If you’re building or optimizing an agile team, focus on three things: Balancing teams, handling failures, and opening up communications.
Cybersecurity isn't an IT problem, it's a business problem
The emergence of the CISO is a relatively recent phenomenon at many companies. Their success often relies upon educating the business from the ground up. In the process, companies become a lot better about how to handle security and certainly learn how not to handle it.
As a CIO, knowing the pulse of security is critical. I oversee a monthly technology steering committee that all the executives attend. The CISO reports during this meeting on the state of the security program. He also does an excellent job of putting risk metrics out there, color coded by red, yellow, and green. This kind of color grading allows us to focus attention on where we are and what we’re doing about it.
If you share a dashboard with executives regularly, they will become used to seeing it and accustomed to a conversation about current security realities. More importantly, what we have done — and this is all credit to our CISO — is to start a quarterly cybersecurity committee. This is a board-level committee, so everything reported in this meeting goes to the board as well. A cybersecurity council can allow for much more of a strategic discussion: “Here are the things we’re doing. Here’s the direction of the program. Here are some things that we’re looking to implement in the future.” It’s also an opportunity to talk about how the things that you’re going to do from a security standpoint might impact the business or benefit the business over the next months or quarters.
As I’ve said before, security isn’t an IT problem; it’s a business problem. That’s why it’s important to share articles and examples of how disruptive an attack can be to business. Now we’re more likely to hear an executive or board member say, “I saw this on the front page of The Wall Street Journal. How would this kind of exploit impact us?” And we have those kinds of conversations. So awareness is much higher.
The reality is, it’s often the publicity of other companies going through cybersecurity struggles that will help executives at your enterprise see that it could be you just as easily as it was them. They will start to ask a lot more questions because they want to know what is being done to protect them from something like that happening. Having the answers always puts IT and the CISO in a much stronger position.