Gary Hibberd

20200228

In case you didn’t know, 2020 is a leap year. Unusual events give rise to unusual traditions, and 29th February is no different.


Proposal to change your life

The most commonly known tradition is that women can ‘officially’ propose to men on the 29th February, which led to the day being known as ‘Bachelors Day’.

If a man declined the proposal, he was expected to pay a financial penalty, and in some European countries, he was also required to buy the woman 12 pairs of gloves. The reason for this was presumably so that the woman could wear the gloves to hide her embarrassment of not having an engagement ring!

Thankfully times have changed, but I do like the idea of keeping some traditions alive.


A decent proposal to change your business

Given that we have an extra day in the year, I often ask people what they are going to do with this extra day.

Perhaps making a proposal of marriage is the last thing on your mind, but how about making a proposal to change your security focus for the next 12 months, change the lives of your clients and change your business?

My proposal to you

You have been given 24 extra hours, 1,440 extra minutes, or 86,400 extra seconds to do something different, so make them count.


Here’s what you could do in just a few hours; you could even run an entire day of initiatives or events. In just 24 hours (or less) you can improve your cybersecurity or data protection. Here are some ideas:

  1. Conduct a Gap Analysis of your security, focusing on People, Premises, Processes, PCs and Providers – 3hrs
  2. Run a Crisis Management Exercise to see how the Board would respond to an incident – 2hrs
  3. Run competitions and quizzes related to cybersecurity, to raise awareness – 3hrs
  4. Run a ‘Capture the flag’ exercise, where you pit your IT team against the business. Teams have to defend the data they process (HR vs IT, Finance vs IT) – Can your IT steal the flag?! – 4hrs
  5. Conduct an ‘Asset Risk Workout’ – Each department identifies its data assets and who they share the information with, and how – 3hrs
  6. Interview and record 12 videos with key people (Directors, clients, employees) asking just one question “Why is Data Protection important?”. These can be played throughout the year – 4hrs
  7. Develop an audit plan for your next 12mths and decide who will audit what, and by when – 2hrs
  8. Have a ‘Netflix and Learn’ lunch. E.g. watch “The Great Hack” with your team over lunch and get their thoughts on the film and what lessons you can all take from it – 3hrs
  9. Create a communication plan for internal and external messaging about cybersecurity and data protection – 3hrs
  10. Create a strategic roadmap with tactics and operational steps for the next 12 months and go through it with your Board – 4hrs


This is your ‘Starter for 10’. Of course, you wouldn’t and couldn’t do all of these on the same day, but you could do two of them, or at least one.


A very decent proposal

Of all the above suggestions, perhaps the most decent and important is the last: building a strategic roadmap for the next 12 months.

This should be written up into a proposal and presented to your Board so that you have their buy-in. Outline the following strategic steps:

  • What you are looking to achieve (SMART Goals)
  • How you will measure success
  • What ‘Success’ looks like
  • What resources you need (people and financial)
  • What frameworks you will follow (ISO27001? Cyber Essentials? PCI DSS?)


Then think tactically:

  • Which teams you need support from
  • What policies and processes will need to be improved
  • What departments and functions will be your initial focus


Then operationally:

  • What methods you will use to gain support
  • How you will conduct a Gap Analysis
  • Who will be involved in the Risk Workshops
  • Who is on your Security Review Team
  • How you will conduct audits


This plan can be drawn up and presented to your leaders as a proposal, or you could present these questions to them and get THEM to come up with the answers with you.

Putting this kind of proposal to your business leaders isn’t just a decent idea; it’s an extremely important one.

You have the opportunity to change your business, and we all know that 24hrs can fly by so quickly. Why not grasp the next 24hrs and make a real difference to your business and to the lives of those who depend on you.

Of course, you could also take inspiration from the old tradition of buying 12 pairs of gloves. However, this time it’s not to hide the embarrassment of not wearing a ring; it’s to cover the fact that the Board has ‘blood on their hands’ and is ultimately to blame for any success or failure related to Cybersecurity and Data Protection.

Ultimately the Board are accountable for Security and Data Protection, and that’s something they should recognise 366(!) days of the year.
