We see that companies of all sizes often lack a strategy to gain buy-in from their stakeholders and thus fail to align on the purpose of assessments. Cyber risk assessments are a vital cornerstone of any risk management strategy. To make sure your organization is getting the maximum value from the time and resources invested in these exercises, organization leaders must align their teams on the purpose of conducting the assessments.
With agreed-upon alignment, the teams involved will be able to conduct thorough, objective assessments to uncover risks and present their remediation plans in the context of why the assessment was deemed important and needed in the first place. Having this alignment will ensure the company has high-quality data for planning, executing, and continually refining its risk management strategy, as the business environment changes over time.
Who needs to be involved?
Although each company’s organizational structure may differ from sector to sector, the following table is a guide to the various personas that company leaders should include when establishing the purpose of assessments.
“Are the results of this assessment going to tell me something I already know and just give me more work?”
These personas typically like details, so preparation on scope clarity is key. Their departments are generally overworked, so avoid tasking them with a list of items. It’s also important to incorporate their feedback often.
Common Industry Titles: IT Manager, Analyst, OT SME
Concerns: Being secure enough to stop or limit attacks, having systems in place to alert them quickly when something happens
Primary Assessment Objective: Gaining valuable insights from the assessment they don’t already know
*Pro Tip: This person manages a busy team. They might view assessment results as simply adding to their workload. Using their feedback will help them see the real value in running assessments.
“The last thing I need is a consultant telling me I need to fix something.”
The people in these roles are likely very senior employees. Getting their buy-in is pivotal to the assessment’s success.
Common Industry Titles: OT Hardware Owner, Operations Manager, Facility P+L Owner
Concerns: Maintaining operations through an attack
Primary Assessment Objective: Minimizing day-to-day team impact during an assessment
*Pro Tip: Operational uptime is their primary concern. If running assessments requires a several-day commitment from their teams, it will be a hard sell.
“How do I know that every team has enough resources to manage their areas of risk?”
This person focuses on high-level intent and resources. When it comes time for decision making, they appreciate being given important info as concisely as possible.
Common Industry Titles: C-Suite personnel, Auditor
Concerns: Managing resources to most efficiently mitigate risk
Primary Assessment Objective: Understanding where improvements should be made and how quickly those improvements are made
*Pro Tip: Executives might already have a solution in mind. This is important to consider when forming an alignment strategy.
Without cross-company alignment on the purpose for conducting the assessments, the quality of the data received is undermined by competing objectives across teams. Results from each assessed area are then presented in the context of that team’s priorities instead of in the light of the company’s purpose for running the assessment. These reports then feed strategy decisions that result in slower progress on maturity improvements.
Naturally, every team will want to get something different from assessments, and that’s okay. What’s important here is that these expectations are made known and documented so that every team buys in to the value of assessments when their questions get answered.
We hope this helps you get your stakeholders to a common understanding. All too often, we see budgets and time wasted on new software, hardware, and other activities that are out of alignment with larger company goals.