For almost two weeks nothing worked in the Anhalt-Bitterfeld district. No e-mail program ran, no benefits could be paid out, not even the phones worked. Encryption software, so-called ransomware, blocked access to systems and data. In the same month, similar attacks hit several companies around the world: in Sweden an entire supermarket chain had to close its stores because the cash register systems no longer worked, and in Germany the food chain Tegut was affected.
According to Bitkom, the total damage caused by such attacks in Germany last year amounted to 223 billion euros. And these are only the documented cases; the number of unreported cases is likely to be much higher. While large companies and corporations are already investing a lot of resources in the security of their systems, small and medium-sized companies in particular have a lot of catching up to do. Hacker groups have long since recognized this and are targeting them. All too often only one person or a small group is responsible for the cybersecurity of these companies, and that group in turn works separately from the other departments. This is exactly where the problem lies: although security is essential, it is too often viewed in isolation from the overall strategy. In the end, it is not just about the best firewall or the best defense system. Rather, it is about creating awareness of the everyday threat, of the corresponding precautions and of the options for action throughout the company.
With regard to cybersecurity, companies can often only react, i.e. intervene once gaps become apparent or an emergency occurs. For teams and employees in the field of cybersecurity, it is a great challenge to adequately protect the increasingly complex application landscape. They are rarely closely interlinked with the corporate strategy and as a result cannot actively steer cybersecurity, but mostly only respond to it.
OKR – breaking down goals
To become active, it is worth taking a look at the method toolbox: working with OKR, short for Objectives and Key Results, is a way of approaching the topic and breaking down the cybersecurity monster into individual, comprehensible and feasible building blocks. OKR give organizations the opportunity to react very flexibly to situations. Instead of laying out strategy cycles over years, this method allows the individual cycles to be laid out over three months or even one month without losing sight of the overall goal, the objective. On the contrary: the individual steps make the big goal easier to digest. Tasks are sensibly divided within teams, transparency is increased and greater commitment is ensured. In this way, the method promotes innovation and also the acceptance of measures within the team. It can also help to close the gap between management and team level, as it promotes exchange as a whole. In a weekly rhythm, goals are tracked and hurdles are discussed so that adjustments can be made where necessary. The entire team knows the most important issues and focuses on achieving the goals. The close-knit steering and regular reflection on the goals during the process makes it possible to react to changing framework conditions and make adjustments at short notice. OKR can also be used to check and measure which measures are successful and which are not.
The same applies to the OKR method with regard to a company’s security strategy: instead of continuing to work in silos and thus allowing the individual teams and departments to run in parallel, OKR offer the opportunity to close these gaps and to significantly change how the entire security apparatus is steered. The targeted nature of the measures improves cybersecurity in the long term.
Responsibility instead of micromanagement
But where do you start? The first step is to find out where the company stands on the basis of a maturity check – for example with the assessment tool for the minimum ICT standard of the Swiss Federal Office for National Economic Supply. A distinction is made between different maturity levels, which describe how far the company has come in achieving the respective security levels. The individual maturity levels, in turn, can be broken down into key results, which at the end of the day contribute to an annual objective. So if an organization determines that it is currently at maturity level 2, an objective can be to achieve maturity level 3 by a certain point in time. The next step is then to define the specific activities that are necessary to achieve the goal. This is how the key results are created.
This method is particularly suitable for self-organized teams. Managers have the opportunity to fully involve their teams in all processes and at the same time retain oversight. Micromanagement is therefore out of place with this method. Rather, it is about giving the individual team members responsibility for their respective tasks and, as a manager, being the link to the other teams in the company and identifying the problems and challenges that prevent the team from achieving its goals.
But caution is required precisely with the OKR method: organizations are all too eager to use this tool even where it makes no sense. If, for example, routine tasks are all translated into OKR at once, the result quickly degenerates into pure performance management and the tracking of individual performance. There is also the risk of high complexity due to too many individual and diversified subject areas.
But when it comes to coordinating decentralized teams and people, pooling knowledge and setting up a fluid security process, OKR can be the right method. Prevention, reaction and evaluation are fundamental to cybersecurity, and cybersecurity in turn to the security of the company itself.