Last week, I wrote about why operations leaders needed to involve themselves in the cybersecurity decision. Since then, I’ve received feedback from my peers in Ops that went something like this: “Great post and all, but what about <this problem>?” So, I spent some time thinking about the barriers. I counter with viable solutions that senior leadership, Ops, and IT should keep in mind when prioritizing initiatives that involve business risk.
With the why in mind, here’s the how. I’ve detailed the top four barriers and how to overcome them below.
Barrier #1: Cyber Threats require a technological solution, so IT should determine/manage it
Counter: It’s 2018! Most solutions involve technology – that doesn’t mean Ops isn’t involved
Many of the business problems we face today have a technological solution. To suggest IT needs to own all such decisions is over-simplistic. At the risk of being reductionistic, cybersecurity solutions are just a tool to help you do your job. If your job is to reduce risk, you shouldn’t be excluded from the decision just because the inner workings of the tool are opaque to you. If you understand the outcomes the tool delivers, and their benefit to your business, you are both qualified and obligated to participate.
Furthermore, threats are no longer targeting just IT systems. Sophisticated attacks increasingly leverage social engineering, physical infiltration of buildings (be cautious next time you let that “pizza guy” in!) and other things that fall outside the realm of IT.
Barrier #2: IT has always made cybersecurity decisions unilaterally
Counter: Just because it always was, doesn’t mean it always will/should be
This is a pet peeve of mine, because I have heard “we’ve always done it like this” in countless situations.
Our reason for action should be apparent and rational; “it’s always been that way” doesn’t hold. The implications of cyber threats affect the entire business. 20 years ago, this may have been an exclusively IT problem – but now threats are so prevalent and their potential cost so high that it can be the end of your entire business.
Just as threats evolve, our approach to mitigating the risk must evolve. There are so many parts to this solution beyond the technology you are using: communicating best practices, password management, creating new processes, user education/training, etc. Are these considerations just for the IT team?
A collaborative approach is going to offer you the best of both worlds.
Barrier #3: Cybersecurity is too complicated
Counter: Just translate “cyber threats” to “risk” (a language Ops speaks fluently)
Cybersecurity has always been shrouded in a veil of mystery that the uninitiated have a hard time getting beyond. Yet, Ops has long been involved in complicated IT solutions… so, why is cybersecurity any different? IT solutions usually have a clear end-of-job; cybersecurity is an ongoing problem because threats are always changing. To address that, a tenet of cybersecurity has long been “layers” of security. These layers (redundancy by design) increase complexity since they need to protect each technology in a company’s network (more things to understand). Finally, the nature of cybersecurity solutions isn’t quite aligned to ordinary Ops undertakings. Ops’ solutions are put in place to make things happen, whereas cybersecurity solutions are to ensure they don’t.
The fallacy is that the operations leader needs to know the technical details of how the solution works. In reality, all you need to know is what the risk is and how this solution will mitigate it. Being able to translate cybersecurity jargon into operations jargon (something that you and other senior leaders are more familiar with) is critical, and engaging IT can help. Cybersecurity is, at its core, a risk management solution. Once you understand this, your dialog with an SME becomes much more meaningful, enabling you to prioritize risks and mitigate them one by one.
Stop worrying about how the tools work, and start asking “what can they do for me?”
Barrier #4: There is always a higher priority for Ops
Counter: Until there isn’t…
The reason that this perception exists is the tangibility of other operational problems relative to cybersecurity risk. Somebody always needs a new laptop, process, or project – when does my business need a cybersecurity solution? The consequences of allowing cybersecurity risk to go unchecked are intangible and understandably lose out to the immediate priority.
And, let’s be honest, Ops people live and die by our KPIs, which deal almost exclusively with tangible metrics, whereas your ongoing cybersecurity risk (or success!) is not easily qualified by metrics… or at least, you’re not capturing them right now. Maybe you haven’t engaged the right provider yet? 😊
It’s only after a breach that it becomes real, and Ops is left to orchestrate the cleanup. By prioritizing cybersecurity initiatives, Ops will be able to get involved sooner – before it’s about damage control.
Having leapt the barriers that my fellow operations leaders put forward to me (and a few that the IT folks added in 😊) I’m confident in reiterating my call to operations professionals in leadership positions: you are uniquely qualified to drive cybersecurity conversations in a way that enables risk-reduction for the business while helping to ensure that your team is not stuck ‘picking up the pieces’ after a breach. The collaborative/supportive nature of this proposal should win support in IT too. Ultimately, when it comes to cybersecurity, Ops should be IT’s biggest champion for proactive action.