I will be the first to admit it – we use technology to combat cyber threats…
Right now, you are asking “doesn’t everybody? What other than technology would I use to stop attempts to compromise my data and intellectual property?”
We at IntelliGO have been suggesting, like many others, that platform (i.e. technology) is only one of the three P's of your cybersecurity strategy. The other two are people and process.
I hope that leaves our operations readers on familiar ground! After all, you have made your careers on process improvement and surrounded yourselves with people who can adhere to, identify risks of, and further improve upon those processes.
Cybersecurity discussions too often are limited to the dedicated cybersecurity team (if your organization is large enough to even have one), and they invariably report to the IT department. This is by design; IT manages the technology you have invested in, and cybersecurity technology is no different… right?
Cybersecurity technology differs from Information Technology in (at least) one critical way: while IT’s purpose is to enable positive business outcomes, the purpose of Cybersecurity technology is to reduce risk.
Again, I hope my fellow operations folks are starting to nod their heads.
We Think Differently
I am sure that I’m not the only Ops person to have heard a technical person bemoan the constraints of a particular tool as the barrier to achieving a given business outcome. I’m as certain that I’m not the first to have positioned a process change as the answer in that situation. This is not a failing of IT people – this is a difference in how people in different roles think about solving problems. We need the detail-oriented minds of IT folks to think about how systems interconnect, and what features of a given tool will enable them to do their jobs. We have this in abundance when it comes to cybersecurity (I know from all the MDR projects I’ve lead while at IntelliGO). What businesses don’t have, is sufficient representation of risk-conscious Ops personnel in cybersecurity decisions... and I think that for the betterment of companies large and small, that needs to change.
There is actually a time where senior leaders (and, yes, operations leaders are amongst them) do care about cybersecurity technology. And, hopefully, by extension, the people and processes that are requisite for those technologies to be effective.
Do you know when that time is?
Right after your organization has been hacked.
This is a call for Operations folks to involve yourselves in the conversation before it’s about damage control.
Edit 9/26/18: To find out how to overcome barriers to doing so, check out my next post.