Mission, Culture, and Information Technology


Before you can develop an effective cybersecurity program, you need to understand where you are as a business and where you are headed in the future. Let's start with a few rather existential questions.

What’s the Point of It All?

For every business there is a vision, a mission, and one or more goals. This may seem trivial, but it is very important to put those goals down on paper. If it is your business, then hopefully you already know them. This will be our starting point.

A mission statement is your company's raison d'être. It's as existential as it gets. It tells the world why you exist. A vision statement, on the other hand, is more directional than it is existential. One says who you are and why; the other says where you are headed.

To help you picture the distinction, let’s look at some examples. TopNonProfits.com has collected the top vision and mission statements for several nonprofits. I have taken a few and paired them up to show the difference between mission (top) and vision (bottom) statements:

ASPCA

  • Mission: To provide effective means for the prevention of cruelty to animals throughout the United States.
  • Vision: That the United States is a humane community in which all animals are treated with respect and kindness.

Creative Commons

  • Mission: Creative Commons develops, supports, and stewards legal and technical infrastructure that maximizes digital creativity, sharing, and innovation.
  • Vision: Our vision is nothing less than realizing the full potential of the Internet—universal access to research and education, full participation in culture—to drive a new era of development, growth, and productivity.

Smithsonian

  • Mission: The increase and diffusion of knowledge.
  • Vision: Shaping the future by preserving our heritage, discovering new knowledge, and sharing our resources with the world.

Now, there are those who will argue that mission and vision statements are a waste of time. There is one goal, and one goal only: make money. The end. After all, as one executive director of a national nonprofit told me, "No money? No mission." I agree. There is truth to the "make money" imperative. But is it your, or your company's, true mission? Does it reflect your company's real vision? If so, it is what it is, so write it down!

From our perspective, this is the starting point for establishing what is of value to you. It will be vital later, when we establish the right level of protection for it: you cannot decide how much to spend defending something until you know how much it matters to the mission.

Culture and Strategy

With your mission and vision statements in hand, the next thing you need to understand is your company’s culture. To clarify, we’re talking about organizational, or corporate, culture. This is not about any ethnic or societal culture (although it may well be influenced by them). This is business. And as such, it has been studied within an inch of its life.

“Organizational culture represents the collective values, beliefs, and principles of organizational members and is a product of such factors as history, product, market, technology, strategy, type of employees, management style, and national culture; culture includes the organization’s vision, values, norms, systems, symbols, language, assumptions, beliefs, and habits.”
—David Needle, Business in Context: An Introduction to Business and Its Environment (2004)

There's a common bit of wisdom about business culture that is frequently misattributed to guru Peter Drucker: "Culture will eat strategy for lunch any day of the week," or some variant thereof. Although the true source of the idea is mysterious, the wisdom is real. In a fight between culture and strategy, culture always wins. Always. That's why you need to spend some time understanding your corporate culture. Without that understanding, your cybersecurity and risk strategies will fail.

Are you in an entrepreneurial “damn the torpedoes” culture or more a risk-averse environment? Are you in a highly regulated industry? Are you in the armed forces? Whatever the case, you’ll need to identify the culture and understand it.

There are some things that one culture will allow and another will not. For example, if you try to institute strict authentication and access controls in an entrepreneurial, no-risk-is-too-big environment, you are guaranteed to fail. The staff will not comply; they will bypass the controls, and you'll have a staff revolt on your hands. A control that people route around is worse than no control, because it leaves you believing you are protected when you are not. On the other hand, if you are too lax in an environment that expects safety through rigorous controls, you'll be dismissed as irresponsible and too dangerous to work with.

How do you determine culture? Let's say you just walked through the door on day one of your job at a new company, and you're somehow charged with reviewing cybersecurity risk and making a recommendation. You don't know anyone yet, and it will take some time for you to assimilate into your new company's culture. What can you do to determine the culture of your new home? Why, you ask, of course! It will take more than a few casual conversations, though. It will take a survey.

As luck would have it, Kim Cameron and Robert Quinn's Diagnosing and Changing Organizational Culture (third edition, 2011) contains their "Organizational Culture Assessment Instrument" (OCAI), a short but very useful survey that, when followed, will provide you with a cultural profile for your company. Their survey assesses a company across six dimensions:

  1. Organizational dominant characteristics;
  2. Organizational leadership;
  3. Employee management;
  4. Organizational glue;
  5. Strategic emphases; and
  6. Criteria of success.

Each dimension is scored across four alternatives, and the alternatives span a spectrum: personal versus controlling, nurturing versus results-minded, teamwork versus conformity, trusting versus policing, humanistic versus efficiency-first, and people-centric versus company success. Averaged across the six dimensions, the scores give you a profile of how strongly the company leans toward each of the instrument's four culture types (clan, adhocracy, market, and hierarchy). Don't skip this step; that profile is what tells you which controls your people will live with and which they will work around.

