There’s a changing dynamic in forward-thinking organizations around cyber resiliency. It’s no longer an “IT problem” and instead has spilled over the confines of the technology team. This is a good thing—especially for physical security, which hasn’t always been privy to C-level conversations about keeping data (and, in essence, the organization) safe unless it was against physical threats.
Recently, I sat down with cybersecurity leaders who serve(d) as technology leaders for organizations like 3GC Group, Relativity Space, Seattle Children’s Hospital, Innovate@UCLA, the Food & Drug Administration, the Internal Revenue Service, and NASA Jet Propulsion Laboratories. The commonality in the discussion around cyber resiliency was clear: to address resiliency, you must know the risks.
Here are some other takeaways from the discussion (and you can listen to the whole thing here):
It’s All Security
One trend in organizations now involves looking at security not as “physical” or “cyber” but as a holistic frame of reference. Within the organization, there is a shift in reporting structures. Traditionally, security has reported to facilities, finance, people, or legal departments; now it’s shifting toward reporting to the CTO, CISO, or CIO, building a true security organization.
Another emerging trend for larger organizations is the combination of physical and cyber leadership into a Chief Security Officer. In this scenario, the CSO sits at the leadership table and the focus is to break down the silos that naturally occur between the two departments.
However, it’s important to note that changing where someone reports doesn’t by itself create the collaboration that needs to happen between the two; it still takes a lot of hard work, no matter how the organization is structured. This includes regular meetings, shared goals, and conversations about risk (to name a few).
This collaborative shift is important for ensuring that the technology being implemented across the organization is visible, configured properly to keep the network safe, and able to meet the business's needs.
When businesses view resiliency as a business goal and operate within certain risk factors, the level of collaboration is elevated to include multiple stakeholders at varying titles all with the same goal of protecting logical and physical assets.
Culture also plays a significant role in whether organizations view security as a holistic practice or in separate silos. Companies with long-established silos will have a harder time viewing security as a whole. Change is dependent on the company culture and the sector. More established sectors, such as healthcare, might be less willing to change quickly than nimbler sectors, such as technology startups.
Know the Risk
Unsurprisingly, risk is a common denominator on both sides of the aisle. Whether you’re on a physical or cyber security team (or a combination of both), the center of the conversation should be around risk tolerance, assessment, and mitigation.
Security leaders must consider internal threats and external factors affecting the business. Creating a baseline becomes imperative for an organization to determine risk tolerance and how leaders think of risk from a business perspective. Much of addressing risk across an organization depends on its “risk appetite.”
There are many things security leaders can do to reduce risk to the organization, including simplifying business architecture and reducing complexity. If a company has acquired every available technology tool, leaders must ask themselves, “Can we protect all of that?” Prioritizing reduces risk.
As risk is examined, security leaders must avoid telling leadership that “we’ve mitigated risk” when risk is constantly changing. Instead, communicating how data, assets, and people are being protected, and building trust along the way, is the logical way to add value to the conversation. Communicating the most likely consequences of not protecting critical data while reiterating the organization's preparedness is one way security leaders—whether physical or cyber—can convey risk management strategy.
A way to communicate effectively with the C-suite or the board is to discuss reputational risk to the organization. This reiterates the need for robust protection without becoming too technical. For example, in a healthcare setting, a data breach can result in a damaged reputation. Similarly, a workplace violence incident or active shooter event damages reputation. If networked infusion pumps are compromised (75% of these can have cyber flaws, putting networks at risk of attack), reputation is impacted.
A direct line can be drawn from the threat of reputational risk to the viability of an organization.
In non-healthcare settings, such as manufacturing, resilience becomes critical to ensuring timely delivery of goods, and any disruption can impact the company’s profitability and bottom line. That’s where taking a holistic view of risk—while considering physical intrusion and detection, operational technology (OT) systems integration, and the ability to monitor all of these environments—becomes critical.
Form a Steering Committee
Having a single leader spearheading cyber resiliency efforts across an organization is not enough. Collaboration is key. One way to enhance collaboration is to assemble a steering committee made up of key stakeholders to discuss the progress of measuring and mitigating risks to the organization.
The risk factors will vary depending on whether a company considers data a revenue source or a more operational asset. What might work well is a shared responsibility among key players in the organization to keep it safe.
Each department of an organization has a role to play in protecting the business, and the more that’s communicated, the better the adoption of policies and processes that meet that goal.
Build a Strategic Roadmap
After an organization's risk tolerance is established, it needs to build a strategic roadmap, which is where decisions can be made about technology investments, costs, and prioritization.
Shifting the conversation will help create more collaboration and buy-in from the top down. To that end, “gloomy” messaging doesn’t work. Security leaders – whether physical or cyber – are never going to be able to get the organization 100% protected. Once leaders get all stakeholders to realize it’s not a matter of blocking everything, they can focus on limiting the risk and preparing the business to operate continuously despite a threat.
Investment in these efforts can occasionally be futile if there isn’t a clear path toward a strategic vision that addresses risk across the organization. A lot of money is wasted trying to get it right; funneling that investment into controlling the risks the company can control is key.