In 2020, with attack surfaces growing due to ongoing digital transformation, as well as an increasingly remote workforce in response to the COVID-19 pandemic, it’s more important than ever for companies to collaborate effectively in order to get the most out of their cybersecurity tools and practices.
Our recent webinar, hosted by SecurityScorecard’s Sales Enablement and Training Lead Leon Hassid, featured guests Paul McKay, Senior Analyst at Forrester; Cathy Pitt, Chief Security Officer (CSO) at Plex Systems; and Kenneth Ord, Head of IT Security at Modulr. As a panel, they discussed the importance of enterprise-wide communication around cybersecurity and the steps they have taken to build a more collaborative environment at their firms. For those of you who missed the webinar, we’re excited to share five key takeaways below.
1. Cybersecurity and business goals need to be 100% aligned
Panelists said that aligning security policy with business goals is a major imperative for their firms. This starts with security teams understanding business issues—such as revenue goals—and business leaders understanding security requirements.
“Collaboration really is the key here,” Pitt said. “Determining the value of assets, or what’s going to most heavily impact the business, is a business decision. If the security lead doesn’t have a seat at that table, it’s very hard for them to begin that flow of collaboration.”
McKay added that many firms are leveraging risk ratings solutions to effectively prioritize cybersecurity spending, which also supports revenue goals.
2. Cybersecurity is everyone’s job
Pitt insisted that cybersecurity needs to be a culture-wide core value that relies on constant communication and cooperation. It also requires the empowerment of all employees—even non-security personnel—to do their part to minimize risk.
“I think the thing we need to do better, and that we certainly do at Plex, is that [cybersecurity] becomes part of your job,” Pitt said. She added that passion and support from the top down are two of the key areas that make companies successful.
Ord agreed and added that with the right incentives, processes, and tools, any team can have a positive impact on an organization’s security posture.
3. Drive collaboration with third parties and vendors
Panelists also discussed the importance of establishing meaningful relationships with vendors, and how security ratings help their firms engage in productive conversations with their third parties to resolve issues.
According to Pitt, “security ratings open up a lot of really good dialogue, and in some cases when you start that conversation, that vendor is surprised. They thought they were doing everything right, so it’s a good opportunity for them to make changes in their environment as well.”
Ord noted that at Modulr, the firm is better safe than sorry when it comes to third-party risk management. “We use SecurityScorecard to evaluate every third party that we do business with,” he said.
4. Provide insights that drive executive and board member engagement
Forrester predicts that cybersecurity ratings will become a de-facto standard in the boardroom by 2025. For the panelists, security ratings are already a vital boardroom communication tool that helps drive engagement.
“What I’ve generally found is that the risk ratings solutions have been a real level-setter,” McKay said, explaining that it’s easy for executives to track a letter or number rating and have productive conversations about the factors that are driving it.
This has certainly been Ord’s experience using cybersecurity ratings at Modulr. “Our SecurityScorecard Rating is one of the very few metrics that goes to the leadership team on a weekly basis,” he said. “With no explanation, they know exactly what it’s telling them.”
5. It’s about choosing the right tools
Lastly, the panelists discussed how they favor cybersecurity tools that integrate easily into their existing operations.
“Orchestration is a big go-to word these days,” Pitt said. “It doesn’t make sense to invest in a tool that isn’t going to work easily with all of your other tools, so API’s are really the name of the game […]. You can’t invest in something that’s going to be standalone and force you to go off somewhere else to look for answers.”
Highlighting the need for seamless workflows, Hassid added that many SecurityScorecard customers have found value in Atlas, our questionnaire exchange and validation platform, because it automatically maps SecurityScorecard Ratings data to individual questionnaire responses. With this unique integration of cybersecurity ratings with vendor-provided responses, our customers can more easily prioritize assessment review, saving security & IT teams countless hours.
Conclusion
These are just some of the many insights gained from the dynamic panel discussion. We encourage you to watch all of our panelists in action and view the entire webinar here. Want to lean in more? To dig deeper into this topic and start building your modern cyber risk management team, download our ebook, “Five Steps to a Modern Cyber Risk Management Team.”
