Just Show Up

Another day, another piece of snail mail junk.

But wait a minute… why am I getting mail from the town of Marlborough, Connecticut? I’ve never even been there.

Ah, but it seems I know someone who has.

Because inside the letter was a fuzzy picture of my car – the one my wife drives and that is registered in my name.

And not just a picture. There was also a $65 speeding ticket for going 44 in a 30 MPH zone.

“Rachel, were you in Marlborough, Connecticut two Saturdays ago?”

“No. Oh, wait. I had lunch with my parents.”

“Um, were you going 44 in a 30 MPH zone?”

“Of course not. Well, maybe.”

“They had an automated traffic cam. It looks like they got you.”

True or not, I wasn’t happy. Why are they sending ME a ticket when I wasn’t driving?

So I appealed (twice) until they gave me an online hearing date and an opportunity to make my case.

A couple of weeks later, I jumped on the Microsoft Teams meeting as instructed.

One minute, two minutes… seven minutes past the scheduled start time and still nobody joining me. So I logged into the “other” standing meeting they have for tickets (why do they have two?).

Still nothing.

Finally, after a couple of bounced emails came back, I consulted my favorite LLM and asked what to do. It gave me some additional contacts.

I sent more emails, and eventually (20 minutes?), I got a call from someone at the town of Marlborough: 

“Good news, we are having some IT problems with the meeting. Case dismissed.”

And that is the power of just showing up.

(Granted, it kind of made me wish I had been accused of a more serious crime, but that’s fine, I’ll take it!)

Showing Up is Half the Battle

As with speeding ticket appeals, when running a cybersecurity program, there is a lot to be gained by showing up.

Yes, being an expert helps. And of course, there are some tough calls that require more knowledge, data, time, and money than showing up alone can solve.

But there are a whole bunch of things – important, cybersecurity things – that require little more than your ongoing attention. Things like…

  • Consistent software updates
  • Access removal for former employees
  • Multi-factor authentication across the board
  • Ensuring former vendors delete your data
  • Regular cybersecurity training

None of these things are technically complex. Almost anyone in your organization can ensure they happen – provided they show up.

Regular Meetings Provide a Framework

Setting up a standard “meeting structure” within your organization is a proven way to keep things on track.

But not all meetings serve the same purpose, which means not everyone involved in your cybersecurity programs needs to be at every meeting. Here’s an easy way to think about it…

Weekly Meetings

These help build momentum for new initiatives. They also keep the topic top of mind and create short timelines for task completion.

In addition to a tech person, and because so much of cybersecurity is program-related (training, policies, audits, etc.), you’ll want some type of program or project manager; someone who knows how to run things.

But be careful about adding people for the sake of numbers. Too much overlap and people start assuming “someone else” is taking care of things.

Monthly Meetings

Cybersecurity touches all aspects of the organization. So while weekly meetings are not necessary for everyone, monthly meetings are a way of ensuring your cybersecurity program remains on track.

Here is where you might include an HR representative (e.g., to ensure access has been removed for off-boarded employees), or the head of your development team (e.g., to check in on your Secure Software Development Lifecycle [S-SDLC] progress). 

Remember, just because you set up a cybersecurity program or procedure in the past, it doesn’t mean it is still happening. If you never check in with those involved, you’ll never know.

Quarterly Meetings

Once a quarter, you’ll want to share a well-polished presentation with your Executive Team – something that includes relevant data, a tightly-tuned message, and clearly laid out requests (share requests beforehand, so there are no surprises).

Executive support does not come with a “forever” stamp. So while you may only have this group’s attention for 30-45 minutes each quarter, you want them to continue believing your work is a worthwhile investment of company time and resources.

Don’t Forget the Agenda

As it happens, there are people who do not think cybersecurity is the most important thing on Earth (I know, I can’t believe it either). So there is always a risk some individuals won’t take things seriously or even avoid meetings entirely.

A detailed agenda, distributed prior to the meeting with names, tasks, and deadlines, will demonstrate that this is a real thing worthy of their attention. Show them you are not going to waste their time with something they are already not excited about.

The Meeting is the Message

There is a version of cybersecurity that involves firefighting, emergency patches, and 2 a.m. incident calls. Nobody wants that.

Fortunately, the alternative isn’t some impossibly sophisticated program. Instead, it’s a structure that makes “showing up” easy and consistent – for you, your team, and the executives whose ongoing support you need.

Fuzzy photos optional.



Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).
