While I’ve heard many “I’m just not technical” comments, I’ve also been in meetings scheduled for one hour that ran into two hours because the CEO wanted to understand the results of a penetration test and asked questions that we spent time talking through along with the CIO and IT leadership. It was a healthy, valuable conversation, and it resulted in an actionable plan that quickly improved the cyber security posture of the organization.
As more and more organizations are starting to take this approach, I’d like to offer a few points to think about that I’ve seen stifle the process if not considered.
Pride of Ownership
This can be a touchy subject. The average IT department staff not only invests a lot of time and effort into the systems and platforms they manage, but also takes pride in that work. In some cases, so much so that it’s not uncommon to hear a network administrator or engineer refer to their company’s infrastructure as “my server” or “my firewall”. So, when these systems suddenly come under internal review, or when a third party is brought in to test systems unannounced with very little discussion around the “why”, a certain level of fear and frustration can naturally begin to impede the success of the overall project.
Start with Why
When there is open communication around the “why” and the goals of such a project, the mindset can go from “my job is in jeopardy” to “we’re getting some reinforcements to help mature our posture.” This change in mindset can be a huge asset to your organization. Therefore, the C-Suite should focus on communicating the “why” in order to strengthen the value of their cyber security strategy.
An exception would be an organization whose cyber program has matured to the point that it needs an unannounced approach to test the team’s response to malicious operations being carried out against the organization. Organizations that participate in these exercises regularly can grow accustomed to this type of testing and, in most cases, welcome the improved cyber security posture and learning opportunities that testing and partnerships provide.
This type of healthy environment is driven from the C-Suite, as they have the ability to set the tone for how things such as pride of ownership are addressed with IT staff. Allowing your organization to see the bigger picture can make for not only a more engaged team but also a stronger, more resilient cyber security posture for your organization.
» Brad Pierce is the Director of Network Security for HORNE Cyber where he focuses on leading advanced penetration testing teams. Brad has more than 15 years of experience in network deployment, management, support, and information security.