Smiling Security (eBook)
358 pages
Lioncrest Publishing (publisher)
978-1-5445-1180-1 (ISBN)
Every business, large and small, is vulnerable to cyber attack. If your company isn't well protected, its systems may be compromised by sophisticated hackers with malicious intentions. Business owners, boards, CEOs, and cyber security managers must work together to combat this threat by putting effective security measures and organization in place. With Smiling Security, you can build one from the ground up in just ninety days. These powerful strategies from internationally recognized experts Mikko Niemelä and Pasi Koistinen will identify system weaknesses, catalyze change, and implement an ironclad security plan that works within an established corporate structure. Business leaders will discover what to look for when hiring a cyber security chief, while cyber security managers will learn to navigate a company's political complexities and to prevent catastrophes before they occur. Don't wait until a fire has already started. Let Smiling Security be your roadmap to cyber safety that will have everyone smiling.
Chapter One
1. Know the Expectations (or Lack Thereof)
The ideal situation: a newly hired CSM reports for duty and, on his or her first day, is presented with a set of specific expectations and detailed objectives for cybersecurity set forth in a clearly written cybersecurity plan. The plan provides the CSM with concrete goals to work toward. It allows the CSM to hit the ground running and achieve maximum results in the shortest time possible. The CSM will be extremely effective because the company has a detailed cybersecurity plan in place.
Sound good? When it happens, it is. But how often does it happen? Almost never.
CSM Candidates: What to Ask in an Interview
- How do I get the management support I need for this job?
- Who is my sponsor in the company?
- Are you ready to invest in security?
Most of the time, the company has no plan, no set goals, no idea of scope and no clear expectations for the CSM they just hired. Typically, the company is only able to express to the CSM a vague desire, like ‘We want our data to be safe’ or ‘We don’t want to get hacked again.’ That’s not a plan.
In fact, most of the time, the company expects the CSM to come up with the plan. They also expect the CSM to resource, scope and execute the plan. The CSM, meanwhile, depends on the company to define parameters and provide a budget. With each party operating under the impression that the other should be providing the basic necessities, the CSM’s role often stalls out within the first week or two on the job.
Hiring a CSM: What to Ask in an Interview
- How did you build and manage security management systems in previous jobs?
- How would you set one up here?
- What do you think are the most relevant cyber risks for businesses like ours?
By listening to the candidates’ answers, you’ll find out if they are up to date on current risks and if they did their homework about your company. Their answers will also reveal the mental boundaries that limit their work.
It’s not that the company wants to leave the CSM in the lurch. Quite often, when a CSM is hired, it’s the first time the company has ever hired a dedicated cybersecurity manager. The company has no experience with having a CSM on staff. They have no history or established protocol for how to manage a CSM. They have no idea how to best utilise this new asset. The company isn’t thinking about what additional resources or support the CSM may require; they are primarily focused on budget.
Mismatched Talent
When a CSM is hired, they’re usually expected to function independently of any one department or team. Within any company, there are internal teams, or tribes, such as operations, finance, sales, marketing, legal, IT, brand management and so on. Since the cybersecurity role lies outside those power teams, the CSM has limited influence within the company. The way forward for the CSM is to work within the internal corporate structure to get on the agendas of those teams and personally influence the key stakeholders and decision-makers.
In many ways, the CSM’s effectiveness is limited by how well they can navigate the internal power structure of the company. CSMs have to work hard to gain acceptance into these tribes. This part of the job is never mentioned in employment contracts, is seldom taught in universities and can come as a surprise for CSMs without significant experience.
For example, we know of a company that hired a very proficient-looking CSM with an impressive CV. While the CSM had deep technical experience, he lacked the people skills to work effectively within the company’s corporate culture. Instead of taking the initiative and proactively forging relationships, he waited around for department heads to invite him to a meeting. He ended up sitting in his office all day on the computer instead of communicating with company leaders and managers. In the end, he achieved little to improve the company’s cybersecurity, all because there was a mismatch between the company’s expectations and the CSM’s expectations. Each was waiting for the other to take action.
