How CIOs and other IT leaders can successfully guide their teams into a security-first IT strategy and earn stakeholder buy-in.
Cybersecurity threats are not just becoming increasingly frequent and sophisticated– they remain a top financial concern for businesses, regardless of region or industry.
It is now on the shoulders of IT leaders to navigate the technical security landscape and build agile teams that can dynamically respond to new threats. In addition, because of the financial implications of downtime and breaches, these leaders must also be able to abstract the business value of security in order to influence company-wide priorities.
I sat down with Ron Sinopoli, CIO of McHugh Construction, to discuss how CIOs and other IT leaders can effectively drive and advocate for a security-first posture within their organizations. Sinopoli has been the CIO of McHugh for the past year, and he has already led the company through an entire upheaval of its IT strategy in order to uplevel security measures as a strategic priority for the business.
Here’s an inside look at the three major stages Sinopoli led his organization through when shifting to a security-first posture.
Stage 1. The Security Event Post-Mortem: Conducting an Honest Analysis
“After all, a good offense really is the best defense.”
In the case that any sort of security event occurs, IT teams should first seek to contain it, and should then conduct a thorough incident analysis to pinpoint vulnerabilities that were exploited and identify all systems that were affected.
Though these steps may seem obvious, the long-term positive outcomes of the event may be less so. An honest analysis of a security event can expose the weak points in a system but can also highlight the context in which the event occurred and prompt a more rigorous interrogation of existing security measures.
For example, McHugh’s IT team was aware of the need to evolve their security strategy, but conflicting priorities and lack of resources often pushed this goal to the backburner. It wasn’t until Sinopoli and his team were confronted with an event that security became a top of mind concern for his team.
“We knew we had to strengthen our approach to security, but something else always got in the way. We weren’t as on top of our data replication and disaster recovery plan as we should have been, so that event helped bring those issues to the surface and necessitated a more urgent response.”
In Sinopoli’s case, a deep dive into his team’s existing security architecture revealed a need for reevaluating their SLAs, improving their RPOs, and minimizing manual processes, as well as prompted a holistic reprioritization of security’s role in the company’s IT framework.
Stage 2: Reconstructing Your Security Strategy
“More isn’t always better. Better is better.”
Once Sinopoli’s team had diagnosed the weak points in their security framework and identified opportunities for improvement, they rewrote their IT strategy around a security-first posture; that is, they prioritized proactive approaches to security. A few key aspects of shifting to a proactive security strategy include:
- Availability: Improving visibility into all data and assets, as well as ensuring that data is clean and easily accessible for the users who need it.
- Training: Implementing employee training programs, often bringing in third-party speakers and consultants to provide additional perspective.
- Internal Communication: Communicating regularly and openly with employees about what processes are changing, and what the anticipated timeline looks like for those new processes to take effect, in order to mitigate productivity loss.
- Testing: Planning regular risk management meetings that address real-life examples of various types of security breaches and take employees through simulation exercises.
Additionally, Sinopoli’s team found that evaluating new tools that were able to take the company where they wanted to go was an essential step in this process.
“Whatever improvements we made had to fit within our staffing plan,” explains Sinopoli. “We had to figure out an efficient solution that wouldn’t place undue burden on the team, so we started looking at new technologies that could help us.”
However, the foray into the security marketplace is nothing short of overwhelming. When Sinopoli’s team initially began evaluating new technologies, they were confounded by the variety of options.
“There are so many tools that offer about 75% of the same service, and then have another 25% that they do far better than anyone else,” Sinopoli mentioned when reflecting on his team’s tool evaluation process. The challenge, then, was identifying the tools with the 25% superior capabilities.
Ultimately, much of the 25% difference in the tools his team evaluated was related to the anticipated longevity of the technology. Although his team considered several solutions that could have served their immediate needs, a small percentage of those solutions appeared to be able to keep pace with the company’s vision and to continue to serve their needs in the long term.
Effective change management requires IT leaders not just to onboard new processes and guide their teams through smooth transitions, but also to make choices based on where they want to be– not just where they are today. In this way, leaders can help their teams maintain the stability they will need in order to track towards their big picture goals.
Stage 3: Securing Executive Buy-In
“Moving an aircraft carrier 180 degrees just isn’t the easiest thing to do, and if you don’t have everybody together and on board with the change, you’re never going to accomplish it.”
Formulating a new strategy is only half the battle. Once Sinopoli and his team developed a security-first strategy and identified the new tools and processes that would help them reach their goals, the next step was getting buy-in from stakeholders.
“A silver lining to the current environment is that open and honest dialogue centered around we don’t want this to happen to us, right? is occurring more frequently and at the C Suite level. If approached appropriately, these conversations can provide the appropriate atmosphere and opportunity to foster buy in and discuss funding needs.”
Securing executive buy-in for an investment in security is, understandably, much easier to do after experiencing a security event within your company or hearing about one on the news.
The real challenge, however, is maintaining that executive buy-in even as the buzz starts to wane.
In order to ensure that security remained a consistent priority for his company, Sinopoli promoted security as a business value-add, not just as a technical concern. When communicating with C-suite executives or board members, he recommends addressing three main focus areas:
- Industry-specific Attacks: By honing in on an industry’s most common types of attacks and providing real-life statistics and examples of events at similar companies, IT leaders can more aptly capture the attention of stakeholders who may downplay the likelihood of experiencing an event themselves.
- Company Reputation: With security crises plastered all over the news, trust is everything. A company’s reputation is one of its most valuable assets, and a security-first posture gives customers the confidence that their data will be well protected, and that the company is a reliable partner. In turn, this sense of trust can yield a healthy, stable, and loyal customer base– which makes all the difference in a competitive business landscape.
- Business Continuity: A security-first approach means IT organizations are well-equipped to respond to a security event if (or when) it happens, without significantly disrupting the team’s operations. However, if security is addressed as an afterthought, teams are forced to scramble for ad-hoc solutions. Not only do these sorts of ‘fire drills’ become time-consuming and frustrating, but they distract teams from their long-term goals. Downtime can also affect functions beyond IT by preventing other organizations from working, thereby affecting the company’s overall productivity.
By tying one’s security strategy back to the business impact, IT leaders can enable stakeholders to understand the importance of investing time and resources into a security-first posture and can maintain executive buy-in even when the potential of a security event may not feel particularly tangible.
As a whole, IT leaders ought to think of their security strategy as a reflection of their business’s vision, their team’s priorities, and their company’s culture. For Sinopoli and the McHugh team, the shift to a security-first posture was essential to maintain their identity as a reliable, adaptable, and forward-thinking organization.