As part of our “security takes a village” focus, we are exploring how stakeholders other than a dedicated cybersecurity or IT team can help keep your organization secure. In this post, our Director of Operational Excellence, Jennifer Mitchell, offers a round-up of how Ops leaders (and their teams) can help secure your business.
As an operations leader (albeit one working for a cybersecurity company 😊), I’ve written on various security topics, from how Ops can help, and why Ops should help, to specific reasons Ops teams are well-suited to participating in the development and execution of your IR plan. So, given our focus on “Security Takes a Village” and new Cybersecurity regulations that require businesses to have an IR plan, and nominate a CISO, I thought it was a good time to write about just what the role of Operations is in securing your business. This is especially important in the SMB, where we often wear multiple hats. In this post I’ll cover the ways you can help secure your organization, both general and specific.
Addressing threats to your operation is a priority for Operations leaders - and should include cybersecurity threats. The risk of operational interruption, the presence of single points of failure, the cost of loss of IP / downtime / fines / ransom – if these risks “keep you up at night” then you need to be involved in mitigating them. Start by identifying whose responsibility cybersecurity is within the organization, and involve yourself in the conversation. Once there is awareness and alignment at the c-level, Ops can help by informing policies to improve your security. These can range from acceptable usage policies, to devices at work, to how third parties (and which of them) handle data.
Once the organizational direction is set, and clearly defined and communicated, there are a number of ways ops can help specifically – I covered them in greater detail last year in this post. At a high level they include creation of an IR plan, assembly and enablement of the IR team, conducting fire drills, and addressing budgetary and logistical considerations of those things (before a breach occurs). I’ve also addressed the perceived barriers to your involvement in another post – they simply don’t stand any longer. Plus, most of the time, you can expect your help to be well-received from an overburdened IT team, or from senior leaders who don’t have well-founded knowledge of cybersecurity.
Cybersecurity as one of your “Many Hats”
Lastly, I would just like to touch on one way you can help, specific to those of you who will be (and should be) involved in the decision to purchase cybersecurity solutions. We’ve touched before on the fact that people, process, and platform are all part of determining your security maturity – and as the Operations leader at a smaller organization, you may find yourself involved in decisions about each of them. A huge way that you can help is by taking your operations expertise in process, and applying it to your cybersecurity problem – of course, this depends on having people and technology. Many smaller organizations have IT teams that are limited in size, bandwidth, and specific cybersecurity expertise. Given the cybersecurity skills shortage (discussed by my colleague Alyssa) your involvement in decisions relating to security will likely be about how to outsource this responsibility. Whichever provider you opt to go with, a risk-sensitive leader with broad visibility into how your organization functions should be involved in the conversation. By asking questions about which risks a provider can mitigate for you, how they integrate with your existing processes and policies, and how they can help you create them if you haven’t, you start to see the differences between providers, and whether they can address your needs, or not.
In conclusion, there are many ways Operations can help secure your business, detailed in true-operations fashion in this list:
- Involve yourself at the highest level to help develop policies that impact security
- Help draft an Incident Response plan, so you are prepared when you do get hacked
- Help assemble and enable your IR team
- Participate in the logistical considerations of executing that plan
- Conduct fire drills so when an incident occurs it is not the first time the team is doing this
- Help manage the practical and budgetary considerations for such activities
- Participate in the assessment and determination of cybersecurity purchase decisions
Of course you can turn to us for help - it all starts with a conversation.