The first question security leaders need to ask before a breach happens

Engage people in a dialogue that uncovers what actually matters to learn where and how to improve security before a breach happens


I offered 5 questions to ask before a breach happens almost two years ago. Since then I’ve shifted from the dreary “assume breach” to the leadership-focused “anticipate breach.” And while these are still solid questions to ask, I found one is the starting point. 

Most of the security leaders I’ve worked with lately share similar concerns. We face mounting pressure to prevent breaches. At the same time, we feel understaffed and under-resourced.

Overwhelmed, we struggle for alignment. We’re searching for clarity of focus, priority of effort, and the confidence to act. To take the best next step to protect what matters and avoid missteps. 

Feel familiar? 

That means a lot of misplaced attention on preventing a breach. An approach akin to playing to NOT lose. 

It’s clear we need a different approach. A way to bring people together. To make sure we're building the security we need. 

I recently worked with a colleague to build a half-day workshop for non-technical leaders. Executives and directors interested in security, but not sure where to start. We focused on core questions they needed to get comfortable asking... and answering. 

In the process, I realized it all starts with a single question: 

What happens when a breach happens?

Embrace the power of questions (without knowing the answer)

“Asking the right question is infinitely more powerful than knowing the correct answer.” - Michael Santarcangelo

Questions shape thinking. They allow us to learn from others. When used in an open and consistent way, they give us a method to test options.

The right questions asked the right way let us make better decisions.

The key is embracing questions as a process. It’s not cut and paste. It’s an open-ended start to a dialogue. Accept that you might not have the answer when you start.

You don’t need the answer when you start. 

The goal is working with others to find the right answer in your context. 

Getting the dialogue started

Choose dialogue over discussion. Dialogue is a process to develop mutual understanding. Discussion is a form of debate. The goal of debate is to be right and win. 

The key to lasting security success is to realize it’s not about winning and losing. We’re playing an ‘infinite game’ with no finish line. Success is when people around us are better today than they were yesterday.

The more we know about the people around us, the more capable we are to elevate their situation. 

When you ask “what happens when a breach happens” - it’s an opportunity to learn. 

When asked, focus on how the system or process in focus works. How it actually works. Don't worry about security right away. Explore challenges and opportunities. Find out what caused problems in the past (and why). Talk about their concerns and figure out how you can help them. 

Find out what's actually important. Protect that. 

Sometimes the person or audience you ask might wonder why you’re asking. They’ll play cautious and look for your angle. Often they offer, “nothing.” Chances are "nothing" is not accurate.  

But it might not be wrong. Let the dialogue sort the nuance. 

This is a chance to learn instead of lecture. No need to argue. Seek instead to understand. They might already have a sense of what matters. While the language might be different, they might know what needs protection. 

Most people have not considered what happens after a breach happens. All our focus is on preventing the breach. 

Now that you asked, it's a chance to work together to figure it out. That leads to more questions. Check out the slide show “Are you ready to anticipate breach?” for more questions and ideas.

The key outcome in the process is understanding what is actually important. It’s the chance to gain alignment between security and the balance of the organization. 

Lead the path to better security with questions

Asked in an open and transparent way, “what happens when a breach happens?” is a powerful way to improve how security protects the business. 

There is no set path. 

The key is using this question as a powerful opening. Invite and get people involved in protecting systems and information.

Engage in the dialogue to see where it leads. Along the way you’ll figure out where to best focus assets and efforts to create the most value. 
