This article is the last in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
What is your organizational approach?
Cybersecurity organizational approaches and designs vary with many factors influencing the shape, size, and location of the function. And like any other organizational model, there may not be a single answer, and it should never be laid in concrete, unable to evolve with the organization’s needs.
Large multinational enterprises will have very different organizational requirements than you might expect to see in a small-to-medium sized business — if for no other reason than the complexities of managing a business at that scale. The realities of affordability will always play a large role in how many resources you can apply to your cybersecurity function, how you organize them, and the level of talent or experience those resources have.
There are, however, some basic elements of your organizational approach that would be constant regardless of size or funding realities. My assumption is that you will likely already have these core elements in place, including such things as monitoring/alerting, forensics, programs (e.g., education, awareness), and reporting. You might be doing all these things with a small team or several dozen people, depending on how large a company you work for. You might have the need for a CISO (and can afford one) or it’s one person with a keyboard and a book of common prayer.
Due to various organizational dynamics or political influences, it’s hard to say where in your company the cybersecurity function should reside. I would say, however, that regardless of placement, the cybersecurity function must have very tight alignment with both the IT and Corporate Security organizations on many levels, and operate with a high degree of collaboration, trust, and chemistry.
Because every company will think about organizational design differently and face different cost realities, I can’t offer guidance on how to best structure or size your team. But I can provide some insights in terms of things to consider when making design choices:
- Integrated or stand-alone. If the cybersecurity team is part of the IT organization, it is imperative to ensure you don’t dilute duties to the point where the person with the responsibility is spread too thin, making them ineffective — especially in the more time-sensitive roles.
The person(s) responsible for monitoring have to remain focused through the course of the day to ensure they’re attentive to alerts and can react to them at the appropriate speed. If they also have several other responsibilities, you run an increased risk that something will be missed that could come back to hurt you.
- Clear roles, responsibilities, and accountabilities. Having role clarity is important for any job within an organization. But the line where certain cybersecurity responsibilities begin and end can be blurred and lead to confusion. For example, your data network team responsible for router or firewall configurations has a large part to play in maintaining your defenses. Are those employees able to make independent or unilateral decisions about firewall configurations, or must they seek out guidance from others outside the network team?
Who is responsible for the functional requirements for your web application firewall? Are those requirements the responsibility of your network team, your cybersecurity team, or both? And is it clear that having the responsibility for requirements also means having the accountability to get them right?
While this sort of ownership question can be resolved through organizational design, it can just as easily be resolved by simply having clear roles and responsibilities defined regardless of structure.
Regardless of where ownership resides, the reality of blurred lines can lead to issues. Like many other things related to organizational dynamics, it will come down to how people collaborate with one another, and the personalities involved. But one thing is for certain — without role and ownership clarity, which is the simplest thing you can do, you will have teaming issues when it comes to your cybersecurity direction.
Why is that? The lens through which a cybersecurity professional looks when making decisions or setting policies will be very different from that of others who are not directly impacted. As you would expect, cybersecurity professionals are by definition paid to be paranoid and so they tend to lean towards more controls and heavier mitigations.
However, there will be others who may not have the same appreciation or believe in the need for more controls. The balance between these two things to find the place where your cybersecurity posture is both effective and not overly intrusive is difficult. Help your team and yourself by ensuring everyone is clear on what their role is, and who is responsible and accountable for things.
- Manage it or have it managed. In some cases, you may not be able to afford the resources necessary to own and manage certain parts of your cybersecurity function. For example, you might have a requirement to monitor your network 24/7, but you might not be able to afford the number of staff necessary to do so. In this case, a managed service approach would provide the coverage you need at a cost that is more affordable, because you benefit from the economies of scale that your provider can offer.
- Hire them or develop them. There continues to be a critical shortage of cybersecurity skills available in the labour market. In fact, it’s ranked among the top skill shortages in IT today.
The ability to find the right skills and hire quickly will continue to be a challenge for IT management for the foreseeable future. You will need to think about your recruitment strategies very carefully in order to attract and retain talent. Depending on your market, this will add additional risk to your cybersecurity program. In markets with smaller populations where the pool of available and qualified candidates is limited, you could face long lead times in hiring, and may be forced to reach outside your geography in order to attract the right talent.
As you would expect, this shortage is also driving up salaries for qualified candidates and putting additional pressure on your salary budget. You will need to make smart choices working with your HR department on recruiting and retention strategies that may stretch the boundaries of your internal job level and salary structures.
Therefore, you should also be thinking about additional staffing strategies beyond what you might normally do. In this case, you may need to think about hiring entry-level roles and investing in them or selecting higher-performing employees within your own organization who have the intellectual capacity, motivation, and interest to move into a cybersecurity role.
But be warned — whether you hire into entry-level jobs and develop those people or you move and develop employees from within your organization, you must have a strong retention strategy to keep them. It’s a hot market, and people with any real cybersecurity experience will be targets for other organizations who are hiring and facing the same challenges.
Put It All Together And Own It
The one thing I would leave with you is that you must feel a sense of ownership of cybersecurity, and do so without fear. I have to believe — or perhaps want to — that at this point in time, where cybersecurity events are as common as the flu, leaders and decision-makers recognize this is the new norm for modern-day business in the connected world.
The digital world can be as dangerous as it is wonderful. It is leveraged in countless ways to enhance our lives, connect our worlds, and enable and power economies. And yes, it’s also a place where bad things happen. The sad reality is that these two worlds co-exist in the ether, and I don’t believe anyone knows of a way to practically separate them — if they say they do, I’m not sure I could believe them.
But what we can do is manage the reality of this by simply accepting the fact that while you can’t control what might happen to your organization, you can very much control and diminish the likelihood and the impact of a cyber event when it does happen.