

Cybersecurity teamwork: C-suite roles CIOs should befriend

To strengthen organizational cybersecurity, CIOs must work closely with other leaders. Learn why it's important to loop in the CEO, CFO and chief human resources officer.

Having worked in IT for the past three decades, I'm certain of one thing: Most business success relies on the quality of your relationships with other people -- even when it comes to strong information security.

If you're a CIO who doesn't have allies to help you with your security initiatives, those initiatives are much more likely to fail. Successful enterprise security depends on cybersecurity teamwork among IT admins, security managers and anyone else involved with making things happen in the realm of data security.

Without credibility and the necessary political and financial backing, security projects can be pushed aside or nixed altogether. Some will fail after a few months, while others will be withdrawn a year or two after implementation. A security project rarely fails due to a lack of technical abilities on the part of the CIO and staff members. And a lack of success often has little to do with budget. The critical factor is knowing how to discuss security and build relationships during short-term projects that will follow you throughout your career.

A focus on cybersecurity teamwork

Security success depends in part on knowing who to seek out for help. Some of those relationships are obvious.

You might already have a good relationship with your CISO. Hopefully, that's the case since both the CIO and CISO roles are essential for building an effective security program. The CTO and chief risk officer (CRO) are also critical to security success, thanks to the technical, legal and compliance understanding the two positions bring to the table.

3 CIO partners for strong cybersecurity success

Looking beyond the obvious relationships that help lower risk, you may wonder who else you should partner with to help strengthen security in your business. Based on relationship dynamics I often hear about and the well-run security programs I've seen, you should build relationships with the following three people you may be overlooking in your quest to improve security: the CEO, the chief HR officer (CHRO) and the CFO.

The CEO as chief cybersecurity partner

Partnering with your CEO is essential if you want to use technology to strengthen security and drive the business forward. As part of that relationship, you need to work with the CEO to answer the following questions.

  • How can you and your CEO make security work for the betterment of the business?
  • How can you use security as a competitive advantage through new or improved products and services?
  • How can your CEO best evangelize what you're both trying to accomplish?

People listen when the CEO speaks. Having the top leader's ear is the best means for establishing a security culture and avoiding roadblocks since a CEO is the pivotal figure in getting and keeping everyone on board with worthy security ideals.

Unless and until your CEO has your back, you will likely hit roadblocks in improving organizational security.

The CHRO to help build a security-focused culture

The CHRO is pivotal in preventing cyberattacks and in shaping security culture. And yet, the CIO-CHRO relationship is another potentially overlooked relationship that is critical to improving security.

As the chief people officer, the head of HR is focused on the best ways to manage, oversee and train people, all critical elements of strong organizational security. Given the widespread move to balance in-office and remote work, keeping the human aspects of hybrid work security top of mind is critical.

HR professionals are the best at sharing ideas on how to communicate and educate employees. They often do so in ways that IT professionals wouldn't think of.

Work with HR to improve cybersecurity communications and messaging to employees. Learn what type of communications, and at what frequency, best enable employees to understand and follow secure practices.

The CFO to help fund cybersecurity

Although money isn't everything, it ranks right up there with oxygen in terms of getting things done. A good CFO can initiate positive changes when they understand your security needs. Some questions to help foster that understanding include the following:

  • How can you work with your CFO in terms of risk mitigation?
  • What budget allocations best improve security?
  • What budget allocations help all departments get what they need from IT and security efforts?

In my experience, CFOs help to push security initiatives forward more than any other executive.

A natural information security committee

Many organizations still don't have a security committee that involves not just people outside of IT, but also those in executive roles who can help get things done. Let your relationships with other executives evolve into a security committee if you don't have one.

Have an open mind. Many IT professionals fear that involving people outside of IT will taint the security program, but I've seen just the opposite. Nontechnical business professionals can offer a different perspective on how to help with security because they aren't involved with the day-to-day technical complexities most CIOs must navigate. Letting the big security decisions come from a committee provides the benefit of not having that burden lie largely on your shoulders.

Cybersecurity teamwork requires communication

Practically everything in the business relates to security. Everything you do -- or don't do -- counts. Security success requires strong partnerships with people outside of IT.

Put yourself out there. Be a good communicator. Collaborate and get outside advice. Go out of your way to do these folks favors when you can. It will all come back to help you in your security efforts.

In a world where most people still must work to justify cybersecurity funding and planning, this partnership strategy is solid and will pay great dividends over the long haul.

About the author

Kevin Beaver, CISSP, is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic. Author of the best-selling book Hacking For Dummies, he specializes in vulnerability and penetration testing, security program reviews and virtual CISO consulting work.
