This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason speaks about the importance of making security a shared responsibility.
When team members challenge a process, identify inefficiencies or provide uncomfortable feedback, they are often told, “Stay in your lane.” What’s the goal of this response? Does it mean “Mind your business”? “We don’t value your input”? Or maybe it’s “We simply don’t want your help.”
Because of the technology-centric history of cyber security and the complex threat landscape we see today, cyber-risk strategies have been completely ineffective. This is because of our tendency to force the topic only into the technology “lane.” While cyber security can be intimidating, if your strategy is to take a hands-off approach and fully delegate the responsibility to your technologists, your organization is destined to fail miserably.
Complex business problems, such as managing and mitigating cyber-risk, require collaboration. Effective collaboration requires trust, candor, and the willingness to share information, for better insight, teamwork, and problem-solving. Therefore, confining our teams to a lane only promotes division and noncollaborative behavior.
According to the World Economic Forum’s 2022 Global Risk Report, cyber security disruptions are expected to be one of the most critical threats to the global economy that the world will confront in the next two years. The increased frequency and magnitude of data breaches and cyberattacks have triggered reactions from all over the world, calling for business leaders to position cyber security at the top of strategic business priorities.
By not fostering a culture of shared responsibility, you limit your team’s ability to engage in effective cyber-resilience strategies. It stifles the critical collaboration needed to identify and manage risks that may exist on the financial, process, human capital and cultural sides of the business.
Every organization must also prioritize and balance the risk, rewards and costs associated with cyber security, because no one can afford to do it all.
Risks are inevitable, but the appetite the organization has for those risks is a decision your technical teams cannot make in a silo. By sharing the responsibility, strategic risk mitigation can take into account overall business goals and competing priorities.
And for that to work, overall responsibility for cyber security must fall to the organization’s leadership team. They must be the strategic decision-makers on the risks and what trade-offs the organization can make.
The stakes make cyber security a business-management and business-risk issue, not simply a technology initiative.
I have witnessed engaged finance and human resources teams thwart cyberattacks by proactively identifying fraudulent activities, insider threats and malicious activities. These acts saved their organizations hundreds of thousands of dollars in losses.
Did you know that 57% of chief financial officers report their organization has been hit by a ransomware attack, but only 12% are actively involved in determining risk and how to protect their organization from cyberthreats?
CFOs and senior finance executives should be called upon to help defend against cyber-risk. They can help mold the organizational risk appetite and cyber security investment strategy. Finance and accounting can be leveraged to help build a risk-based approach to cyber security.
Human resource leaders’ involvement is also essential, especially as legal and regulatory pressures mount and as technology and data become pervasive in the workforce. When we recognize the importance of a strong organizational cyber security culture, HR teams can lead the training and development initiative on safeguarding data and the secure use of corporate devices and technology.
Executive leaders therefore must create an environment where it’s OK to safely change lanes, in support of identifying cyber-risk and building a more resilient business.
Once we get more comfortable sharing cyber responsibility, we’ll see greater success combating cybercriminals and the attacks that are becoming more and more commonplace.