Regardless of the industry vertical, organisations that have email, a website, a phone system, or even just people using computers, will require cyber security at some level to protect their abilities to keep their businesses running smoothly. Depending on the organisation, they will also be at varying stages of their digital transformations, whether they’re going all-in on cloud or want a mix of cloud and on-prem solutions to support their business and applications. Added to this, every organisation has unique needs, regulatory requirements, budgets and priorities. Therefore, every organisation also needs to go through the process to understand each of these to create a roadmap for how they are going to protect themselves.
With the many varieties of security products/technologies available, understanding what the organisation needs can often feel like a daunting task. And just buying the technology doesn’t suddenly make the organisation protected. Technology needs to be implemented and maintained; it needs to integrate with other technologies and processes; and – importantly – it needs to work without becoming an impediment to doing business.
A trusted advisor approach
It can be difficult for many organisations to know where to begin when creating a digital roadmap, and this is where a trusted advisor can make a big difference. Unlike a technologist, who will be able to advise on the implementation of security technology, like installing or maintaining a firewall, a trusted advisor can take into account the full picture, aligning both the technologies and the processes that underpin the cyber security programme.
Trusted advisors can take many forms, depending on the requirements of the organisation. For example, it could be an assessor that comes in and helps identify cyber security gaps, like a lack of consistent patching on servers, in order to help determine how to close them. Or it could be someone that helps align the organisation to specific security frameworks or regulations, such as HIPAA/HITRUST, PCI, ISO 27002 or NIST CSF. These compliance aspects can be critical to the organisation’s ability to win contracts from Fortune 500 companies.
A trusted advisor could also take the form of an individual that supports a CISO or Director of Security to act as a sounding board to flesh out ideas and help identify costs and risks. This expert may even assist in writing the business case for cyber security, or with drafting the initial presentation given to the board or manager to request and secure adequate funding. It could also be someone who acts as an educator and can aid in preparing for an external audit or review. The trusted advisor may also serve to enhance the organisation’s training curriculum to support the business with ensuring people understand their roles, especially in organisations where employees wear many hats. This can help business leaders define and manage expectations of their employees.
What does a good trusted advisor look like?
Features of a trusted advisor that should be considered include:
- The ability to utilise other subject matter experts. As no single individual will have an unlimited skillset, a trusted advisor should have resources available to help provide deeper knowledge as needed.
- A trusted advisor should be working in the best interests of the business. While vendors have fantastic advisors for sizing and implementing their products, there may be some concern that a recommendation is likely to benefit their organisation more than the one they’re meant to be advising. For an advisor to be trusted, business leaders should feel confident that any recommendations are based solely on their needs.
- The ability to learn about and understand the organisation. More important than someone who can walk in and provide a roadmap on day one is someone who can step in and understand the organisation first. After all, there can be no roadmap without this understanding as a starting point.
- They must be relatable. Sometimes the depth and breadth of someone’s experience can be so impressive that people will overlook the fact that they can’t actually work with them on a personal level. They say that job interviews are primarily about ensuring you can work with someone. This is also true with a trusted advisor.
Considerations to working with a trusted advisor
When thinking about working with a trusted cyber security advisor, it’s worth considering what form they may take and whether the organisation can attract the necessary candidate with the right skillset – or even whether the right person is already employed by the business. Will the organisation be looking to hire a full-time advisor, or can the job be done in a few hours per week? Will the business be able to support the time required for them to train and stay abreast of trends? How will they maintain insight into other similar organisations to learn from these experiences? Will they come with a network of subject matter experts that can be pulled in as required? In a lot of cases, it may be less prohibitive to take on an external trusted advisor whose job it is to tick all the boxes from the outset.
A trusted advisor can take the form of a person or team of people, hired or brought in externally, that will help assess the business from a cyber security perspective and assist in planning the next 2-3 years of the organisation’s cyber security programme. This means organisations can make purchasing decisions and process changes that are aligned together to build a solid programme, and improve cyber resilience as well as business resilience, while lowering the risk of becoming the next big headline for the wrong reasons.