Solving 3 Common Security Gaps Through Better Cybersecurity Collaboration

Building and maintaining a strong cybersecurity posture requires cybersecurity collaboration between IT staff and an organization’s management team. This may sound obvious, yet when LMG Security’s consultants work with clients on cybersecurity assessments, policy development, and testing, we frequently see signs of internal communication gaps. In particular, we often find that IT staff are aware of security gaps, but management is unaware and thinks everything is as it should be.

What Causes the Disconnect?

The communication gaps we see tend to fall into three main buckets:

1. Lack of shared context on cybersecurity threats
2. Organizational culture impeding communication
3. Visibility gaps – management does not have clear, consistent information on the organization’s cybersecurity posture and identified risks

All three of these challenges will require action and effort from both IT staff and management teams to achieve effective cybersecurity collaboration. This post is the first of a three-part series. Each post will examine one of these three challenges and offer practical advice for management teams and IT staff on how to address the challenge to build cybersecurity collaboration and improve their cybersecurity posture and reduce risk.

Why Worry About Lack of Shared Context on Cybersecurity Threats?

Effective cybersecurity collaboration needs to start with a shared understanding of the threat landscape and potential impacts to the organization. When IT and executive management lack a shared understanding of the threat environment, discussions about risk reduction opportunities and budget priorities are unlikely to lead to meaningful changes and true risk reduction.

IT staff work in the world of cybersecurity threats every day, so they are generally well aware of common threats such as phishing, ransomware, and business email compromise. They also understand best practices related to cybersecurity controls and how specific controls can reduce the risk of common threats, either by reducing likelihood or limiting impact.

However, management teams are tracking on a wide variety of topics every day, from finance to growth strategies, product development, marketing, and more. Some executives may not be thinking about cyber threats at all, while others who are aware of general risk in this area are not familiar with common threats and potential impacts to the organization.

How Can Organizations Address This Challenge to Build Cybersecurity Collaboration?

• Management:
  • Executive and board level training on current threats can be eye-opening for members of your leadership team. It will help them understand cyber risk as a critical organizational threat, rather than a topic that primarily concerns the IT team. In particular, many management teams still think a company has to be “targeted” to be affected by a cybersecurity attack, when the reality is that most attacks are opportunistic in nature, meaning the criminals don’t care who clicks the phishing link, they’ll take it!
  • Training and internal briefings should include a clear picture of the potential impacts of a cybersecurity incident. For example, the potential impacts of a ransomware attack include operational disruption, data loss, data breach, financial impact, and reputational damage.
  • On-going management training and updates will establish a shared understanding of the cyber threat landscape, which will support effective internal communication on threats, security posture, gaps, and risk reduction measures. We now offer monthly executive threat briefing packages, contact us if you would like more information.
  • The leadership team doesn’t need to get into the weeds on the threats or controls, but a shared context will allow cybersecurity collaboration to develop over time and give leadership teams the context of why it matters. Training will also allow the leadership team to ask more meaningful questions when considering security reports, budgets, and proposed changes.
  • Also, as I included in my blog on the human elements of a cybersecurity program, a strong cybersecurity posture requires consistent, visible management support and engagement. Senior leaders in the company should be talking about security regularly and conveying its importance. On-going executive training and awareness will enable them to be advocates for strong cybersecurity.

• IT Department:
  • IT staff can contribute to the collaborative culture by being intentional in their communications. This means clearly tying identified gaps and proposed changes to how the changes can reduce organizational risk. Now that the organization is building a shared understanding of threats, use that shared context to frame gaps and proposed improvements.
  • In my experience, IT staff and managers often communicate the proposed solution first, rather than starting with the context of the threat and potential risk to the organization. This approach may seem direct and efficient, but you may be missing an important opportunity to frame the proposed change in a context that conveys the big-picture risk to the organization and encourages executive support for the project.
  • Failing to clearly convey why the gaps and solutions matter can also leave management with the impression that the proposed changes are “nice to haves” or low priority. Make it crystal clear why they should care about this. For example:
    • We are concerned about our risk of business email compromise, especially for staff in the finance, accounting, and procurement departments, who have proven to be susceptible to phishing emails.
    • Email compromise can lead to misdirected payments and financial loss and to breaches of sensitive company information.
    • Our best short-term opportunity to reduce this risk is implementing multifactor authentication. We have the capability to do this now, but we need management support and communication since these changes will be unpopular with users.
    • Then we need to ramp up employee cybersecurity awareness training and phishing simulations, as well as engage a third party to review our Microsoft 365 configuration to identify additional opportunities to reduce risk.
  • Use a similar approach with internal and external security reports. Always ensure the internal communications clearly highlight risks to the organization. Reports that convey lists of gaps and recommendations without the essential “why it matters” context are unlikely to lead to the necessary follow-on steps to reduce risks.

In part two of this series, I look at organizational culture challenges that can impede communication and prevent effective cybersecurity collaboration. I’ll share tips for facilitating increased reporting of security concerns, effectively routing identified gaps for investigation and remediation, and more!

Would you like advice or support strengthening your organization’s cybersecurity collaboration? LMG Security offers executive level security briefings, monthly executive threat briefings, managed KnowBe4 employee training solutions, and much more to help you reduce your organization’s risk. Contact us to see how our experienced consultants can support your cybersecurity goals.

Read part two of three: 6 Steps For Building a Strong Security Culture in Your Organization