
Aligning cyber strategy with people and processes

Written by Rosie Anderson
December 16, 2024

Welcome to the last part of my Cyber ROI mini-series! In this final part of this blog series, I will discuss aligning cyber strategy with the people and processes.

Before we begin, now would be a good time to check out the first two parts in this series, if you haven’t already: Cyber risk vs ROI – what’s the right balance? and Effective cyber spend: how to align your cyber security efforts to your business-critical systems.

People are the weakest link, right?

Well, no. Humans are fallible, and if you work in the Accounts department, you should have the tools in place to be able to open attachments safe in the knowledge you have the security defences in place in the business. (Quick plug here for Dracoeye if your team doesn’t already know about our free tool for the community to check links, files, URLs and emails!)

So to be clear, very few businesses have a 60-strong cyber security team. It is much more common to see a small team (and sometimes, just 1 person!) responsible for IT, compliance and cyber security. This can be true for businesses in all sectors, including critical infrastructure.

If we think about the people in our security teams, what does that look like? You might have a junior team that doesn’t cost a lot but needs further training or cross-skilling. If you have completed a pen test assessment as mentioned in the second part of this blog series, what did those results show? Did your SOC pick up unauthorised activity? If it didn’t, was this down to a people, process or technology challenge?

Another thing to consider is whether your people are properly trained in the tools that they are using. Do they have overlapping skills to cover for staff absences, for example? Maybe you can rotate responsibilities: a team works on endpoint security one week and firewalls the next, ensuring further skill development.

As a manager, you may find that building a skills matrix of your team will give you deeper insight as to the mix and level of skills within the team, further helping you with aligning cyber strategy with your people and processes.

How can we make the most of the staff we already have?

You will have people in your business who would love to work in your cyber security department. In my previous career as a recruiter, it would always amaze me how many people would be looking to leave their employer to progress into another career direction. When they inevitably found that new opportunity, their current employer often would not have known about their career goals and ambitions, and would have loved to keep them in the business. Encouraging internal applications to your cyber security team can ensure you retain your key staff, and by investing in your people you will keep an engaged and happy workforce.

Your IT staff can easily be cross-trained into cyber security. The same can be said for all business areas, from compliance to accounts to sales to project management. If they already know how your business operates, and its goals and critical systems, then they already have a lot of critical knowledge, so teaching them how to secure those systems, or how to spot threats relevant to their department, is a quick win.

Another quick win can be a security champions programme. Having key people from critical departments who can be your security eyes and ears, and who show an interest in cyber security, can help you improve security culture quickly across the business. For example, your security champions can be trained in threat modelling, which helps identify security flaws early in the development process.

Training: your best low-cost defence for aligning cyber strategy

You might not have the budget for a state-of-the-art threat detection system, but you can turn your workforce into a powerful defence mechanism. The best part? It is low cost, but high impact.

Tips for training on a budget

    • Lunch and Learns: Everyone loves a free meal. You could host short training sessions that get straight to the point. Use real-world examples to show just how easy it is to fall for phishing attacks.
    • Gamify your training: Get a little competitive! Set up challenges, like who can spot phishing emails the fastest. It’s engaging, and it makes the training stick.
    • Use free resources: You don’t need fancy tools to teach basics. There are tons of free training resources available online, including simulations, videos, and tutorials. Go ahead, take advantage of them!

Remember, an informed workforce is less likely to click that sketchy link or fall for a “too good to be true” phone call from “IT support.”

Building a strong security culture

If you can make security a part of your company’s DNA, you’re halfway to success in terms of aligning cyber strategy. This means not only training, but also embedding security into everyday actions and decisions.

  • Share success stories: when you stop a phishing attempt or detect a vulnerability before it becomes an issue, let the team know. It builds confidence and reinforces good practices.
  • Seems phishy: it’s not just the responsibility of the cyber security team to spot phishing attempts. Every employee should feel like they’re part of the defence team, and you should encourage people to report suspicious activity without fear of “getting it wrong.”
  • Reward good security behaviour: if someone reports a phishing attempt, give them a shout-out! People love recognition, and it reinforces the behaviour you want to see more of.

Aligning cyber strategy with business processes

If you think about your business, each department will have its own operating processes. This isn’t just about security; it’s the tribal knowledge that each department will have for “how things have always been done.”

Some key considerations are as follows:

    • How long is data – such as sales contracts and invoices for suppliers and customers – stored in your CRM for?
    • Do you have staff who have been in the business forever and have privileged access across your systems? If someone moves departments or joins or leaves – do they have the right security controls and system access?
    • If you think about your critical business systems, what processes do you have around those systems? Sales teams and accounts teams can typically have undocumented processes, so this is a key area to investigate, especially when it comes to sensitive data and your crown jewels.
    • Do you have any business assets that are unprotected or that need a security review? If you have recently undertaken a pen test on your critical systems, or a security assessment, did your people, policies and technologies align to spot that attack?
    • Is the money spent on cyber defence mapped against your business-critical assets or is it widespread and unconcentrated? With the sandwich factory analogy, have you pen-tested the website over protecting the factory boundary?

If you can answer the above, you’ve just created yourself a loose security strategy directly in line with your business-critical assets and your most likely adversaries. So now you have reviewed your business goals, your potential adversaries, your technology, people and processes, and once you have decided how you’ll be aligning cyber strategy, what’s next?

Now go forth, and conquer… the board.

Every board is different; however, understanding your board of directors and their goals is an important part of this framework.

Most boards care about three things.

        • Making money
        • Saving money
        • Mitigating risk

The level of importance across all three of these areas will be dependent on whether you work in a regulated or unregulated industry.

For example, a FinTech bank would want to emphasise its investment in security as a business differentiator and as a digital-first business.

The NHS is a heavily regulated industry which isn’t profit-making, and it would want to mitigate risks that could affect lives. However, budget availability is linked to patient safety and waiting lists, for example, and each trust has its own budget, so saving money would no doubt be a priority.

Hopefully, this mini blog series has helped you to be able to assess whether your people, processes and technology within cyber is working effectively, and being a help or a hindrance to the business goals and objectives.

If you have enjoyed the blog series and would like a copy of our Cyber ROI Checklist, drop me a message via the contact form.


This article is written by Rosie Anderson, Head of Strategic Solutions

Also known as our Magical Genie Person, Rosie helps businesses solve their cyber challenges. She is fascinated with the cyber security industry and believes in giving back. Rosie co-founded BSides Lancashire, brought back BSides Leeds, is the Head of Industry Mentoring at CAPSLOCK and hosts the Bee in Cyber podcast.

Favourite bands: Oasis and The Beatles. Dream job as a child: Lawyer. Favourite TV show to binge-watch: Diners, Drive-Ins and Dives. First meal after being stuck on a desert island: Full English Breakfast.