Know the risks
Naturally, risk is the common denominator between the two, and whether you’re on the physical security team or the cyber security team (or a combination of both), the conversation should center around risk tolerance, assessment, and mitigation.
Security leaders must consider internal threats and external factors that impact the business. Creating a baseline is essential for an organization to determine its risk tolerance and how leaders think about risk from a business perspective. Much of an organization’s overall risk response depends on its “risk tolerance.”
Security leaders can do a lot to reduce risk for their organizations by simplifying business architecture and reducing complexity. With all the technology tools a company has, leaders need to ask themselves, “Can we secure it?” Prioritization reduces risk.
When examining risks, security leaders must avoid communicating claims of “risk mitigation” to executives when risks are constantly changing. Instead, communicating how data/assets/people are protected and building trust is a logical way to add value to the conversation. Reiterating the organization’s readiness while communicating the most likely consequences of not protecting critical data is one way security leaders can communicate risk management strategies (whether physical or cyber).
One way to effectively communicate with C-suite and the board is to discuss the reputational risks to your organization. This reiterates the need for robust protection without getting too technical. For example, in healthcare, when a data breach occurs, reputations can be damaged. Similarly, when an incident of workplace violence or a shooting occurs, reputations are damaged. When networked infusion pumps are compromised (75% of these have cyber flaws that put networks at risk of attack), reputations are affected.
The threat of reputational risk has a direct link to the viability of an organization.
In non-healthcare environments, such as manufacturing, where resiliency is critical to ensure timely delivery of goods and disruptions can impact a company’s profitability and bottom line, it’s important to take a holistic view of risk, considering physical intrusion and detection, the integration of operational technology (OT) systems, and the ability to monitor all of these environments.
Form a steering committee
It’s not enough for one leader to spearhead cyber resilience efforts across your organization; collaboration is key. One way to increase collaboration is to form a steering committee of key stakeholders to discuss progress in measuring and mitigating risks to your organization.
The risk factors vary depending on whether a company sees data as a revenue stream or for business purposes. It may be effective to share the responsibility of keeping the data safe among key individuals within the organization.
Each part of an organization has a role to play in protecting the business, and the more that role is communicated, the better the policies and processes that meet that goal can be put in place.
Build a strategic roadmap
After the organization’s risk tolerance has been established, a strategic roadmap must be established to make decisions about technology investments, costs, and priorities.
Redirecting the conversation encourages collaboration and buy-in from the top down, where a “doom and gloom” message is ineffective. Security leaders can never secure their organization 100% – whether physical or cyber. If leaders can get all stakeholders to understand that it’s not about blocking everything, they can focus on limiting risk and preparing the business to continue to operate despite threats.
Without a clear path to a strategic vision to address risk across the organization, investments in these efforts can be wasted. A lot of money can be wasted trying to move in the right direction, so it’s important to focus that investment on managing risks that the company can control.
