Understanding Cybersecurity Efforts as a Stakeholder


by Joseph Kirkpatrick

If you experience a breach, you can expect every department at your organization to be hit with the effects of the financial cost, loss of customer trust, and loss of potential new business.


Where cybersecurity efforts are concerned, not having stakeholder buy-in presents a new level of risk. Without stakeholders on board, there’s a chance that your organization’s information security plan will die before it’s ever launched – and that’s the last thing you want. So, how can your cybersecurity team communicate with you and other stakeholders about your organization’s information security efforts to get everyone on the same page?

Building Stakeholder Awareness and Knowledge

First, why is it even important for you to understand your organization’s cybersecurity efforts? Well, a breach won’t just affect your IT staff. The global average cost of a data breach is $3.86 million according to IBM and Ponemon’s 2020 Cost of a Data Breach Report. If you experience a breach, you can expect every department at your organization to be hit with the effects of the financial cost, loss of customer trust, and loss of potential new business.

Wouldn’t you rather allocate that $3.86 million to new innovation in your product development, further expansion of your workforce, and continued investment in the growth of your business? Protecting your organization from a breach takes effort from every individual in your organization, especially the stakeholders.

The potential cost of a data breach alone should motivate you to build your awareness of your organization’s current information security posture. You can start by engaging with annual employee security awareness training to learn security best practices and apply them in your daily work. Awareness of the tactics attackers use to cause breaches, and knowledge of what to watch out for, will help you understand the value that a thorough information security program brings.

Do you have to be a security expert to protect your data from being tampered with? No. You just need to have a general awareness and continue to educate yourself on potential security threats. You can do your part to protect your employee and client data.

Understanding Your Information Security Posture

As a stakeholder, you need to understand the cybersecurity efforts that are already in place, what’s working, and what responsibilities you have in those security plans. It’s not enough to just know your security team is “handling it.” Engage with the individuals at the forefront of your cybersecurity efforts to understand what your organization is lacking and where the security risks lie.

You can begin to understand the details of your information security posture by asking these eight fundamental questions:

  1. What measures are we implementing to protect our client and employee data?
  2. What plan do we have in place to mitigate third-party risk?
  3. Are we conducting annual information security and compliance audits to test our security posture?
  4. How often are we engaging in penetration testing to test our systems?
  5. Do we have disaster recovery and incident response plans? How often are they tested?
  6. What do you need from the stakeholders to implement quality security and privacy protection?
  7. What are our greatest cybersecurity risks and threats at the moment?
  8. Are our cybersecurity efforts documented and regularly updated for accuracy?

Of course, every organization’s cybersecurity needs will be different, but starting the conversation with your team is a great first step to ensuring stakeholders have a positive influence. Depending on the maturity of your security posture, you can adjust topics of conversation to more technical questions or even look to security experts to guide your understanding.

Communicating with Your Cybersecurity Team

Once you’ve started to grasp the reach of your organization’s cybersecurity efforts, you should commit to consistent communication with your cybersecurity team. You have a stake in the work they’re doing to protect your organization, which means you also have a responsibility to remain informed. Set a plan to meet at least quarterly, and expect reporting updates, presentation of security concerns, and back-and-forth communication with your cybersecurity team.

To gain insight into what’s working, what needs to be adjusted, and how you, as a stakeholder, can better position your organization for security health, progress needs to be documented. When you’re meeting with your cybersecurity team, what KPIs and metrics should you ask to view reports on?

  • Number of intrusion attempts and security incidents
  • Cost to detect, contain, and recover from each incident
  • Number of patches implemented and rate of patching
  • Mean time to detect (MTTD)
  • Mean time to contain (MTTC)
  • Compliance achievements
  • Number of recognized vulnerabilities
  • Cost of each incident

Tracking and reporting on these metrics will give you a more holistic understanding of your cybersecurity practices and provide guidance on the action stakeholders need to take to improve your security posture. Remember, it’s important for you, as a stakeholder, to provide input and feedback from a different perspective. When the cybersecurity team is discussing potential plans and developing a strategy for implementation, it’s necessary to bring in the perspective of a financial leader, C-level executive, or operational employee.

Alignment of business initiatives and cybersecurity efforts is key to the successful prevention of security incidents. Without alignment, you run the risk of misunderstood key initiatives and disruption between organizational teams. As a stakeholder, you have a unique opportunity to help lead your cybersecurity efforts effectively. Now’s the best time to start investing in your security posture!

Joseph Kirkpatrick is the President of Kirkpatrick Price.