In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the type of answers teams should be providing.
This week we tackle the question:
“Do we have an ongoing, continuous assessment and improvement plan?”
“Perfection is not attainable. But if we chase perfection, we can catch excellence.”
Continuous improvement seems like common sense for any function but after meeting with teams all over the world, I can say it isn’t that common.
For a security function to be successful, there should be a process for continuous improvement. This could arguably be the trait that separates successful programs from ones that aren’t. Too often, security becomes rigid without a loop for improvement.
As your organization grows and evolves, so must your cybersecurity program. Risks, threats and vulnerabilities change over time. Business models change. All of these factors matter for a program to evolve and constantly improve.
The inputs to security assessments vary and can be built internally. There are also plenty of qualified external entities that can help assess the program and put a plan in place for continuous improvement.
Steps to creating a culture of continuous improvement:
1) Set goals for excellence and measure against them.
For cybersecurity to be successful, the mission of the program, goals, and success metrics should be agreed upon and reported on regularly. Maturing your program will take a steady hand and patience at your level. Changing missions or strategies too often is a sure way to miss any security goal you have.
2) Eliminate fear
For continuous improvement to be successful, your organization needs a culture where failure is OK. If your employees are afraid to bring up issues, you will never improve. Employees also need to feel like management is addressing failure when it occurs. Having a great process in place with a feedback loop to improve will ensure a culture that minimizes fear and maximizes improvement. It’s also amazing for employee engagement.
3) Actively manage the process
As with any process, continuous improvement should be managed. The outputs of managing this process may include both tactical and strategic efforts. Your team should have a process to manage and report up to appropriate levels on these efforts.
4) Train and develop leaders with the same mindset for improvement
Leaders in your organization should be trained on improvement techniques and best practices. They should also be rewarded for offering improvement suggestions and, more importantly, for executing on the efforts needed to improve. These types of employees and leaders should be developed and retained to maximize the continuous improvement cycle at your organization.
5) Focus on fixing..not blaming
Far too often, we see CISOs and cybersecurity leaders being blamed and/or replaced as the result of a failure. This has to stop. What other function in an organization is held to the standard of needing to be 100% right all of the time? In almost every case, a breach is systemic and there are multiple points along the timeline that lead to the breach.
Creating a culture that focuses on improvement versus blame will create a ripple effect in your organization allowing leaders to operate more freely. Things will happen. Acknowledge that failures will happen. Acknowledge that people will make mistakes. It’s not what happens when someone makes a mistakes or when something fails but how your organization responds.
Cybersecurity isn’t about perfection. It’s about failing fast, iterating, and constantly improving.