A fool with a tool is still a fool…

Remember that saying? We usually mention it in relation to software or IT solution implementations, but today I want to focus our attention to Cyber Security Risk Management.

Looking into the vulnerabilities and potential Cyber Security threats in a business, it is quite clear that we need to look beyond the technology. It’s not just about attacks, technical failures or defects. You also need to look at human error and organisational weaknesses.

What do I mean by that? Well, technical failures and defects happen every day. But even when you come up with a scenario where you have zero defects and absolutely no technical failures in your technical infrastructure you may still be vulnerable to attacks or other forms of cyber crime.

No system can predict that your junior admin person, or your VP of marketing is going to click on an image of link that has embedded code.

As an IT Service Management specialist this doesn’t surprise me. It was never about the technology, it never has been. Technology solutions have always been a way to achieve a business outcome or a way to solve a bottle neck.

RACI Diagrams

There are always people involved in the processes. (at least until AI is taking over most of the tasks.. but that is a whole other story). Therefore it is important to train and educate people so they understand their role in the process. Create RACI diagrams for every process so it’s clear to every party involved who is accountable (can only be one), who is responsible for carrying out the tasks, who needs to be consulted and who needs to be informed. Once it’s on paper it becomes obvious to everybody involved where the gaps in the process are.

HR Training Plans should include Cyber Risk Awareness

The next step is to identify the training and education needs for each person in the process. Again, put it on paper so we can see where the gaps are, obvious or not… The HR department will be able to help here. They have training plans and career paths mapped out for your employees. Cyber Security Awareness should be part of this plan so make sure you include HR in your Cyber Security Risk Management discussions.

It is your responsibility to make sure you don’t create fools using the tools in the business. Make sure everybody knows what they should and shouldn’t do. This goes beyond the procedures and user manuals for the software applications we use in the business. This also includes talking to your employees and team members about the goals, vision and mission of the company and the role they play in achieving those goals. It means including everybody in discussions around security and empowering your team members to ask questions and ask for help when they are in a situation that they are unsure about. Cyber Security Risk Management is everybody’s responsibility.

In IT Service Management we talk about this in the context of Availability, IT Service Continuity¬† and Information Security Management because these processes are the most obvious places to start when you need to consider how to keep the IT services available to the end users and customers. Isn’t it time to include Cyber Security Threats and vulnerabilities in the overall Availability Management discussions?