Every Company Needs a Jessica

Published on 20th February 2020 Author: Rob Black

Where I live, you’re not allowed to park on the street overnight. Unless, that is, you apply for and receive an official town parking pass.
So I called my town hall to learn more.

Who answered the phone? Jessica. (Not her real name.)

Who processes the parking applications? Jessica.

Who is also responsible for block party permits, access stickers to the town dump, and dog licenses? Jessica, Jessica and Jessica.

Last time I called I said, “Jessica, do you do everything at town hall?” She laughed. “No, but I do a bunch.”

Every Company Needs a Jessica

You’ve probably met one of these people.

He or she is the person that knows everyone in the organization and their function. They know where all the documents are. They understand all the processes. They know how things work and they know how to get things done.

That’s why whenever we begin a new cybersecurity engagement with a client, we say, “Things are going to go much more smoothly if you have a ‘Jessica.’” Because in our experience, having a person like this in-house is the difference between projects that stay on track and those that flounder.

Cybersecurity is Documentation-Intensive

At its core, cybersecurity is information-based. Things like access control, policy standardization, vendor evaluations and more, depend on a precise understanding and documentation of how things work in a given organization.

The Jessicas are really good at keeping track of all this. Plus, when there are questions or decisions that need to be made, Jessica gets it taken care of.

Without one of them, the job tends to fall to the company founder or other high-level person with broad organizational reach. The problem is that these people, while certainly committed to strong cybersecurity, have lots of other responsibilities. It’s hard for them to maintain ongoing control of all the necessary pieces.

Who Should Be Our Jessica?

We look for an individual contributor (someone who can commit the time required for initial set up and ongoing oversight), whose domain expertise is the organization itself.

They don’t need security knowledge or even have high-level permissions to your systems. On an ongoing basis, their job is to act as a single point of contact for all relevant vendors, and to make sure that what needs to get done, does. That may include things like making sure security testing and training is done regularly, offboarding checklists are followed, etc.

Jessica might be the CEO’s executive assistant, the office manager, or a documentation manager. Their title is unimportant, as long as it’s someone who has excellent attention to detail and is well connected across the organization.

Final Thoughts

Jessica makes sure your security programs remain strong and up to date. They also remove the burden of managing this from a senior person who has many other responsibilities.

Find your Jessica. Because remember, it doesn’t matter how robust your systems and procedures may be. If nobody is managing them, it’s as if they don’t exist.

Gotta run. The town dump closes at five!

Next Steps

To receive great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).