Have you identified any best practices for communicating the value of a heightened security function?

1.5k views, 12 Comments
CIO in Telecommunication, 2 years ago
Communicating the value of security is a big struggle. The problem is that the downside is just so huge. We give security great importance in my current environment, but it's hard to quantify financially. 

As CISO, I can't allow security to not work. It's not an option. If your goal is to be 99% secure, that 1% will do you in every time. On a daily basis I receive information from multiple sources that detail the extent of cybersecurity issues worldwide, including who has been compromised by whom, and using what attack vectors, etc. It is an unbelievably large problem. 

That being said, among the bigger incidents that I've seen reported, for every one that I could find details on, I'd argue some level of negligence was the reason they had these issues. They didn't have someone acting as the CISO, so no one was ultimately responsible for their IT security. Or they didn't have system maintenance programs in place, so their systems were left exposed because they were way behind on patches and upgrades. Or they didn't have good backups, so they couldn't restore lost data. I could keep going, but you get my point. Every single one had these glaringly obvious exposures. If you understand the job and the role, you just can't let anything go. You have to be on it all the time.

I think the best practice in communicating the value of IT security is to be transparent with the business and its leadership — transparent on the depth and breadth of the threat posed to your industry and your business; transparent on your own organization’s readiness; transparent on what is needed to mitigate the threat.
Director of IT in Software, 2 years ago
IMO, security is a function that should be counted on everywhere; it's not an optional thing, it's a mandatory thing to have anywhere in an organization.

Depending on the context, there would be different ways to communicate the value of the security aspects. If that's about application security, probably we can start looking at https://owasp.org/www-project-top-ten/
SVP - Software Engineering in Finance (non-banking), 2 years ago
Not sure it's necessarily best practice, but telling people about the risks of cybersecurity and ransomware through real-life big company examples is effective, because no one wants their IP or customer data out there, or wants malware to wreak havoc in their organization.
Senior Director, Information Technology in Services (non-Government), 2 years ago
Transparency is essential, and specific communication should be tailored to the situation. If you are justifying a stricter password policy, explain why more complex passwords help. If you are telling people about a planned phishing simulation, give statistics about email breaches and how the simulation lowers risk.
Director in Healthcare and Biotech, 2 years ago
In Healthcare I can tell you that communicating and conveying the need for security and security policy is omnipresent. I find "Best Practice" lacking, but it has a place within any grey areas. People understand security protocol, but can easily lack good judgment when dealing with new technologies or unfamiliar environments.