Posted by As a cybersecurity leader, it’s your responsibility to develop, establish, and implement a cybersecurity strategy, taking into account the departmental budget, priorities, headcount, tools, security threats and risks, and the goals of the company as a whole. It’s a daunting task but a necessary one to ensure that your company is properly secured.
Unfortunately, the best cybersecurity strategy won’t mean much if you face internal objections. Getting the corporate buy-in of your strategy isn’t often prioritised but it’s absolutely necessary in order to effectively follow through on your strategy. Cyber risk is now organisational risk and if your c-suite isn’t on board, you’ll have minimal budget, resources, and headcount to help you.
Cybersecurity starts from within and requires its own approach and strategy in order to build a strong security culture. Here’s your guide on getting corporate alignment for your cybersecurity strategy.
Start with the C-suite
When it comes to getting the entire organization on board with your cybersecurity strategy, policy, and processes, a top-down approach is best. By getting heads of departments to become your advocates, they can help enforce and promote policies needed to properly secure your organization.
For example, vendor visibility and shadow IT are common challenges for IT and security departments who are trying to get a full picture of their tech and vendor landscape. In addition to tools, processes and policies are required to implement company-wide to keep you aware of any new third parties or SaaS apps added to your company’s environment.
Without any departmental advocate, you’ll likely have to rely on single individuals who have little incentive to follow your proposed process. However, if you have buy-in from the head of the department, the entire department is likely to be aligned.
Having heads of departments who positively engage with you is also necessary if and when a security compromise occurs. Part of your cybersecurity strategy should include incident response and having executive alignment involves educating and aligning stakeholders so they know their role in facilitating communications and actions if their department is impacted. Getting alignment early on can lead to a faster response, better communications, and an improved remediation strategy in case of a security compromise.
Focus on risk and incentives
Understanding how to communicate with your organisation and get them on board with your cybersecurity strategy requires a mix of soft skills, understanding, and psychology. You’ll have to strike a balance between being practical, and fear-based, highlighting what’s at risk, while also playing to the incentives individuals or partners care about.
There’s an abundance of risk you can point to when trying to communicate what’s at stake. This includes the risk of someone losing their job, being the responsible party for an incident, losing critical or sensitive data, costing the company money, embarrassing themselves, their reputation, or the company
being fined or investigated due to compliance or regulatory issues, and incurring litigation on behalf of customers or others who were impacted.
And the list goes on. Depending on who you’re trying to get aligned with, you can consider discussing these issues from a risk perspective or an incentive perspective.
For example, rather than considering a lack of cybersecurity as being a compliance risk, you can position adopting cybersecurity as achieving and promoting compliance. With a legal department, this may be enough of an argument for them to collaborate with you. With finance, communicating risk to revenue or the business impact of an attack might be necessary to get them to understand why you need a budget for a larger team or a key partner.
Knowing how to speak to departments differently can improve the chances that they’re bought into your strategy.
Develop your strategy with the right order of operations
Getting the c-suite and even the board to sign off on your cybersecurity strategy requires a lot of due diligence and assessments. You’ll need to be prepared for a lot of questions and potential objections but a good way to ensure you’re ready is to be comprehensive with your strategy and consider the following order.
Your strategy – This is all-encompassing but as part of your strategy development, you’ll need to be able to answer what your goals are, how you’ll get there (including processes and policies), and how this works alongside company-wide goals, especially as it grows and changes.
Corporate buy-in – Once your strategy is ready, get corporate buy-in as soon as possible. This will help you get the resources needed and streamline internal processes for quicker movement.
Talent – What you want your department to look like should be established before bringing in new tools and technology. This priority needs to be communicated to stakeholders who may want to opt for tools that cost a fraction of a single hire. However, a team is needed to maximize the use of new technology, otherwise, you may be stuck with a bunch of tools you can’t make effective use of.
Tools and technology – Once you know what your team will look like, you can properly assess what tools will amplify and complement their efforts. Remember that you’re trying to save your team time and automate tasks rather than adding responsibilities. This will help your team be more effective even as your organization grows.
It’s important to develop this in the order stated, otherwise, you’ll compromise the effectiveness of your strategy and cybersecurity. Not getting corporate buy-in sooner will slow down any approvals and decision-making and if you focus on talent strategy last, you’ll likely have a smaller team that’s much less efficient.
Cybersecurity requires holistic internal and external strategy
Designing and carrying out a cybersecurity strategy is hard enough. There are so many external pressures and considerations to be aware of but the challenge gets worse if you’re facing internal pushback on getting the right team, effective solutions, and policies enforced.
Prioritising corporate buy-in should be one of your first priorities in order to streamline cybersecurity efforts moving forward. Building a culture of security throughout the organisation allows cybersecurity to be a key pillar that’s considered in future roadmaps and as part of organisational goals.
(This article is written by Zakir Hussain Rangwala, CEO of BD Software Distribution Pvt. Ltd. The views expressed in this article are of the author.)