Managing an initiative as business-critical as cybersecurity means IT and security leaders need to work closely with a range of stakeholders to agree on the security strategy and to give them confidence that it will be effective. When you move forward on a project without stakeholder confidence and commitment, the likelihood of success quickly dwindles. Even knowing this, it is still easy to make the wrong moves when dealing with stakeholders. Below are a few common mistakes and ways to avoid them:
Mistake 1: Not communicating with stakeholders enough. A frequent mistake when working on a security initiative is to drop off communication once buy-in is secured. It is crucial to maintain communication and keep everyone apprised of what’s working, what’s not and what’s next.
Solution: Select the right cadence for check-ins, perhaps monthly or quarterly, to meet with stakeholders and discuss how the strategy is working. Keeping them up to date on progress will give them more confidence in your team and in the decisions they have backed. Routine meetings also provide an opportunity to surface unvoiced concerns before they become problems.
Mistake 2: Standing by your strategy when it just isn’t working. There is often a fear among IT leaders that once they have approval, they must push forward on that path without looking back. Typically, a great deal of capital and resources will have been dedicated to a strategy that was agreed upon with all the appropriate parties. However, a plan is one thing and reality is another: chances are your strategy will have to change as you move forward to address new vulnerabilities, adversaries and technology.
Solution: Don’t be afraid of flagging something that isn’t working and needs more planning. Make sure to connect with stakeholders for feedback – this is your chance to lean on them. As you receive feedback, modify your strategy and move on. It’s never going to go exactly as you planned.
Mistake 3: Keeping employees in the dark. It’s been said time and time again: you’re only as strong as your weakest link. In security, the weakest link is usually the user. Our own research supports this, finding that 1% of users account for 75% of the security risk. Any successful cybersecurity initiative requires users to understand why it matters and which details affect their work, and to receive the training they need to do their part.
Solution: The best way to avoid user error is to open up communications with users and get them on board with your strategy. Hold education and training sessions before kickoff and throughout the project, and let users know what the organization is doing to minimize risk and to protect them and their data from inadvertent leakage and malicious attacks. Gather insights and measurements on which tools employees are actually using to get their work done, and modify your strategy so that it keeps them productive while keeping company assets secure.
Mistake 4: Using fear with the board. The board can be the most intimidating stakeholder to address, and security projects tend to herald costs – news no board likes to hear. Getting board members to not just understand the importance of security, but also to agree to dedicate company resources to it, can be a challenge – so much so that IT teams often lean on scare tactics to get the board to back their proposals. While underinvesting in security is a scary proposition, this method is typically not successful in securing long-term buy-in.
Solution: Talk about how cybersecurity will enable your business to succeed by focusing on the positive. It is fine to add color with a recent breach story, or to discuss potential breach costs, but don’t make that the focus of your presentation or the sole reason the board needs to invest in your project.
Mistake 5: Not failing fast enough. Let’s face it: some projects will fail, despite your best efforts. While the default reaction is to try and fix it, knowing when to cut losses early is immensely important.
Solution: Treat failure as a learning opportunity: a chance to debrief on what went wrong or didn’t quite work, and then refine your process. Make sure you and your stakeholders are aligned, and don’t be afraid to end the program, start over or modify the process. Don’t fall into escalation of commitment, sinking more resources into a failing effort at the expense of what’s best for the business and the security program.
Dealing with the various stakeholders – from employees to the board – is one of the most challenging aspects of security implementation, and one of the most crucial to its success. By avoiding these common traps you’ll dramatically increase the likelihood that your program will be a success.
You can read more about the business of cybersecurity at the RSA Conference blog, and please join us for RSA Conference Abu Dhabi, 15-16 November 2016. Register here: www.rsaconference.com/events/ad16/register