Off to See the Wizard

Save your cultural survey results; you will need them later. Now you are ready to talk with the people in the IT department. Why the jump to technology first? To be sure, there are many departments, profit centers, and so forth that you could focus on first, so why IT? Because cybersecurity and IT are inseparable. IT doesn't own cybersecurity (the organization does), but consider this: No information technology? No cybersecurity. It's simple. The word cyber by definition is about information technology. One cannot exist without the other.

What if there is no IT department in your company? Then you should talk with the vendor who’s responsible for supporting IT. What happens if there is no such vendor? Well, figure out if there is anyone charged with IT in the company and ask her.

Let’s cut to the chase: Companies come in all shapes and sizes. Some are totally virtual, whereas others are multinational behemoths. Even those we call virtual have tremendous variation in their use, adoption, and support of technology. You may be in a company in which all technology is provided as a service.

Alternatively, the company may be operating under a bring-your-own-device (BYOD) IT model, so you—the individual user—may be responsible for maintaining your own devices. On the opposite side of this spectrum are the IT “stormtroopers”: a humorless bunch walking about stomping on any electronic device they don’t recognize.

The majority of companies are somewhere in between these extremes. They have one or more people in their IT department, whether employees or vendor provided, and they maintain a hybrid set of technologies (on-premises, cloud, and a mix of company-provided and BYOD) and have some degree of control over what kind of software is running where and doing what. We'll talk about them, and we'll call them the IT department.

What happens with the fringe cases? You’ll still need the information; it’s just that the way you go about it will differ. In the virtual company case, you’ll determine who the vendors are, what services they provide, and so on. Think of them as your virtual IT department. In the stormtroopers case, bring your papers and make an appointment. Besides, if the stormtroopers are in the building, I’d hazard a guess that the company has a formal risk and audit function, and they’ll need to be included in all this as well.

No matter what, no matter who, this is an excellent opportunity for you to build a bridge with the IT department, irrespective of structure and delivery. In most cases, you’ll be welcomed. It isn’t often that non-IT professionals take an interest in what’s behind the black door and all those blinking lights. Connect with the IT leadership and get a good understanding of the role of technology in your company.

What Does Organizational IT Typically Look Like?

To begin with, IT in organizations is manifested in more than one way. Many different analysts and research firms have given the phenomenon different names. For example, Gartner Research coined the term bimodal IT to describe a basic, "keep the lights on and trains moving" version of IT that exists beside a "go wild, innovate, and experiment" version of IT.

Then there is shadow IT. That's the version of IT that springs up as a result of unanswered (or frustrated) user needs. For example, let's say corporate policy caps email attachments at 5 MB, and to get to the company's file-sharing server you have to jump through all sorts of hoops. The user, acting out of urgent need or defiance, opens a personal Dropbox account and shares the credential with colleagues and clients. Now company data lives in a service the company neither inventories nor controls, behind a shared password that nobody is responsible for rotating or revoking when someone leaves.

Each one of these modes will have its own cybersecurity considerations, with shadow IT being particularly tricky to support and secure, since you cannot protect what you do not know exists. The balance between the two modes also differs from business to business. For example, there are companies whose infrastructure (the stability part) is absolutely critical to operations. Think of a trading system. If the system goes down during trading hours, the company loses business, with potential losses in the millions. Alternatively, there are companies whose infrastructure is not as critical when compared with their ability to deliver an answer quickly. In this case, think software development. A firm could be running on a distributed infrastructure all over the world with little worry about any one component of it being unavailable, and yet it must be able to deliver a necessary fix to an application as fast as possible because, say, there may be lives depending on it, as in the case of a hospital management system.

Going back to your discovery needs, your IT team will be able to provide you with their specific assessment. They can identify their systems, their locations, what's critical, and what's not. They'll supply you with exciting documentation such as network diagrams, systems inventory, application inventory, and licensing documentation, and they'll cap it off with the disaster recovery and business continuity plans. Treat the inventories with some skepticism: ask when each was last updated and how it is maintained, because an inventory that is never reconciled against what is actually on the network is where shadow IT hides. Depending on the size of your organization, these assessments will fit in a neat little binder, or the mailroom will drop off a pallet. Either way, you'll be good to go.

The IT department will also give you their views of what's at risk, and when they do, take careful notes, especially on the intersection of technology and business operations. This will prove very useful as you move forward with asset valuation, business impact analysis, vulnerability assessment, and risk assessment.

So far you have gathered the following pieces of information: mission and vision statements; cultural assessment findings; and IT documentation and assessment. That means you now know a metric ton more about your business than you did when you began this work.

Armed with that understanding, you’re ready to contemplate the scary stuff: what does your company hold that is of value and who is going to come after it? Keep reading to learn more.
