(There are little support for our resiliency plan!)
Why “push” when you can get much better support through “pulling” actions? Nobody likes to be told to do something, especially if they are not seeing the need for it. They are not seeing the need, because they are not feeling any “pain”. So, the best way to get unsolicited support is to make the employee part of the analysis. That way they will discover the potential personal risks themselves without you having to tell them. How do we do this? The following would be an excellent starting point to get adequate buy-in and commitment:
- Design a systematic framework analysis that is repeatable and could be used by all – The right starting point in any organization would be to design and implement a common repeatable framework to continually serve as the basis for regular assessments to uncover vulnerabilities. This framework should include the intention of seeking factual quality data with a “groundswell” bottom-up approach.
Your staff is the best resource for security intelligence. They are executing and using the various policies, processes and procedures in the organization and they are normally the best source for identifying vulnerabilities. In fact, they normally also have the best answer to ensure resiliency around that vulnerability.
- Provide useful tools and templates that could create a common approach and language – Your framework should have a common structure of templates and tools that could provide the guiderails of how to access and process data that could substantiate a particular vulnerability. You cannot expect any organization to assess the whole organization for vulnerabilities because that will take too long and everyone will lose interest very quickly.
You should start by providing some kind of prioritization commonly supported tool that will identify the 20% policies and processes that would be most pronged to breaches. Once you’ve identified the appropriate process to be analyzed you need a very good investigation approach to identify the common underlying reasons to be addressed. This should be followed up by a solution finding template that is understood by both Management and the workforce to develop a good resiliency plan.
- Provide in-house expert help to facilitate challenging situations – You cannot expect your workforce to have the necessary skills overnight to perform the above. Therefore, it is normally advisable to make use of professionally trained in-house experts to lead and facilitate these groups to extract the quality data as efficiently as possible.
Coach certain key employees, strategically positioned across the company, in the effective use of all the templates and how to facilitate teams in order to arrive at that quality information. With an in-house expert in charge of the facilitation process the Subject Matter Experts can contribute freely without any restrictions to ensure the best possible quality data.
- Involve the employee at source – We always maintained the following mantra “Ask the right question from the right person to get the right answer!” Management is busy with managerial responsibilities and in most cases far removed from what is actually happening on the ground. They will not know if certain employees are “cutting corners” or if a policy is only partially followed or not followed at all.
A facilitator who is professionally trained would be able to extract the necessary information most effectively using the appropriate templates and associated worked questions. These templates provide the necessary guidance and will guide the facilitators and their teams to arrive at the best resiliency build plan that could be wished for.
As you can see there is a theme developing from all of the above points and that is, the person closest to the source is the best person to provide specific factual and actionable data.
Summary
The message is clear. We cannot expect the Risk Team to do the best possible intelligence gathering for the company when we have all the necessary resident intelligence residing with our staff working at source. The workforce needs to be engaged and their resident intelligence leveraged as effectively as possible. You need a framework, tools, template and worked questions to execute that.
Please look at the KEPNERandFOURIE® HeatMap encompassing the factors of Threat Actors, Company Processes & Policies, Probability, Detectability, Disruption, Manageability and Livability all in one template to provide an indication of “flashing” hot spots. See the link here.
SelfCYBER™ is a robust, disciplined Continuous Security Improvement approach leveraging the resident intelligence of company staff to continually assess and fix security vulnerabilities. This is done through professionally developed in-house Cyber Solutions Experts (CSEs) strategically deployed across the organization.
