Introduction
The article “Accountability in Cybersecurity: Save Money, Reduce Cyber Risk” captures BlackBerry’s recommendation on Accountability and Cybersecurity. Based on our conversations with local business leaders, many leaders of small to mid-sized businesses/enterprises (“SMEs”) struggle with both “Accountability” and “Cybersecurity”. As examples:
- Cybersecurity – Business leaders have been frustrated about sales and marketing efforts employed by sellers of cybersecurity products and services and the challenges tied to cybersecurity insurance. And, yes, some have shared painful stories of the cyber breaches they have experienced.
- Accountability – Business leaders share their concerns about employees’ inability to deliver projects on time and on budget and their failure to provide a “heads up” when milestones are missed.
In this article, we share thoughts on Cybersecurity and Accountability. As the BlackBerry blog indicates, to address and mitigate the risks of cyber breach damage, both cybersecurity measures and accountability must be in place. Both cybersecurity and accountability must be “active”, from corporate strategy to individuals’ operating activities.
Major “enterprise” corporations spend $millions and even $billions on cybersecurity. And they spend those large amounts on accountability: personnel talent and training, sophisticated operating equipment, systems, and software including ERP, CRM, HR, etc.
SMEs do not have the resources required for enterprise level planning and operations. SMEs must settle for less sophisticated planning and operations, less cybersecurity, and less “human resources”. To remain competitive in this tech-advancing world, the leaders of smaller businesses must determine the extent of their investments in these important areas. With the rapid expansion of cyber risks, smaller businesses must improve their cybersecurity measures.
Regardless of the size of their business, for cybersecurity and accountability, business leaders must:
- Determine a budget for their IT expenditures, including a cybersecurity budget,
- Set affordable IT and cybersecurity goals,
- Set plans and define the actions to achieve those IT and cybersecurity goals [some actions, for example training, are not costly],
- Allocate the dollars to achieve those IT and cybersecurity goals [even if these investments are small], and
- Monitor actions to ensure accountability is in place and actions are yielding the desired results.
Cybersecurity
First, about cybersecurity insurance
We have provided education to help hundreds of leaders of SMEs understand cybersecurity risks. This has included review of businesses’ current practices, education on risks & rewards, and review of risk mitigation policies, processes, and procedures. Some leaders of SMEs have struggled with third-party risk management requirements initiated by larger, enterprise businesses and almost all these leaders have struggled with cybersecurity insurance.
Leaders’ challenges with cybersecurity escalated about 5 years ago when sellers of cybersecurity software and hardware tools began to actively market and sell their products to SMEs. At that time, cybersecurity insurance was not readily available to smaller businesses. About 3 years ago, insurance options for smaller businesses became available at affordable prices. Based on our discussions with leaders of smaller businesses, only a small percentage of smaller businesses have purchased cybersecurity insurance.
Up until about one year ago, insurance providers underpriced their cybersecurity services. With the proliferation of cyber attacks and breaches, the insurers lost $billions. Now, it is extremely difficult, essentially impossible, for smaller businesses to obtain cybersecurity insurance. To qualify for cybersecurity insurance, businesses must have well-planned and implemented policies, processes, and procedures. They must also have sophisticated software, hardware, and networks and be able to prove their personnel are well trained and monitor all security aspects of operations to ensure everything is under control. In summary, businesses must meet very high standards to qualify for cybersecurity insurance.
Cybersecurity insurance is not an option for most small and many mid-sized businesses. These businesses must rely solely on “self-insurance” and taking the measures they can afford to reduce and mitigate their cyber risk. Cybersecurity measures help protect assets and reputation. With assets and reputation protected, smaller businesses can achieve their goals.
Cyber Security Assessment
To understand cybersecurity risks, the first step is to have a third party perform a cybersecurity assessment. Cybersecurity assessments will only happen when the business leader sees value in having them done. Cybersecurity assessments for SMEs can cost $50,000 to $100,000…i.e., the pricing of formal/sophisticated cybersecurity assessments is much higher than most smaller businesses can afford…and the cybersecurity measures these assessments recommend are equally costly.
If budgets do not allow such expenditures, other less expensive cybersecurity measures can be taken.
We recommend smaller businesses:
- Spend what they can afford to have cybersecurity discussions aimed at identifying the status of their cybersecurity. For example, filling out a short and clear survey then having a two-hour meeting with an advisor that can speak both business and IT languages can uncover key cybersecurity risks.
- Perform cybersecurity “mini strategy” sessions to begin to plan and implement affordable cybersecurity measures.
- Perform affordable training…building and maintaining awareness of cybersecurity risks and affordable actions that employees can take to reduce cyber risks.
