Back when I was in my early thirties, I worked out all the time: three days a week of basketball; three days a week of weights at the gym; and plenty of cardio, softball games and impromptu throwing sessions tossed in as the opportunity arose.
For a while, I even had a personal trainer – someone who met me at the gym and pushed me well beyond what I would have done on my own.
Today, a decade-plus later, my priorities (and muscle tone!) have shifted. I got married, bought a house, had a couple of kids, and launched a business.
Am I still interested in being in tip-top shape? Absolutely.
Am I still motivated to do the work required? Hmm… not so much. These days, the personal trainer could show up in my kitchen and he’d still have a hard time getting me back to my previous level of workout intensity.
So it goes with cybersecurity: motivation is an essential ingredient.
Effective Cybersecurity Programs Require Executive Commitment
A few weeks ago, I had an email exchange with the Director of Engineering for a 100+ person SaaS company. We had already engaged in several friendly phone calls, during which I had shared pricing and lots of information. Now, she was asking for a proposal.
Me: I need to speak with the CTO. We have not had success with a client without including the executive sponsor as part of the sales process. Understanding his level of commitment and future support is critical.
Prospect: To be frank, I am collecting quotes from two other vCISO companies. The CTO doesn’t want to meet unless we decide to move forward with your services.
Me: Understood. We are going to pass on creating a proposal. Good luck with your security program.
It may sound surprising for me to walk away at that point. But cybersecurity is a hands-on process.
Without sponsorship, involvement, and commitment at the highest levels of the organization – things that are clearly absent if the CTO opts out of the sales process – the program is not going to come together as it should.
First, because cybersecurity is inconvenient. It nearly always requires new policies (e.g., two-factor authentication, tightly managed access controls) and additional staff training. The Director of Engineering – even in a 100-person company – doesn’t have the organizational horsepower required to implement these steps across the entire enterprise.
Second, because cybersecurity is a contact sport. Unlike many other “tech things” within your organization (e.g., phone system, marketing software), this isn’t something that’s simply installed and turned on. Cybersecurity programs require customization and coordinated, hands-on work, from both the vCISO and internal players.
Third, because cybersecurity touches everything. As we’ve discussed before, your data security is only as strong as your weakest entry point. To make it work, you’ve got to have the entire organization on board; everything needs to be buttoned up, from top to bottom.
Three Necessary Elements
Among our clients who have been super-successful with their cybersecurity programs, these are the three elements that are always present.
- An engaged executive sponsor. Someone who is plugged in, believes in the program, and has the influence and commitment to make it happen. Typically, it’s the Founder or someone with the letter “C” in their title (CEO/CTO/COO).
- Periodic meetings. Sometimes weekly, sometimes bi-weekly. It’s less about the specific timeframe than about creating a schedule that demonstrates company-wide dedication to the outcome.
- A project team. At a minimum, you’ll need a capable and plugged-in admin as well as a technical lead. These two people keep things moving on a daily basis.
You know what’s not a requirement? A dedicated budget. Of course, that’s helpful.
But absent that, as long as the executive in charge is determined to make it happen – whether by borrowing from other company resources, prioritizing tools and configurations, or finding other creative ways to push things through – it happens.
Final Thoughts
Cybersecurity programs are not “plug and play.” And they’re certainly not magic. The most important factor in rolling out a successful program, bar none, is executive commitment.
Now if you’ll excuse me, I’m off to try and dig up my old personal trainer’s phone number. Nah, I’m just kidding.