(Editor’s note: This is the second installment of a monthly column on the growing number of cyberthreats facing businesses of all sizes and what they can do about it. You can read the first installment here.)
When team members challenge a process, identify inefficiencies or provide uncomfortable feedback, many times they’re told to, “Stay in your lane.” What’s the goal of this response? Does it mean, “Mind your business”? “We don’t value your input”? or maybe it’s that, “We simply don’t want your help.”
Because of the technology-centric history of cybersecurity and the complex threat landscape we see today, cyber-risk strategies have been completely ineffective. This is because of our tendency to force the topic only into the technology “lane.” While cybersecurity can be intimidating, if your strategy is to take a hands-off approach and fully delegate the responsibility to your technologists, your organization is destined to fail miserably.
Complex business problems, such as managing and mitigating cyber-risk, require collaboration. Effective collaboration requires trust, candor and the willingness to share information, for better insight, teamwork and problem-solving. Therefore, confining our teams to a lane only promotes division and noncollaborative behavior.
Based on the World Economic Forum’s 2022 Global Risk Report, cybersecurity disruptions are expected to be one of the most critical threats to the global economy that the world will confront in the next two years. The increased frequency and magnitude of data breaches and cyberattacks has triggered reactions from all over the world, calling for business leaders to position cybersecurity at the top of strategic business priorities.
By not fostering a culture of shared responsibility, you limit your team’s ability to engage in effective cyber-resilience strategies. It stifles the critical collaboration needed to identify and manage risks that may exist on the financial, process, human capital and cultural sides of the business.
Every organization must also prioritize and balance the risk, reward and costs associated with cybersecurity, because no one can afford to do it all.
Risks are inevitable, but the appetite the organization has for those risks is a decision your technical teams cannot make in a silo. By sharing the responsibility, strategic risk mitigation can take into account overall business goals and competing priorities.
And for that to work, overall responsibility for cybersecurity must fall to the organization’s leadership team. They must be the strategic decision-makers on the risks and what trade-offs the organization can make.
The stakes make cybersecurity a business-management and business-risk issue, not simply a technology initiative.
I have witnessed engaged finance and human resources teams thwart cyberattacks, by proactively identifying fraudulent activities, insider threats and malicious activities. These acts saved their organizations hundreds of thousands of dollars in losses.
Did you know that 57% of chief financial officers report their organization has been hit by a ransomware attack, but only 12% are actively involved in determining risk and how to protect their organization from cyberthreats?
CFOs and senior finance executives should be called upon to help defend against cyber-risk. They can help mold the organizational risk appetite and cybersecurity investment strategy. Finance and accounting can be leveraged to help build a risk-based approach to cybersecurity.
Human resource leaders’ involvement is also essential, especially as legal and regulatory pressures mount and as technology and data become pervasive in the workforce. When we recognize the importance of a strong organizational cybersecurity culture, HR teams can lead the training and development initiative on safeguarding data and the secure use of corporate devices and technology.
Executive leaders therefore must create an environment where it’s OK to safely change lanes, in support of identifying cyber-risk and building a more-resilient business.
Once we get more comfortable sharing cyber responsibility, we’ll see greater success combating cybercriminals and the attacks that are becoming more and more commonplace.
Next month: We’ll discuss how to know if you’ve taken reasonable steps to prevent a system breach.
(Jason Albuquerque is chief operating officer of Pawtucket-based Envision Technology Advisors LLC. You can reach him through www.envisionsuccess.net.)
