Security Leadership Series: Don't Be the Only Person Carrying the Mantle for Cybersecurity

02/06/2019  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


It’s easy to feel like a lone wolf when you work in cybersecurity (or a lone wolfpack, if you’re part of a cybersecurity team). While the work you do affects every area of your organization, your day-to-day responsibilities are so different from those of most other departments that it can be hard for them to understand your motivations, and just as difficult for you to relate to them.

However, if you’re going to influence your company’s culture to truly value and appropriately prioritize cybersecurity, you’ve got to find a way to build relationships across the organization. You don’t want to be the only person carrying the mantle for cybersecurity in your company.

If you’re the only one who understands and values the importance of cybersecurity, it will be a lot more difficult to get buy-in for your security program initiatives from other leaders within your organization. One reason for this is something I’ve discussed in this column before: cybersecurity doesn’t directly increase revenues or reduce costs, so when a company is seeking to improve its bottom line, cybersecurity expenses are one of the line items that often hit the chopping block (or never even make it out of the annual budget approval process in the first place). A lack of stakeholder buy-in might show up financially, as lost budget or headcount, or it could manifest itself as people neglecting or ignoring your requests for their teams or departments to implement and observe security best practices.

The best way to avoid becoming the lone-wolf cybersecurity employee and to garner broad support for your cybersecurity program is to start building relationships with influencers in the other departments your work touches. Identifying and cultivating advocates across your organization is invaluable, because they can influence others in ways you never could. Every organization, regardless of its location, industry, or size, has some form of organizational politics. A savvy cybersecurity leader identifies the political drivers within the organization and methodically works to educate and win over advocates in each key function who can help endorse the program when support is needed.

3 Advocates to Develop Within Your Organization

Here are three different functions in which you can develop strong advocates within your organization.

  1. Legal—Very few people in a boardroom command more credibility than a lawyer. If you’re presenting your ideas in a meeting and people notice the legal counsel nodding in agreement, they’re much more likely to take you and your message seriously. If your organization has in-house or outside counsel, I can assure you that person can be a great advocate for your cybersecurity efforts. Spend time with them to share what you’re doing and get their buy-in on your plans.
  2. Audit—If you work in a medium-sized to large organization, your internal audit department can become another valuable advocate for cybersecurity. In most businesses, audit reports are delivered directly to the Audit Committee. When I worked inside a large organization that had an internal audit function, I used to take our audit group to lunch to discuss the upcoming audit they were preparing to conduct. I would highlight issues I was concerned about and invite their feedback on the areas where they thought we might be lacking. This allowed me to ensure that key areas of concern from a cybersecurity standpoint got additional scrutiny and, if my fears were legitimate, that those concerns were documented in the form of an audit finding. In most organizations (and it was the case in mine at the time), audit findings require a management response and remediation plan, which was a roundabout way for me to get certain initiatives that had previously been cut from the budget approved for funding. Some might call this sneaky, but it shows how a savvy and well-meaning cybersecurity leader can use company politics to generate buy-in and support from leaders outside the executive leadership team, because the auditors became champions for the same issues I was concerned about.
  3. Compliance—Most organizations have at least one regulatory obligation to protect the sensitive data they store. At the very least, they probably hold personal information that is protected by breach-notification laws in all 50 U.S. states. If your program is working toward compliance with one or more applicable regulations, your company’s compliance department or compliance officer can lend another layer of credibility to the ideas and initiatives you’re proposing.

Don’t Be the Only Person Carrying the Mantle for Cybersecurity

While some days may bring frustrations, there are advocates for cybersecurity in nearly every organization. The key to success for an effective cybersecurity leader lies in cultivating those relationships. When your advocates support your ideas and initiatives, your influence spreads. This might mean challenging yourself to do things that don’t come naturally, such as taking the audit team to lunch or grabbing a drink with your legal counsel after work. Be open to their perspectives and probing questions, and don’t get defensive. Be willing to adjust your program, your position, or your message based on their feedback. Listen at least as much as you talk; listening to these key leaders broadens your perspective and makes you a better business leader. Building relationships across your organization may not come naturally to you, but it’s absolutely essential for getting buy-in for your program.

As experienced leaders in information security, our team is here to help. If you’re struggling to get other people to listen to your ideas or to act upon your requests, contact us today. You can also explore our Security Consulting services to learn more about the various ways we can help you with your overall information security objectives.

This blog is the sixth in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.​​
