February usually inspires (Hallmark) visions of romance and love, often depicted mythologically as instigated through a youthful, winged messenger with a magical bow and quiver whose wounds inspire love and passion.
Perhaps making your company leadership or employees fall in love with cybersecurity is a stretch goal. However, I could probably think of a few CISOs in my network that would love to aim with Cupid’s arrow (Legal disclaimer: bows and arrows are not workplace appropriate or endorsed in any way for cyber risk management).
Love is a strong word, and I think that many cybersecurity professionals would settle for being understood, empowered, and supported with appropriate sponsorship and funding.
While there is no magical method for attaining respect, empowerment, and support within your company, there are some things that leaders and teams can do to improve their position of influence and trust in how cybersecurity is received, perceived, and actioned.
Boosting Engagement of Senior Leadership
Senior leaders have a lot on their plates and their minds. Cybersecurity is fairly unanimously ranked as a top enterprise risk, but often the accountability can still be relegated layers below the CEO and her/his leadership team. Few leaders would likely say cybersecurity is “not important”, but many senior leaders don’t understand the role(s) they should be playing to help.
The “Cupid Arrow” with senior leadership is to help them understand risks and necessary actions more in terms of people and process. Most sensitive data in an organization sprawls well beyond formally managed IT systems (think unstructured electronic office documents being stored and exchanged ad hoc internally and externally without anyone from IT or security involved).
Business executives need to play an important role in sponsoring the business process and cultural change within their organization focused on securing data. They also need to help identify what information or processes are most important/critical so a security team can sharpen their focus on what matters most. In most cases, the tool/technology/budget conversations dominate the talk track, and organizations lose sight of what executives can do themselves and within their organizations.
Read more detailed thoughts and approaches on this in: Building Senior Leader Engagement in Cyber Security
Enabling and Activating the Employees and Extended Workforce
Ethical phishing programs and online training are necessary and often helpful for workforce awareness but should not dominate what the workforce experiences from the cyber security team. Why? These efforts teach employees what NOT to do, but they don’t empower them to understand how to handle and protect their data within their day-to-day jobs, collaborate with the internally approved tools a company has, etc.
Information Security workforce awareness programs need to be organizational culture change initiatives that are run more like an ongoing marketing campaign than an IT tool and training platform roll-out. Efforts need to be tied to the company culture, tailored for high-risk persona groups within the company, and innovative/provocative enough to capture the attention of the busy members of the workforce.