Cybersecurity and Organizational Change Management: Communication

December 11, 2015

Cybersecurity efforts to protect a business from internal/external cyber threats and safeguard critical information assets often focus only on the technology solutions, neglecting the cultural, interpersonal, social, and overall Organizational Change Management (OCM) challenges. When not taken into consideration, these non-technical elements can create unanticipated vulnerabilities that become tangible risks to the organization.

Developing and implementing a robust Cybersecurity Program is not solely an “IT project.” It is a multi-disciplinary and complex task that needs focus and attention at all levels of the enterprise. The security design (including policies, technologies, infrastructure, and processes) of an enterprise-wide cybersecurity program is not typically derived from a preexisting template. Instead, it requires research, analysis, input, and support from every aspect of an organization (e.g., Human Resources, Legal, Physical and Information Security, Information Technology, Leadership, etc.) in order to craft a solution that is customized for the risks and needs of the specific company.

One key element of the OCM activities associated with a cybersecurity program implementation is communication. The broad mix of stakeholders from all levels and functions throughout the enterprise makes this workstream especially challenging. Here are a few tips to help navigate what can sometimes be a daunting communication challenge:

  • Keep in mind that most of your stakeholders across the organization are not usually highly technical; you need to explain technical cybersecurity topics in a common-sense manner while trying to avoid IT, cyber, or solution-specific jargon.
  • The majority of stakeholders will want to take in the big picture rather than get bogged down in the details. So, frame your initial communications in broad concepts rather than detailed specifics.
  • Focus on the security benefit to the stakeholder and/or the impact that failing to act will have on the company, and explain the associated consequences.
  • Be clear with operational leadership that you depend upon their technical, business, and domain expertise, and that the implementation team will need a complete picture of the program from their perspective, including any risks or downsides.
  • Be patient with your IT Leadership, as they may want to be more involved than is really needed. They often see this as their domain. Remind them that technology is important and included, but not the main focus of overall cybersecurity.
  • Help provide business context in any communication to leadership. A manager might tend to only see their own local view of the business and not how the overall program might affect the business, personnel, budget, mission, goals, customers, and most importantly your company’s stock price.

From an individual employee, or people, perspective, the focus of a Cybersecurity Program should be on “Privacy” not “Security.” Individuals care about their personal privacy, and a threat to this will drive a sense of urgency. Also, people understand privacy technology and methods to protect themselves, and can more easily relate to this construct at the business level.

The cyber landscape is becoming more creative, attacks are increasingly destructive and costly, the technology employed is becoming more sophisticated, and there is a double-digit rise in data breaches compounding year over year. Research shows that over half of incidents involving the leakage of data can be associated with a company insider. Organizations need to implement or improve a growing set of new and evolving proactive information protection methods within enterprise-wide cybersecurity programs in order to provide the due diligence required to mitigate litigation, reduce liability, and control risk.

Businesses today must operate in a complex world that is filled with cyber danger, and cybersecurity is difficult. People are even “attacking” you. There are threats, hackers, intruders, outbreaks, breaches, assaults, and other intimidating factors. Companies must take advantage of every opportunity to reduce cyber risk. A solid Cybersecurity Program involves more than just technical solutions. There are also policies, protocols, and processes to be implemented and followed. A cybersecurity program leverages awareness and training, communication, marketing, business knowledge and expertise, Leadership commitment, and Organizational Change Management, along with the support of technical solutions, to develop and support a cybersecurity culture across the organization.
