In the span of a few short months, our world has become more virtual than it has ever been. For service organizations, this means not only work-from-home scenarios across functions but also the need to provide remote service to customers. As such, companies have turned to digital tools to keep employees connected to company leadership and to one another, and to keep customer communications and service intact.
We’ve discussed many themes this evolution brings about, including accelerated digital transformation, a speeding up of Servitization and outcomes-based service approaches, and lessons in virtual leadership. One topic that was brought up to me recently that we have not yet discussed, however, is how this rapid uptick in remote connections is significantly increasing the need for more robust cyber security initiatives. Whether data is being transferred within the company, or to and from customers, rising remote connections and more data transfer equal greater security risk, and it’s important to address that fact to protect your company, and customers, from harm.
I came across an article recently from Umesh Yerram, Vice President and Chief Data Protection Officer at AmerisourceBergen, that presented some excellent points on building a purpose-driven security organization. As service organizations ramp up cyber security efforts, ensuring you have the right skills, structure, and processes in place is imperative. Below are five important pieces of advice Umesh shares based on his experiences:
#1: Aligning with organization’s purpose. “Most of the security practitioners are very technical resources and enjoy dealing with bits and bytes. But if those same security practitioners internalize organization’s purpose and understand how their daily activities contribute towards meeting their organization’s purpose then it increases their productivity, sense of ownership and job satisfaction. Every member of the purpose driven security organization should have the same goal regardless of which security team (or any team in general) they are part of,” says Umesh. “For example: healthcare security teams should understand how their role & responsibilities contribute towards positive outcomes for their patients or security teams in other industries should understand how their roles and responsibilities contribute towards their customers’ experiences when using their company’s products and services. Once that understanding is crystalized then security teams are more focused on contributing towards organization’s purpose than just bits and bytes.”
#2: Break down silos. “Over the years each information security area – IAM, GRC, Data, Cyber, Awareness – has become more complex and challenging. However, every area is not independent but contributes towards the greater goal of securing the organization to meet its purpose. Security teams tend to focus on complex projects within their areas without learning about the other security projects and gaining a good understanding on how all those projects fit into the overall big picture,” explains Umesh. “Breaking these silos constantly enables the security teams to understand the big picture and how their efforts contribute towards the overall goal to serve its purpose. Whether it is opening individual team meetings to all security team members or using monthly town halls to help reinforce the interconnected nature of the projects will enable collaboration and seamless integration of different security capabilities.”
#3: Hire the heart, train the mind. “There are millions of open information security roles due to lack of skilled information security professionals. Information security teams must think outside the box to hire – System Administrators, DB Administrators, Application Developers, Veterans, Communication majors etc. – and focus on hiring diverse, smart resources who have the right attitude and eagerness to learn,” says Umesh. “Technology changes rapidly, therefore, if you focus on hiring resources based on current skills then those skills will be outdated quickly. However, if you have the team with the right attitude and appetite to learn new technologies quickly then they will constantly upgrade their skills and continue to serve the purpose long term.”
#4: Build a sustainable winning roster. “Like every NFL team, every security organization has a cap when it comes to building its roster. Security teams can take a leaf out of NFL roster building playbook (no pun intended). Building a security team with experienced veterans along with new experienced hires (free agents) and fresh graduates (rookies) is a winning combination. This model will help new experienced hires and recent graduates to assimilate with company culture and learn from proven veterans while building a team for the future without missing a beat to serve the purpose in the long run,” suggests Umesh.
#5: Develop a trusted partner network. “Vendor partners are an extension of the team. Building a strategic vendor partner network with those who understand and share your purpose and help you meet that purpose is critical,” notes Umesh. “Vendor partners who are only interested in a transaction-based relationship are not long-term partners and will impact security team’s ability to serve its purpose. Building a strong collaborative partnership with vendor partners that you can leverage to influence their services and products’ road maps to meet your strategic goals will be mutually beneficial and deliver value to both organizations.”