Beyond the technical issues that businesses face with IT security, the greatest stumbling block to making change and implementing effective solutions is the human element, which boils down to two key problems: you don’t know what you don’t know, and although you inherently shouldn’t trust anyone, you have to trust someone.
In the previous entries in this series by my peer Joshua Wood, you read how IT security has become a growing and unavoidable issue for businesses today and how you can take the first steps towards better IT security. In this blog post, I’m going to address how you can identify the right security partner to work with when tackling IT security.
The challenge with finding the right partner is that you can’t trust someone unless you know them, but chances are that you don’t have a long list of names to start from. Likely you have (or could easily find) an endless parade of pitches from potential IT security partners, but no clear – or foolproof – way to vet them.
MOVING TOWARDS A SOLUTION
So how do you address the issues and start moving towards a solution?
Leveraging your resources
Even if you don’t know any IT security professionals, your network does. Leverage your contacts – people you trust – to identify resources or individuals that others recommend. Additionally, there is value in attending industry events where you can actively talk to potential partners. Don’t be afraid to talk specifics – see who you connect with and what they have to offer. You’ll also meet people who can share recommendations and hear about current risk and mitigation strategies.
Considering your needs
Once you’ve drawn up a list of names of people / companies you may want to work with, it is now crucial to consider your specific needs.
• Do they align well with your organization’s culture?
• Will they see your business as a priority?
• Are they well aligned to your company’s size?
• Do they have any experience in your industry, or in your specific area of concern?
Have a short list? There are a couple of steps to take to confirm which partner is the best match.
Stage #1: Get guidance and start small
Ask your prospective partner for initial guidance. If they have experience in your industry, with your specific concern, or with similarly sized organizations, they will have a few ideas about where to start (which are also important for corporate governance and policy). Make sure things feel right before moving forward, and then only start with a small project that will allow you to test their knowledge and the working relationship.
Stage #2: Ensure alignment
Assess how well they communicate and align with your culture. Can they work with different parts of your organization involved in this project? Can they integrate and mediate between external partners? A balance of experience, with technical and policy perspective, as well as the ability to communicate effectively with both technical and non-technical people is what makes a strong partner. Similarly, the ability to frame security risks and potential solutions in real-world language versus technical jargon is never more important than in IT security. Remember, if you’re concerned that you “don’t know what you don’t know”, imagine how your senior leadership or board of directors feel.
Only after you have found the right partner, put them through their paces and started building mutual trust, will it be time to move forward with larger and more comprehensive solutions.