by Dr. Dawn Dunkerley

Does your organization know what “right” looks like for your cyber security? In 2003 J.M. Anderson wrote that the metric of cyber security success for a company is often thought to be “nothing bad has happened” … however, how can you be sure about that? Even the most battle-hardened CIO and CISO know that it’s hard to ever be 100% sure that nothing bad has happened; better to plan and exercise for the worst. A better definition of success, then, is “a well-informed sense of assurance that… risks and controls are in balance”, meaning that you’re spending the right amount to mitigate risk, but not more. Notice that it doesn’t require that “nothing bad happen”, only that if something does happen, the cost of the event falls within an expected range. It is similar to an individual buying an insurance policy with a deductible that can be absorbed should an accident occur. In order to achieve this measure of success, an organization must innately know its risks and the costs of a loss – both financial and less tangible, like lost productivity – in order to mitigate them. What’s a leader to do?

In his excellent book, Start with Why, Simon Sinek argues that when people know WHY something is a core value of an organization, they are more likely to support and align with that value. This is true in sales, but arguably even more so when trying to gain support for organizational initiatives that might be irritating to undertake or that impede productivity – as some cyber security tools and procedures can be. By aligning your workforce around why certain practices should be implemented – think multi-factor authentication to reduce the phishing attacks that have been plaguing your business – they are more likely to understand the direct link from their personal behaviors to your cyber security success.

After your organization understands why risk must be reduced, it is important to develop Key Performance Indicators (KPIs) that show your performance. A properly wired organization will not only have KPIs defined that encompass people, processes, and technology, but will also communicate those KPIs across the organization to ensure that everyone understands how their individual KPIs contribute to success. Finally, these must be an important C-suite decision-making tool; what’s the good of measuring things if nobody’s looking and acting? Reward your people for their role in your success, and hold them accountable if they fall short.

Recommended reading/viewing:

Anderson, J.M. (2003). Why we need a new definition of information security. Computers & Security, 22(4), 308.