Famous Last Words of Cybersecurity Management
June 7, 2016 by Bill Rosenthal

We have reached the point that businesses are paying attention to cybersecurity, which is a good thing. All over the country, organizations are promulgating policies, conducting training programs, hiring security consultants, and buying security products. In other words, we are seeing good security management. But you have probably already heard this quotation from the late great Peter Drucker: “Management is doing things right; leadership is doing the right things.”

As Drucker implied, there is more to success than great execution. If you want to protect your organization’s data (and you should!), then you need to do more than manage security. You need to lead the security effort. Here, then, are some of the famous last words of cybersecurity management.

1. “We’re covered. We’ve bought a security product.” Security is not simply a new software product, and if you treat it that way, it’s not going to work effectively for you. The best security product in the world is ineffective in the hands of users who don’t understand the risks and their role in reducing them. Security is a way of business life, and it may represent a departure for your organization. You must prepare all employees to understand their roles and responsibilities in this new way of life. 

2. “Security is not my job.” If any employees in your organization have no awareness of risks and vulnerabilities, or worse, do not believe security is their responsibility, then you have some cultural change ahead. Organizational leadership must send the message (and keep sending it) that security is important, that failure to follow security guidelines will have consequences, and that good security practices will be rewarded.

3. “We’re safe now. I’m glad that’s done.” Security software and policies help with the “how,” but you need to give some real thought to the “what.” This is not a set-it-and-forget-it situation. Crime is constantly evolving, so you need to 1) be ruthlessly honest about finding your organization’s vulnerabilities and 2) study attempts made against your security (e.g., intrusions revealed in your network logs) to discern patterns. 

4. “Let the security staff take care of this.” If your security policies and system don’t have the support of the organization’s leadership, they are doomed. As noted in item one, this isn’t just a rollout; it is change management. The leaders need to be on the front lines.

The first step to avoiding famous last words is to learn just how well your employees understand the risks and vulnerabilities. Our CyberSAFE Readiness Test is a 15-question test designed to determine how well employees recognize and avoid cyber threats. When we rolled out the test, fewer than 10% of participants passed. (For more information about the CyberSAFE Readiness Test and to receive access to the test at no charge, please contact us at +1.800.889.8350.)

And if you happen to be in upstate New York next week, check out the Upstate New York Regional Cybersecurity Forum at RIT. Logical Operations is hosting this free event, and it takes place from 9 a.m. to 11 a.m. on Tuesday, June 14, 2016 at Rochester Institute of Technology on the 2nd floor of the SLA Building. Registrants will have the opportunity to participate in an “Ask the Experts” panel that will include representatives from the U.S. Secret Service, RIT’s B. Thomas Golisano College of Computing and Information Sciences, and more. This page has a link for registering.