How IT and Business Leaders Can Communicate to Enhance Security

IT leaders may not be on the same page as non-IT leaders when it comes to cybersecurity. This is according to “The Cybersecurity Insight Report” by CDW, which found that 62 percent of those who work in non-IT positions are extremely confident in technology resources to mitigate risks over the next six months.

Meanwhile, people working in IT are less confident, with just 34 percent saying they are extremely confident in technology resources to mitigate risks over the next year, and an even lower number (30 percent) reporting that they are confident their organizations have the resources and staff in place to stave off cyberattacks.

Cybersecurity Becomes a Business Priority

For too long, organizations have operated under the premise that cybersecurity is an IT problem rather than an overall business issue says Mordecai Rosen, general manager of security at software company CA Technologies, a company that has made a conscious effort to improve its security posture and culture.

“While this notion of simply passing cybersecurity headaches off to IT departments may have held up in the past, it’s currently at odds with our digitized world, one that is especially vulnerable to cyber-risks now more than ever,” he says. “This lack of understanding and these knowledge gaps among the entire business lead to a lack of responsibility and vigilance from employees when it comes to cybersecurity, which can have devastating consequences, such as major data leaks.”

Rosen says cyber-risks demand the attention of every company employee, and many are beginning to take notice.

Brad Arkin, chief security officer at Adobe, agrees. “More and more, we’re seeing senior leaders proactively ask about cybersecurity and compliance, and they want to learn more about how to address security,” he says.

The main difference, Arkin says, is that IT leaders understand security at a technical level and non-IT leaders understand security from a business risk management level.

“Each perspective is needed to implement a successful cybersecurity strategy, so the key is communicating and collaborating on priorities and challenges on both sides,” he says.

For its part, Adobe has released its Common Controls Framework system, which helps to streamline dozens of industry regulations and standards into an easy-to-understand format. Arkin says the tool has been valuable for jump-starting cybersecurity conversations with senior leadership.

“Compliance is incredibly important to customers, stakeholders and regulators, and the CCF has helped leadership clearly understand and communicate the company’s compliance strategy and success without getting bogged down in overly technical language,” Arkin says.

Businesswide Security Mindset Can Align Leaders

Businesses can bridge the gap between how IT and non-IT leaders view cybersecurity by integrating cyberprotection into all aspects of the organization, Rosen says.

“Ensuring a businesswide mindset when it comes to dealing with cybersecurity not only allows organizations to identify potential risks, but also to find solutions that protect customer data, intellectual property and the company’s bottom line,” he says.

One company seeking to make security a companywide effort is Chicago-based software company Relativity. Amanda Fennell, chief security officer at Relativity, suggests that cybersecurity professionals establish comprehensive security awareness programs that can contribute to closing education gaps in their organizations. She also advises IT leaders to convey the importance of cybersecurity in terms that are understandable, including legal and financial implications.

IT Should Keep Business Leaders in the Loop

In addition to keeping an eye on compliance, Arkin says that IT leaders should inform company leadership about the current risk environment and what teams are doing to defend against attacks.

“Regular meetings can help leadership stay in lockstep on strategy,” he says. “Conversations should focus on perceived risks across various aspects of the company, security incidents that may have occurred, security investments and priorities or inquiries heard from customers.”

These conversations should be in layman’s terms, he says. “Cybersecurity has to be woven into an organization’s DNA,” Rosen says. He suggests providing regular cybertraining and user assessment and sharing access and authentication risk across an organization’s key partners.

“At the end of the day, companies must strive to create a culture in which cybersecurity is viewed as the responsibility of every person in their organization,” he says.