Sometimes companies don’t even know what kinds of skills the cybersecurity manager should have, so they end up hiring the wrong kind of talent with the wrong expertise. Hiring a cybersecurity manager with the wrong skillset is going to end in failure because the person hired doesn’t match up with the actual needs of the company. But it’s not the CSM’s fault, because the company didn’t know what they needed to begin with and didn’t make it clear during the hiring process.
If the company misunderstands the role and hires the wrong person, then little will be accomplished.
Problems Lie Ahead
Most companies hesitate to commit sufficient resources and budget for a robust cybersecurity programme. They often believe that the cost of hiring a CSM is the only investment they will have to make, though that is rarely the case. (The truth is that a viable defence against cyberattacks can cost hundreds of thousands of dollars.) Effective cybersecurity requires a significant investment beyond hiring someone to manage it.
That’s because cyberattacks affect a company on all levels—they require an immediate response, a careful consideration of the effect on corporate reputation and an adjustment of future growth predictions. When an acute crisis hits, the company first has to focus on the immediate practical problems, like endless help desk calls, a backlog of customer requests, and the possibility of being sued. Crisis management is the order of the day. At the same time, investors and owners are wondering how this hit to the company’s reputation will hinder the growth of the company. Inside the company, managers and employees worry about their own jobs and liability; outside the company, regulators and society are probably already reacting. The dollar cost of the attack itself is probably one of the last things on people’s minds.
Hiring a manager is only the first step. The manager may need to call on existing staff to take on new tasks; for instance, a network engineer might need to develop skills in network monitoring. Internal staff will be needed to build and execute solutions, and it may be necessary to hire external companies as consultants and to test the systems. If additional hardware and software are required, internal IT resources may have to be reallocated. These represent significant costs.
Organisational Structure: Putting It on Paper
When considering a CSM applicant, try this:
Hand the applicant some paper and a pen and ask him or her to draw a rough diagram of the company’s current organisation. Invite the candidate to explain how they would manage the structure. There’s no right or wrong answer, but you will learn a lot about the candidate’s organisational skills by listening to his or her response. If your request is met by silence, that is not a good sign—you may have a pure techie on your hands. The best candidates will have something to say about every piece of the chart.
Nevertheless, many companies refuse to allocate sufficient budget funds to cybersecurity—either to fix problems caused by a known cyberattack or to prevent an attack in the first place. So CSMs often find themselves in the difficult position of doing what they can with limited resources, even if it won’t be enough. If CSMs don’t have the interpersonal skills and initiative to gain access to key decision-makers in the company to lobby for more internal and external resources, they simply won’t be successful.
What does a lack of success in this role look like? If the CSM is ineffective, the company’s cybersecurity won’t improve, and may even be diminished. That exposes the company’s employees, customers, and shareholders to serious risks of breach, theft, blackmail, ransom payments, legal action, and more. What’s worse, hiring a CSM without allocating sufficient budget funds can lead the company to have a false sense of security.
The consequences of failure are also considerable for the CSM. Most cybersecurity managers don’t feel accepted, or even respected, by the companies they work for. If a cyberattack happens, the CSM is the one who gets blamed. If the CSM is terminated, she finds herself out of a job, and the company must spend time and resources to recruit and hire a new CSM to come in and fix the existing problems.
What Can a CSM Do to Succeed?
Cybersecurity managers first need to understand what they will be up against. They need to go into a new job fully understanding the challenges we’ve talked about in this chapter, including lack of access to decision-makers, limited or no budget, unclear expectations, a nonexistent cybersecurity plan and a general lack of respect for their role within the company.
Contact the Key Players
As a CSM, you need to contact key players in the company and familiarise yourself with their units and what they do. For instance, you could go to customer service and ask to...
Publication date (per publisher) | 3.11.2020
---|---
Language | English
Subject area | Computer Science ► Networks ► Security / Firewall
ISBN-10 | 1-5445-1180-9 / 1544511809
ISBN-13 | 978-1-5445-1180-1 / 9781544511801
Size: 2.8 MB
Digital Rights Management: no DRM
This eBook contains no DRM or copy protection. Passing it on to third parties is nevertheless not legally permitted, because when you purchase it you acquire only the rights to personal use.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The body text reflows dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need the free software Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a free app.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.