Solving 3 Common Security Gaps Through Better Cybersecurity Collaboration
Building and maintaining a strong cybersecurity posture requires cybersecurity collaboration between IT staff and an organization’s management team. This may sound obvious, yet when LMG Security’s consultants work with clients on cybersecurity assessments, testing, and incident response, we frequently see signs of internal communication gaps. In particular, we often find that IT staff are aware of security gaps, but management is unaware and thinks everything is as it should be.
What Causes the Disconnect?
The communication gaps we see tend to fall into three main buckets:
- Lack of shared context on cybersecurity threats
- Organizational culture impeding communication
- Visibility gaps – management does not have clear, consistent information on the organization’s cybersecurity posture and identified risks
All three of these challenges will require action and effort from both IT staff and management teams to achieve effective cybersecurity collaboration. This post is the first of a three-part series. Each post will examine one of these three challenges and offer practical advice for management teams and IT staff on how to address the challenge to build cybersecurity collaboration and improve their cybersecurity posture and reduce risk.
Why Worry About Lack of Shared Context on Cybersecurity Threats?
Effective cybersecurity collaboration needs to start with a shared understanding of the threat landscape and potential impacts to the organization. When IT and executive management lack a shared understanding of the threat environment, discussions about risk reduction opportunities and budget priorities are unlikely to lead to meaningful changes and true risk reduction.
IT staff work in the world of cybersecurity threats every day, so they are generally well aware of common threats such as ransomware and business email compromise. They also understand best practices related to cybersecurity controls and how specific controls can reduce the risk of common threats, either by reducing likelihood or limiting impact.
However, management teams are tracking on a wide variety of topics every day, from finance to growth strategies, product development, marketing, and more. Some executives may not be thinking about cyber threats at all, while others who are aware of general risk in this area are not familiar with common threats and potential impacts to the organization.
How Can Organizations Address This Challenge to Build Cybersecurity Collaboration?
- Executive and board level training on current threats can be eye-opening for members of your leadership team. It will help them understand cyber risk as a critical organizational threat, rather than a topic that primarily concerns the IT team. In particular, many management teams still think a company has to be “targeted” to be affected by a cybersecurity attack, when the reality is that most attacks are opportunistic in nature, meaning the criminals don’t care who clicks the phishing link, they’ll take it!
- Training and internal briefings should include a clear picture of the potential impacts of a cybersecurity incident. For example, the potential impacts of a threat like ransomware go far beyond the IT department, including operational disruption, data loss, data breach, financial impact, and reputational damage.
- On-going management training and updates will establish a shared understanding of the cyber threat landscape, which will support effective internal communication on threats, security posture, gaps, and risk reduction measures.
- The leadership team doesn’t need to get into the weeds on the threats or controls, but a shared context will allow cybersecurity collaboration to develop over time and give leadership teams the context of why it matters. Training will also allow the leadership team to ask more meaningful questions when considering security reports, budgets, and proposed changes.
- Also, as I included in a recent post on the human elements of a cybersecurity program, a strong cybersecurity posture requires consistent, visible management support and engagement. Senior leaders in the company should be talking about security regularly and conveying its importance. On-going executive training and awareness will enable them to be advocates for strong cybersecurity.
- IT Department:
- IT staff can contribute to the collaborative culture by being intentional in their communications. This means clearly tying identified gaps and proposed changes to how the changes can reduce organizational risk. Now that the organization is building a shared understanding of threats, use that shared context to frame gaps and proposed improvements.
- In my experience, IT staff and managers often communicate the proposed solution first, rather than starting with the context of the threat and potential risk to the organization. This approach may seem direct and efficient, but you may be missing an important opportunity to frame the proposed change in a context that conveys the big picture risk to the organization. Conveying the big picture risk will help capture leadership support, especially if the leadership team is still learning the overall threat landscape.
- Failing to clearly convey why the gaps and solutions matter can also leave management with the impression that the proposed changes are “nice to haves” or low priority. Make it crystal clear why they should care about this. For example:
- We are concerned about our risk of business email compromise, especially for staff in the finance, accounting, and procurement departments, who have proven to be susceptible to phishing emails.
- Email compromise can lead to misdirected payments and financial loss, and to breaches of sensitive company information.
- Our best short-term opportunities to reduce this risk include longer password requirements and implementing multifactor authentication, prioritizing these specific departments. We have the capability to do this now, but we need management support and communication since these changes will be unpopular with users.
- Then we need to ramp up user phishing training and engage a third party to review our Office 365 configuration to identify additional opportunities to reduce risk.
- Use a similar approach with internal and external security reports. Always ensure the internal communications clearly highlight risks to the organization. Reports that convey lists of gaps and recommendations without the essential “why it matters” context are unlikely to lead to the necessary follow-on steps to reduce risks.
Stay tuned for the next post in this series, where I will look at organizational culture challenges that can impede communication and prevent effective cybersecurity collaboration. I’ll share tips for facilitating increased reporting of security concerns, effectively routing identified gaps for investigation and remediation, and more!
Would you like advice or support strengthening your organization’s cybersecurity collaboration? LMG Security offers executive level security briefings as well as cybersecurity assessments and testing to help organizations develop their cybersecurity programs and reduce risk. Contact us to see how our experienced consultants can support your cybersecurity goals.