Basic Defensive Cybersecurity Actions
The following slide is from a presentation we shared with business leaders, 4 years ago. It outlines 5 basic defensive actions. These basic defensive actions cost a small fraction of the cost of the package of actions recommended under formal cybersecurity assessments and many smaller businesses can afford to take these actions to protect their businesses.
Affordable Risk Management Processes
Cybersecurity is one of many risks faced by every business. Problems are reduced when time is spent thinking about risks and planning and implementing ways to deal with those risks. Considering the escalating cybersecurity risks, we encourage leaders of SMEs to ensure “basic risk-management” is in place.
The following two slides introduce what we mean by basic risk-management.
Cybersecurity measures are only successful when they have been performed properly. We have seen people fail at cybersecurity because they have not planned or taken action to succeed. We have also seen people fail at cybersecurity because they believed action had been performed and, in fact, that action had not been performed. Two examples: we have seen firewalls in place but not “turned on” and many people believe the big clouds are providing cybersecurity services under their lowest-priced service offerings.
Accountability is a necessary ingredient. People need to be accountable. And “software tools” can automate accountability activities.
Accountability
Leaders & Managers want control…so do Employees!
Cultures of accountability and business success can happen when the business leader ensures the right balance of accountability is established and sustained. Trust is at the core. Atmospheres of trust build relationships and strong team/community relationships naturally generate individual and team accountability.
We are complex creatures…I mean, people are complex creatures and they bring that complexity to work. Accountability can be simple/straightforward or complicated. Regardless, every individual person is complex.
Some people will be naturally inclined to take deadlines seriously and feel bad when they fail to fulfil commitments while other people will be far less sensitive to timing deadlines.
A blanket of accountability that covers all people is doomed to fail. Certain accountabilities can be applied to all people; however, it is best to custom-fit people to roles, recognizing those roles bring different types and levels of accountability. Ray Dalio did a good job of creating a comprehensive package of rules that set standards for accountability in his book, ‘PRINCIPLES’.
When we establish accountability for business roles and hire people to fill those roles, we must remember everyone wants a level of autonomy and freedom. Most, but not all, people want decision-making authority. People want to be able to choose what to do, how to do it…and where…and when. When their locus of control is threatened by others, people tend to feel uncomfortable.
At the same time…
We want relationships. We want to belong in community. [We find stability and comfort in “Place”.] We want a level of law and order for protection. We want shoulders to cry on and we want help when we call for it.
Our egos are powerful drivers, our emotions are powerful drivers, and our needs are complex.
Abraham Maslow ranked a hierarchy of human needs…
- Self-Actualization
- Self-Esteem & Confidence
- Love/Belonging [family first]
- Safety [shelter, security, health]
- Physiological [air, water, food, etc.]
If we under-estimate how complex people are when we apply accountability to them, we do it at our peril.
If we fail to appreciate the differences in people when we apply accountability to them, we do that, too, at our peril.
If you want to maximize accountability, match tasks to influence [and talents & strengths]
Full accountability is an unrealistic expectation. That’s setting the bar too high. There are many reasons why people cannot be fully accountable: they do not have 100% control over themselves; willpower has its good days and its bad days; they cannot exert perfect influence on other people; other people have minds of their own; multi-tasking is a distraction that takes focus off specific-task accountability…and there are many other reasons.
So…
Some of the people can be accountable some of the time.
None of the people can be accountable all of the time.
People can, however, be fully accountable for a few certain actions within their control. They can influence their own actions…not all their actions all the time, but definitely a few of their actions some of the time.
One key to success is matching accountability with those actions people can self-influence and perform with skill, repeatedly.
Consider each person whom you want to be accountable.
What specific actions do they believe they can be accountable for? Those are the things to focus on. Those are the right baby steps to take. Those are the actions that will bring constructive change.
Unless you know what people can be accountable for, don’t assume. Put another way, avoid the temptation to pick specific actions you believe or expect others can be accountable for. Instead, encourage others to help you understand what they believe they can be accountable for:
- Most likely they will pick items they know they can control or, at least, they think they have a good chance to control,
- Most likely they will pick items that align with their talents, knowledge, skills, and strengths…i.e., they will take talent to task, and
- Most likely they will pick items that align with their ability to exert self-influence.
This approach maximizes the buy-in, which is a key facet of accountability.
What if your people choose items that are unimportant vis-à-vis your company’s goals?
Well, isn’t that something worth learning up front before you waste energy force-fitting accountability on the person?
The Bottom Line
Recognizing people are complex, think carefully about the accountability you need to fit your business culture and your business vision. Apply accountability to roles, then select people who have the ability to succeed in the roles, meeting the required accountabilities.