

James Morgenstein
Apr 13, 2023

Investing in a Cybersecurity Program

A lack of management support for your organization’s cybersecurity program sends the message that cybersecurity is not a priority. Control requirements and recurring tasks are not likely to be completed in a timely fashion or may be dismissed entirely if they are not considered to be a priority for the organization. This introduces an unnecessary level of increased risk due to a lack of control management. Cross-functional management support, throughout the organization, is important for implementing and maintaining a successful cybersecurity program.

Why Invest in Cybersecurity?

Your cybersecurity program needs to be actively supported by management throughout your organization. This is not specific to IT management or cybersecurity team management. Managers within all departments and business units must be committed to the success of the cybersecurity program and offer support in their respective areas of responsibility.

Management commitment should be demonstrated by clear direction for the cybersecurity program. At a minimum, this includes the explicit assignment of tasks and acknowledgment of cybersecurity responsibilities. The establishment and continuous management of controls by personnel across the organization should be formally assigned, documented, and tracked.

There may not be a standard solution for all organizations, but an easy method to demonstrate management commitment to your cybersecurity program is to add a “cybersecurity topics” agenda item to existing meetings that are already scheduled to occur regularly. This should eliminate the need for every department to hold a separate standalone security meeting. Instead, use an existing meeting structure that is already in place to include any cybersecurity-related discussions, action items, and any feedback on the existing program.

Pro Tip:

Encourage all personnel to provide feedback on the cybersecurity program, including the prescribed controls. Some controls should be followed verbatim; often, however, there are opportunities to tailor controls to align with how specific departments operate within your organization.

Adding cybersecurity topics as a recorded agenda item to existing team or department meetings provides personnel with an opportunity to present feedback on policies, ideas for control improvements, and ideas for efficiency versus bureaucracy, and enables a broader “buy-in” for the cybersecurity program throughout your organization. These agendas, along with documented meeting minutes, provide excellent evidence of management support.

Finding Program Resources

Funding, technical talent, managerial talent, and tooling all contribute to the effectiveness of a cybersecurity program. Your organization should provide adequate funding to develop, implement, and maintain a successful program. The program should be staffed and supported by personnel who have skills and experience that are aligned with the organization’s size, complexity, and risk profile. Personnel who possess an in-depth knowledge of standards, practices, and methodologies are particularly important to the success of a cybersecurity program.

Cybersecurity program leadership should be responsible for ensuring a personnel development and improvement program is in place to maintain the knowledge, competence, and effectiveness of those responsible for the program. This will help to ensure that those supporting your efforts stay current on the latest trends, threats, and tools, as well as the capabilities of your organization. While this should include training and mentorship, it may also include reassigning current personnel into areas or roles that they are passionate about to support the overall success of your cybersecurity program.

Personnel development and improvement programs should include career paths to encourage personnel to advance in the field and assume roles with greater responsibility. Development and improvement programs are not a replacement for the cybersecurity awareness training program; rather, they complement that training program for appropriate personnel supporting your cybersecurity program. The development program should focus on institutionalizing the core cybersecurity capabilities of personnel that are necessary to protect your organization’s operations, assets, resiliency, and personnel.

Get more help with your cybersecurity program planning with our vCISO experts.


James Morgenstein

James provides technology leadership to Vistrada across technology service delivery, software, and infrastructure.
