Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
Cybersecurity is everyone’s business; protecting the company and its users against data leaks is no longer just the responsibility of IT and security operations. Everyone from the board to Firstline Workers has an important role to play. A culture that encourages individuals to believe they have a part in defending the company against malicious behavior requires that each person is aware of the day-to-day risks and knows how their actions and choices can mitigate, or increase, those risks. This is why we will be writing a new series of blog posts for senior security experts and executives called the “CISO series” to help further discussions from within the organization to the boardroom to the customer and help establish that security culture and mindset.
If you are like many of your peers, one of the initiatives that you’ve put in place to create a culture where everyone in your organization takes security seriously is a required, annual security training for all employees. And, hopefully, it seems to be working. Feedback from security training indicates that employees have a better understanding of their role in cybersecurity. Even more important, many of your users have begun to take steps to improve their security posture, such as by reporting suspicious emails rather than clicking the links.
There’s just one problem. Today, one of your security operations managers brings to your attention a report showing that the sales division consistently gets low scores on the training. The sales team promotes your business products throughout the world—in Asia, Europe, North America, and South America—often accessing company data from overseas via unsecured wireless. If anyone needs to ace this training, it’s this team. You’re tempted to get on the phone immediately and provide the VP of Sales a litany of scary statistics that prove how critical this training is. But, fortunately, you stop yourself. If you have any hope of increasing compliance, you need this manager engaged in the solution and on your side. What’s more, if you handle the discussion properly, the VP of Sales could give you insights to help you craft a program that his team will embrace more enthusiastically.
If you have any hope of turning the VP of Sales into an advocate you need to frame security “in the language of the business” by “quantifying business impacts.” You’ve heard this before, but what does it mean in practice? What if we start with an even more basic truth: The most important thing to remember about the VP of Sales is that he/she is a human being. And so is everyone on the team. In other words, tried and true communication strategies that have been proven to work outside of cybersecurity also work with humans who happen to be business managers.
Take a look at the following communication strategies and see how they can be customized for your conversation with your own VP of Sales:
Creating a culture where everyone takes accountability for defending the enterprise against cybercrime will require that we get everyone engaged from the board and C-Suite executive to business managers and Firstline Workers. As you embark on this effort, keep in mind that how you say it is as important as what you say. You can create a path to success if you understand the motivations and goals of the business, and if you don’t forget one core truth: We’re all human. Please stay tuned for our next blog in this series where I will give you tips for engaging your C-Suite executive team in the cybersecurity conversation. In the meantime, learn more at our CISO series page.