Listen to our podcast episode with Michael Argast, co-founder and CEO of Kobalt, as he discusses with CPABC's security engineer, Anthony Green, some cybersecurity best practices any organization can implement with relatively low budgets and resources, as well as how to gain organizational-wide support. Part of our Coffee Chats with CPABC podcast series.
While the importance of cybersecurity has never been more evident than it is now, given our heightened need and usage of digital communications, many organizations are getting left behind. While some businesses may think they lack the expertise, resources, or people power to implement strong cybersecurity measures, some things can be done at relatively low labour or capital costs when setting a cybersecurity foundation in the workplace.
Regardless of size and budget, here are some things you can do to improve or establish cybersecurity initiatives.
Using organization-risk management programs to prioritize security risks
Initiating an organization-wide risk management program can be daunting, but it’s recommended for all businesses. The first step is to build a risk register for your businesses. A risk register helps you assess the risks to your business based on probability and impact, using what’s known as a risk registry.
A risk registry looks at the probability of different risks occurring in a given year and then what the impact would be to your business should it suffer from this risk. A risk registry measures the impact on your business’ annual revenue, so it’s relative to you, and not just an absolute number.
By plotting risks on a grid, you can then prioritize your time, energy, and resources on risks that are more likely to occur and those that could have serious financial impacts to your business, while focusing less attention towards the lower-probability, lower-stake risks.
Using security squads to inform an organization’s roadmap and prioritization
One of the biggest mistakes that people classically make is they think security is only an IT problem, and they don’t think about organization-wide security. To see how cybersecurity risks might affect your organization from a wider perspective, and to ensure cybersecurity needs receive due attention, consider forming a security squad that consists of staff across various parts of your business.
The security squad can be made up of staff from IT, HR, finance, and from the executive level like a CEO. By diversifying the members of your security squad, you’ll get a cross-section of the organization, which will help identify how cybersecurity risks can impact operations in different areas.
Having a cross-functional security squad can also be instrumental in helping you drive a security initiative, as you’ll have the support from the team. For example, if you’re rolling out an awareness training, you’d already have the support of HR. If you’re trying to get a budget to acquire a new technology or control, you’d already have the support of finance.
Building cybersecurity on limited resources
If your organization is too small to have someone dedicated to security, then you can identify a prime, or someone that is designated as an internal resource to be the one most focused on security. In some cases, the prime’s cybersecurity duties may still be done off-the-side of their desk.
With the prime, one of the first tasks should be finding an external cybersecurity expert to work with, so that your business can get proper security measures in place. Afterwards, the prime can teach the rest of the team what they’ve learned about security. The team can then help push this information and resulting initiatives through the rest of the organization.
Having the prime apply some external expertise to an organization’s cybersecurity needs can have a positive impact, and may suffice until there’s a point in time when more resources can be invested.
Embedding cybersecurity into organizational culture
There are two key points to consider when you embed cybersecurity into your organizational culture. One of them is making sure that security is owned by the people at the top of the organization.
Let’s say you want to roll out a security compliance program so that you can sell your products or services to your customers. If you’re an executive talking about the importance of the compliance program and why it’s necessary to grow the business, then your staff will be much more likely to come onboard, than if the directive were to come from a non-executive. Therefore, it is important to get buy-in and support from your top-level executives to get everyone focused on the things that they need to do to keep the company secure.
The second key point is to align security with the values of your business. Find and highlight to your staff, the interconnections between your corporate values and the importance of cybersecurity to your organization. For example, if one of your corporate values is taking care of your customers, you’ll need to make a connection between this value and the security and privacy of customer data.
Start from the top and connect with your values. These two strategies can help you build a positive security culture that your staff can relate to and they will ultimately see the relevance in rolling out new security initiatives.
Michael Argast is co-founder and CEO of Kobalt, a cybersecurity company that assesses, develops, and runs cybersecurity programs for small and medium-sized organizations.