It's a typical story—you are the lone IT Director or Administrator and your organization has constricted its budget. Your users all have local administrative privileges, plug in random USB drives, use unapproved cloud storage sites like personal Dropbox, and download malware on a regular basis. You have trouble with explaining cyber-risks to your board of directors and your recommendations are shot down by your leadership because:
1. The tools that you need are expensive.
2. You need more people, but the budget does not include additional people.
3. Your leadership thinks that cybersecurity means antivirus and a firewall.
You persistently plead for your leadership to recognize the fact that you have PCI, HIPAA, DFARS, or other compliance requirements. However, your words are taken with a grain of salt because you are seen as a technical resource, not a business leader. You become frustrated and have accepted to just “go with the flow”. Your organization is out of compliance, at high risk for a ransomware disaster, and you are looking for a new job on a weekly basis. Your resume is always up to date; but you stay…
Why? You stay because you hope to change the culture. You know that if you leave, the organization will likely fail because you have been holding the thin red line for quite some time and attackers are knocking on the door of the organization. Your loyalty is unseen and unappreciated, yet you continue to fight for the organization. You know that your daily work is the only thing that separates a horrible cyber-attack from the organization. Hundreds of jobs are counting on your actions. However, all of this remains unseen to your leadership.
Sound familiar?
This is unfortunately a common scenario among many IT professionals within small to medium businesses.
· What should you do?
· How do you change this?
· Should you leave or stay?
· What is your next move?
If you want to get the attention of your organization, you need to shift your approach from technology land to the business arena. This means that you need to relate cybersecurity to money and risk. You must learn to speak the language of business leaders to shift the mindset. This is no simple task and takes persistence, patience, and preparation.
1. Identify the compliance aspects of the business. Whether this is PCI, HIPAA, DFARS, NYS-DFS, CCPA, GDPR, ISO, or other regulatory compliance foundations; you must clearly identify these requirements and map them to your business. Check the penalties of non-compliance. You would be surprised how quickly businesses shift their mindset when you tell them they could be fined up to $2 million dollars for non-compliance or their contracts could be revoked. This seems to work wonders.
2. Advocate for a second opinion: Propose that an external cybersecurity consulting company comes in to perform a risk assessment, penetration test, or compliance assessment. Often times, your leaders need your words to be echoed by an external 3rd party. Sometimes, this is the catalyst that grows your budget and gains the attention of your leaders.
3. Tell a story: Find a news story about a business like yours that has suffered a data breach. Trust me, you can find one. Once you find a comparable organization that has made mistakes and led to grave consequences, this catches the attention of leaders and may be the catalyst for small and incremental changes.
4. Come up with a plan: Failing to plan is planning to fail. Choose a security framework and come up with an action plan. When business leaders recognize that you have created a plan that is predicated on a trusted set of security standards, you are simply reinforcing the message of best-practices. Since these standards are industry-recognized, your leadership knows that you are not “shooting from the hip”.
5. Find a new organization to work for: Unfortunately, there are situations that warrant a quick resume polish and getting in touch with a job recruiter. I am not advocating that people quit their jobs in the face of adversity but if you have gone through the troubles above to no avail, then guess who is getting the axe when the organization gets breached? You! If the organization does not understand or respect cybersecurity in the first place, a data breach is likely going to fall on you and it is exponentially more difficult to land a job when you have been terminated in the wake of a data breach.
Raising awareness in organizations can start with some simple, yet strategic steps. We must understand that cybersecurity is not the main focus of organizations, unless you work for a cybersecurity company. The business comes first, and your business leaders are not likely to be technologists that understand the nuanced requirements of cybersecurity or compliance. It is your job to lead them to the light, keep them secure, and continue to change the culture.