In the last few days, I’ve had the opportunity to help several firms that have been impacted by WannaCry.
Their messages have been largely the same, in fact almost identical. The verbiage changes a bit depending on what part of the organizational chart you are dealing with, but the overall theme was a remorseful, ‘I thought we had this covered.’ If you look around, you will notice that many of your peers tend to be reactive; it's human nature. That is in large part what lands them on the front page of a well-circulated publication in a light I’m guessing they would rather not be cast in.
So the question is, how do they get there?
Managing up – One of the most recurring observations I make is brilliant individuals failing to ‘manage up’. This concept, in the simplest terms, is helping the business understand the risk or exposure that exists (IN NON-TECHNICAL TERMS) so that they can make appropriate decisions on how to mitigate it. Conversely, the leadership within the organization sometimes overlooks or takes for granted the assumption that I.T. clearly understands their vision, which is another problem entirely.
Don’t spike the ball at mid-field – Whether you are midstream in your security program, at the end of your 3-year plan, or just starting one, don’t cork the champagne at half time. This is something I’ve seen far too often, and it is easy to spot. As we are all aware, complacency kills, so stay on target and strengthen your posture, constantly.
Measure the right thing – More than anything else, many organizations lack the tools to adequately measure their risk. If you aren’t measuring the criteria that align with the desired outcome, how can you ever achieve it?
As many of you know, one of my long-term career goals is to become a life coach. There is much value in gaining a ‘helicopter view’ from someone with broader life experiences than the ones you possess. While I’m not there today, I can tell you that proactivity can take you a long way. Remember that getting out over your skis is not being proactive, nor does it constitute proactivity in a security program. If you are struggling with what ‘good’ looks like, ask your mentor; if you don’t have a mentor, get one.