Below I’d like to touch on one of the primary objectives of an organization’s compliance program.
The primary objective of any organization’s compliance program is, of course, to ensure that the organization is legally compliant. This includes developing effective compliance strategies, conducting audits, and enforcing standards.
However, another critical objective, and the one I would like to discuss here, has more to do with people: it is to ensure that we, the people who make up the organization, are security-minded.
An organization needs to be dedicated to helping every end-user understand why particular security measures are being taken. One way to do this is to assemble a Compliance Committee with members from up and down the chain of command: for example, the Chief Compliance Officer, a mixture of senior and junior leadership, and a representative from each department.
An effective security and compliance framework employs the principles of decentralized decision making to empower all end-users within an organization to mitigate cyber threats themselves and to take ownership of their critical roles in keeping the organization secure.
Effective security must be enterprise-wide, involving every single person in sharing the collective responsibility of keeping their environment secure.
A significant step toward improving your organization’s security posture is cultivating an organization-wide, cyber-secure culture. Organizational leadership sets the tone for this shift in mindset and should model good personal security habits based on sound guidelines. The involvement of both senior and junior leadership is critical for a cyber-secure organization.
Implicit trust that senior leadership will stand behind junior leaders is critical. Without this trust, junior leaders cannot confidently exercise decentralized command. While enforcing technical boundaries, monitoring the network for suspicious activity, and scanning for vulnerabilities are all productive measures that improve organizational security, the weakest link will always be us: the people who make up the organization.
Why is decentralized command necessary?
Leaders who try to take on too much themselves can quickly let operations dissolve into chaos; the solution is to operate under the principle of decentralized command, where micromanagement becomes unnecessary.
With clear guidance and established boundaries for decision making in place, subordinate leaders can act confidently towards the unified goal of cybersecurity.
One of the objectives of applying decentralized command within organizational cybersecurity is to explain why we are taking certain actions to safeguard our IT and business infrastructure. When all personnel fully understand the purpose of compliance and cybersecurity, how it applies to strategic goals, and what impact it has, they can lead and make decisions even in the absence of explicit orders or procedures. Maintaining a feedback loop for continuous improvement allows the security program to mature.
With a firm grasp of the whats and whys of cybersecurity, all personnel should feel confident in carrying their share of the responsibility for keeping the organization cyber-secure.
There is one more thing I’d like to touch on:
It is important not to rush to punish or ostracize employees who fail to practice good cyber-secure habits right away. Threatening overly harsh punishment for failing to report an internal phishing exercise, for example, will not necessarily foster understanding; instead it may lower morale and end up sowing paranoia among personnel. Rather than logically analyzing suspicious e-mails, they may simply refuse to open any of them out of fear of getting in trouble! It is important to keep the objective of cybersecurity training in mind: develop confidence, not paranoia.
To learn more broadly about applying decentralized command, see Jocko Willink and Leif Babin’s body of work on extreme ownership.