We see it in the media, major stories of companies being breached, data being exposed, companies making significant errors through responding to phishing attempts, sometimes though, perhaps a gap in direction, policy and process was in action.
Much less frequently published is that often at the core of many of these incidents, the answer to the questions that highlight how much could it have been mitigated, or at the very least if there had been the reasonable checks and balances, policies, and procedures. More deeply had there been strong leadership to support a robust security posture and culture?
To be specific, we’re not talking about just the big multi-nationals with million-dollar security budgets with CIO’s and CISO’s at the top, we’re talking about fundamental technology leadership practices that apply to all businesses, big and small.
Who’s leading technology in your business?
We engage regularly with business owners and leadership teams to discuss operational risk and business continuity, and when we review the key tenants of the organisation, often technology, though recognisied as business critical, is not led or managed with the same focus or intent as say finance or human resources, IT, well it is just there, a cost centre, and someone else is looking after it… right?
The challenge we face is that as businesses move closer to external IT, e.g. cloud, subscription software and managed services, we see a lean towards trusting the system and features like high availability or geo redundancy, and somehow, the ownership of technology within the business can be outsourced too. Let’s face it, you’re not paying for leadership, you’re paying for a service and with it a false sense of security can develop around responsibility and ownership, consciously or not.
The truth is that if the service goes down, or you suffer an internal breach, or a disruption happens at a platform level, you will be left holding the proverbial bag, no matter the SLA or what the guaranteed uptime may be, in the end its your business that will feel the pain. Potentially an incident may have such an impact as to break the trusted relationship with your customers, because customers aren’t worried about how an “upstream provider or 3rd party” dropped the ball, because they don’t pay them, they pay you.
The questions will come:What did you have in place to prevent this? Who’s got my data? How did this happen?
How well are you prepared to answer it?
Looking deeper, we know that when most breaches occur, nobody is the wiser, unlike a broken door or window, sometimes the incidents occur a long before its known, and this is designed to maximise the effectiveness and the potential to extract valuable data, or worse still, hold it to ransom.
It might all sound doom and gloom, but there is something that you can do, take ownership, and more importantly remember, that just because you use external IT, or use cloud services and software from large organisations, it does not mean you delegate the ownership and leadership of technology, in fact it is critical that you don’t.
Is it time to take control?
Leadership sets the direction and empoweres people, and sets the tone for ownership in the business which ensures everyone knows the part they play, and it needs to be sponsored. Technology needs investment beyond systems and solutions, policy needs to be set, processes developed, and programs focused on upskilling and education for your users that enable them to take ownership, the ownership that they will bring with them as you lead them on the journey.
If you’d like to understand how to develop technology leadership in your business, we can help, firstname.lastname@example.org