How do you foster a collaborative dynamic when assessing another organization’s cybersecurity?


CTO in Software, 11 - 50 employees
I made some great friends doing cybersecurity assessments. I can pick up a phone in a foreign country and never need to worry about a meal. It's amazing the way a community rallies around itself, but that comes with a certain level of diligence and discipline, where you're each able to demonstrate to the other that you're not there to make them feel bad. You're in the trenches with them, trying to do the same thing for the same team. You just have a better vantage because you’re the mercenary who has been out there, seeing the world as it is. That gives you the ability to make a more effective decision. 

Then you could even be asked to be a SANS instructor based on your community impact because you approach it with an agnostic view, and you're able to remove the ego from what you're trying to achieve. That allows you to assess the individual, team, or institution as a whole and say, "It's not about this one factor of the multi-factored Swiss watch of the customer security program. I don't care about that one cog. I care about the entire watch piece." That creates a different dynamic.

It used to be that when I would come in to perform a forensic assessment on an organization, the legal liability of that risk was identified as the “Joe factor” as we would witness factors that other tools left behind by using our methodology. People in those organizations thought, “If that person sees too much, he needs to go because he understands exactly what's broken. If we have to dismiss this individual, we are in trouble.” So there is a certain approach that you need to bring in as the outside party to bridge the gap between acting in the best interests of all involved.

Director Of Technology in Education, 51 - 200 employees
Collaboration is a 21st century skill.

To foster a collaborative dynamic when assessing another organization’s cybersecurity, keep the discussion light and the documentation heavy.

Microsoft’s Office 365/Google’s G-Suite allow easy cloud-based collaboration across a variety of devices. Cloud providers such as Office 365/G-Suite can be securely used across organizations.

Prioritize asynchronous collaboration (as opposed to synchronous/real-time collaboration) to allow individuals to interact and engage at their own speed.

Synchronous/real-time meetings (online or in-person) should be done in a diligent and organized manner with an agenda shared prior to the meeting.

Traditional business meetings are good for disseminating information, not necessarily for creating ongoing dynamic collaboration.

Senior Information Security Manager in Software, 501 - 1,000 employees
I found the best way to do it is over pizza. See

Of course, that does not always, no pun intended, scale well.

With that, if you can have a conversation with their security people, that can give you a lot of confidence (or worries) about how well they do information security. Conversations are infinitely better than getting back an Excel spreadsheet.

Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees
Nowadays the assessment of another organization's cybersecurity posture is a staple when doing business / entering into an agreement. We have to remember that above all, we do plan on entering into an agreement (whether we are doing the assessment as part of due diligence for a business client ask, or doing so for a service / solution that IT/cyber will use).

That said, these things take lots of time and effort, usually. Some organizations have streamlined the process and already have plenty of documentation to share with the specifics that you're looking for. Others will have leveraged industry standard assessment tools (for example, I work in higher education and we use the HECVAT - Higher Education Community Vendor Assessment Toolkit - as a means of completing our assessments) to streamline the process.

Where we see the collaboration needed is often the back and forth between cyber professionals to further understand the depths of the assessment. This is where fostering a collaborative approach can gain long-standing trust should things move in the right direction. I've often found that instead of being negative on some of the gaps (basically scoring negatively), if I'm in a position to coach the organization on areas of improvement, it goes a long way. There are some organizations that do not have cyber as their main competency, and therefore will not always shine in this area. Have some grace and patience, and help where you can. As long as they are willing to listen, take feedback, and improve this will likely be the start of a good relationship. Keep in mind you may be stuck with them for a few years, especially if the business has already made the decision to use them! So make the best of it and maintain good relations. It's often also an opportunity to be snatched away / hired by the organization that needs assistance lol.. as long as they pay better 🤷‍♂️

Good luck!
