOs need to take a leadership role with security. Security programs work best when CEOs position security as a critical element that makes the company stronger, safer and more strategic. Security makes it possible for business leaders to focus on what’s most important – innovation, market growth and profitability.
Too often CISOs and security leaders develop security programs for the business that are shared once a year with employees. Unfortunately, they are not revisited or communicated often enough for them to resonate and have the desired business impact.
Outdated misconceptions and practices still linger, as security teams are left as the the sole communicators and only team responsible for company security practices. There’s a communication and education gap that needs filling as companies adopt the security-first mindset.
How do companies fill that gap? Make security a routine topic of business discussion in staff meetings, employee training, end-of-year evaluations, business strategy sessions, budget planning meetings, and mergers and acquisition evaluations. Security belongs to everyone.
The security-first mindset brings security front and center to the business – therefore establishing the need for more real estate on the agenda and in the room.
4. Continuously assess risk.
For any business to adapt and change, it’s critical to continuously assess risk. Understanding how companies will handle business disruptions in the event of something unforeseen means that an organization must understand the risks.
As organizations go through digital transformation, companies need to determine their appetite for risk and the rate of change they can absorb. Part of the planning needs to include ongoing risk assessment at the strategic, tactical and operational levels. Companies should determine the risks to any plan and in the event of a disruption, have a nimble enough strategy to avoid any identified risks.
Any strong cybersecurity practice works in tandem with line-of-business managers to continuously identify risk and its impact to the business.
5. Create a shared responsibility model for employees.
With the quick change many companies have made to a fully-remote workforce, it’s important for businesses to educate employees in their shared responsibility for security. After all, the human element represents most of the risk in any organization.
As part of this education, employees need to understand that security enables the business and the work that they do. For example, better authentication methods make it easier for employees to access applications and do their jobs. If employees are connected to their work, they will connect to the need for better security.
Without diving into the technical components of security, executives can share and model the security-first mindset in a more personalized way that connects with their employees. For example, when sharing the impact of compromised credentials and ransomware, execs can communicate that these cyber threats don’t just happen in the workplace, but take place on personal devices as well.
Security belongs to every employee in the company, from the C-suite down to the seasonal intern – every employee owns a sliver of the exposed attack surface. However, security programs work best when everyone understands that security makes the business stronger and their jobs easier.
Theresa Lanowitz, head of evangelism, AT&T Cybersecurity