A step-by-step guide to answer: “Are we secured?”
“Are we secured?” is a loaded question often asked by senior management. We don't believe in answering this question with “yes” or “no”. No organization or government can say that it is 100% “secured”. Long gone is the time when most Cybersecurity professionals would have answered “yes”. Today, it is about resiliency and how fast your business will bounce back on its feet from a cyber incident with limited to no business impact.
Step 1: Be prepared
This question is a great opportunity for awareness and for immediate or future funding. Do not fear it! Ideally, be prepared for it.
Step 2: Review your Cybersecurity practices
Review your Cybersecurity practices and your program's state of maturity against industry standards, and ensure your program is relevant to your organization's industry, business goals, mission, and strategy.
Step 3: Identify your business risks
Identify business risks due to the absence of Cybersecurity controls in business services and your cybersecurity program itself. Articulate them in clear and simple business language. Prioritize and aggregate them where appropriate.
Step 4: Be transparent and collaborative
No organization is perfect and risk free! In fact, all organizations accept some degree of risk. In business, it is about risk/reward practices. Be transparent! Clearly and openly explain where your organization stands. Ensure no one in your organization will be blindsided by your information. Maybe a pre-meeting is necessary.
Step 5: Know your audience
Understand your audience's interests (e.g. specific area of the business, specific concerns, etc.) and avoid going into technical details and losing your audience.
Step 6: Frame the conversation
State your Cybersecurity responsibilities (e.g. scope, mission) unless your audience is familiar with them.
Step 7: Be concise and clear
Prepare a concise and clear 10- to 15-minute executive presentation. Provide a high-level overview of what the Cybersecurity program is about. Identify the top 5 business risks and how they are being managed.
Step 8: Define your journey
Cybersecurity is a journey: as the business and threats change, so do Cybersecurity practices. Establishing strong risk management practices and following cybersecurity best practices relevant to your organization are key to your business resiliency.
Step 9: Pitch it
Develop an elevator pitch and be ready for 2-minute hallway conversations. Always ask for a follow-up meeting, as “Are we secured?” is a complex question.
Step 10: Set up a meeting
Set up a 20- to 30-minute meeting to answer. You may answer at first, “That’s a great question. Let me set up a 30-minute meeting to go over our Cybersecurity practices and how we manage business risks.”
In conclusion, answer “Are we secured?” with information about your organization’s business risks and Cybersecurity practices. Establish confidence in your organization's ability to manage Cyber crimes and ensure your business resiliency.
Stay tuned for more Cybersecurity tips.