Cybersecurity is an incredibly complex topic. Even the most brilliant minds will not understand much of it unless they spend a lot of time learning about it. Executives do not have that luxury and must depend on their mid- to lower-level managers. Yet those managers are often not in a position of power to effect change. In other cases, those managers may resist doing the right thing because it causes them extra effort, or because the requirements are difficult to implement. Leaders need a way of understanding where they stand with respect to risk so that they can decide where they want to invest and improve their data security practice.
When conflicts occur between Infrastructure, Development, DevOps, and Security teams, how do they get resolved? It all starts with having a good system for tracking KPIs (Key Performance Indicators).
KPIs play a critical role because they let the executive see the issues regardless of what department managers have to say. Keeping KPIs accurate and up to date is a challenge. In many cases these KPIs are built in Excel, where they can be easily modified and misconstrued. System-generated data is usually a better approach, because the numbers come straight from the systems being measured rather than from a spreadsheet someone maintains by hand.
The executive's role is first to decide how big a role security needs to play in their business. How critical is it? The needs can be drastically different depending on the type of business. For example, an oil change franchise will have very different needs from a hospital group. The executive needs to understand their appetite for risk.
After understanding the tolerance for risk, the executive should build a culture that is appropriate for the level of risk they are willing to tolerate. Why is culture important? Culture plays a critical role. Take the earlier example in this article, where departments disagree on how to address a particular issue. If you have a culture with an extremely low tolerance for risk, that culture will help govern the conflict: even though fixing the issue might cost a lot and require work from one of the teams, you may still want to do it. On the other hand, the opposite may be true if cybersecurity is not one of the organization's prioritized goals.
In the case where security is a priority, executives should require the management team to build a security program with KPIs. These KPIs should be reviewed by executive leadership and the management teams on a routine basis. This allows your program to improve and grow over time.
As mentioned before, when producing these KPIs there are many ways to fudge the numbers and make your progress look better or worse than it really is. Therefore, it can be valuable to have a third party come in and audit that process. When it comes to security, department managers tend not to agree with one another. This is also where a third party can help to set a level playing field.