Cybersecurity resilience starts with leadership and a strong operating model
Once upon a time, cybersecurity concerns were relegated to the IT team, and company leadership was rarely involved. Oh, how times have changed! Technical deterrents no longer suffice, and organizations must build a security-conscious culture from the top down.
A credit union was having trouble consistently executing cybersecurity initiatives in a way that engaged leadership. At the time, it largely relied on a reactive strategy rather than one that proactively addressed compliance. The credit union enlisted Kalles Group to help build a solid operating model for integrating cybersecurity into business practices, improving collaboration, and building trust across the organization.
Why top-level collaboration is now the sine qua non for IT risk management
Given the frequency and sophistication of today’s cyberattacks, it makes the most sense to see risk management as everyone’s responsibility. Technical safeguarding methods like firewalls can only go so far when hackers are adept at impersonating the CEO in an email and enticing an unsuspecting employee to click a link that swiftly siphons off millions from company coffers.
What is essential in this day and age is direct collaboration among leadership with a focus on cybersecurity and a consistent, company-wide execution of pertinent initiatives and objectives. Leadership is critical for building awareness, maintaining accountability among employees, and ensuring that risk management is built into all business processes.
Working with Kalles Group, the credit union set a goal of transitioning to a more connected and aligned cybersecurity leadership team marked by high levels of trust, effortless communication, and transparent, agile execution.
A truly proactive approach hinges on a robust cybersecurity operating model
A major weakness in the credit union’s cybersecurity program was the fact that its approach was largely reactive instead of proactive. The best cybersecurity strategies use a combination of both. Obviously, it is essential to know how to stop hackers in their tracks (and minimize the damage they cause) after they break through at least one security layer. But it is just as important to focus on preventing any level of breach in the first place, using methods such as endpoint management, ethical hacking, and staff training.
An operating model is the best way to implement a proactive strategy because it makes it easier to undertake compliance exercises. When faced with external pressures or regulatory mandates, an organization lacking an operating model can find itself scrambling to identify and understand the necessary compliance requirements. This could lead to missed compliance deadlines, difficulty adapting to evolving regulatory landscapes, and non-compliance.
Cybersecurity initiatives often require change — but change can be tough
Although the credit union had undergone significant changes within its organizational structure and leadership team over the prior fiscal year, its corporate culture was not accustomed to processing change. People at the organization tended to be quite risk averse, and trust had not yet been established across organizational touchpoints because the larger, more engaged cybersecurity team had only recently been established.
The new team suffered from minimal visibility at the internal team level, business unit, and broader organization with respect to its new role and priorities. As a result, the current state of the operating model had resulted in disjointed processes, ambiguous expectations, a lack of accountability, and varying experiences. This in turn led to avoidable disruptions, reactive processes resulting in extra work, much frustration, and a further loss of trust and credibility.
With a focus on change management and trust building, the credit union looked to Kalles Group to build a more streamlined operating model for embedding cybersecurity awareness and accountability into all levels of the organization.
Facilitating change management with structure, communication, and collaboration
Kalles Group leveraged expertise in stakeholder management, project management, and change management to design a new operating model for cybersecurity. This model was aimed at creating structure, consistency, and predictability, with the overarching goals of enhancing trust and creating a culture of clear communication and transparent, agile execution.
The operating model consisted of five foundational elements:
- Strategy. The team shifted from annual strategic planning to regular sessions and implemented daily check-ins, weekly/bi-weekly team meetings, and monthly review meetings. They also developed and facilitated quarterly strategy sessions based on observations from daily, weekly, and monthly sessions.
- Execution. The team developed a tactical execution strategy, mapped workflows and dependencies, centralized cybersecurity information for easy access, supported change management activities, and performed user testing against new processes for continuous improvement.
- Collaborative execution. The team established working agreements, engaged in coaching for cybersecurity senior and executive leadership, brought in early engagement from impacted teams, and reviewed and redesigned processes to foster collaboration.
- Communication. The team developed artifacts for communication at multiple levels, engaged key stakeholders to align cybersecurity initiatives with organizational objectives, provided timely communication on the status of initiatives, and established consistent and predictable communication elements.
- Sustainment. The team addressed past challenges in starting and sustaining efforts, identified potential obstacles to taking the first steps toward the operating model, and evaluated which elements were already being implemented.
The purpose of the operating model was to delineate an optimal “future state” characterized by broad improvements in collaboration, communication, and performance with respect to cybersecurity. Guided by this vision, the leadership team can systematically address priorities and execute incremental steps. Each stage represents a milestone in which specific aspects of the new operating model will be implemented, tested, and refined.
Kalles Group also designed a Microsoft M365 SharePoint site that was designated as a Center of Excellence (CoE) for cybersecurity documentation. This serves as a centralized hub for organizing, managing, and collaborating on various cybersecurity processes and documents as a single source for the organization. With the launch of the CoE, the credit union is in a better position to foster collaboration, increase knowledge sharing, and strengthen best practices.
A cybersecurity operating model that enhances collaboration and performance
Although the project is still in the early stages, the credit union is well on its way toward reaching the desired future state characterized by a connected, aligned leadership team that contributes to improved organizational performance. The new cybersecurity team is already reaping the benefits of enhanced cross-group collaboration, more streamlined organizational execution, and higher-level contributions from individuals.
By taking an incremental approach to rolling out the operating model, the credit union has also managed to avoid any major disruptions to ongoing operations. This approach involves prioritizing certain key changes and implementing them carefully while navigating through the structured pathway of readiness and development. This gradual evolution has allowed the organization to adjust its strategies based on feedback and ensure workforce alignment throughout the process.