Gartner analysts spoke at the Gartner Security and Risk Management Summit about the importance of having a strategy for buy-in from the board of directors. Finding ways to protect a business from digital risks is important, but it also must be pitched effectively to company management who are responsible for authorising the plan.
Talk to the leaders
Instead of aiming for “one hundred percent protection,” the goal should be resilience and a plan that manages risk and minimises damage in the event of a successful cyber-attack. In addition to quickly detecting attacks, the response needs to be as fast as possible.
What an IT manager can do is identify the top IT-related risks that threaten the business. These are the pitfalls that corporate decision makers will want to know about, so they do not necessarily have to be the same risks as the ones that affect IT.
Policies and processes that equally protect the business while keeping it running efficiently are important. That is why the IT team needs to talk to business leaders while they are creating the plan, since this could act as a trial run of the plan before it is presented to the board.
Identify the threats
Business leaders are likely to react to the list of threats in one of three ways: “We never thought of that,” “We worry about something else that is not on your list,” or “Your list has items we do not care about.” Any of these answers can be helpful to the technology strategy, since they provide better insight into what matters at the company.
The company’s IT infrastructure consists of complex combinations of machines, technology, partners and service providers, many of which are not directly overseen by corporate. The company can trust all of the technology until it proves itself untrustworthy, while also trusting nothing until it proves itself trustworthy.
Ideally, the level of trust should be equal to or greater than the risk to the business. When it is not, the company can adjust either its trust or its risk.
Know your environment
When it comes to securing the company’s digital assets, the company’s management and board need to be convinced of the risks and countermeasures. To that end, the IT team needs to show the board they understand its business goals and objectives.
The first step is listing the risks that can be controlled or managed in order to meet business goals. Then come the technical steps that address the risks and meet business goals.
BTAS Snapshot is designed to provide an “early warning” look into a business’ network infrastructure. It’s not an audit or a consultancy, but a holistic overview of an ICT environment that identifies any weaknesses and inefficiencies.
While it provides insight into how more radical changes can be made to the ICT infrastructure, it is the “quick wins” that bring the immediate benefits to a business. Not only can BTAS Snapshot help to justify any additional investments to an ICT setup, in certain situations it could also potentially cover the costs.