Even in the smallest of organizations, a single person is not sufficient to properly perform all IT and cybersecurity-related tasks. In business environments, cybersecurity is as much of a social responsibility as a technical one. Diverse perspectives and ideas need to be heard and blended to determine what the best course of action is regarding cybersecurity measures. Therefore, building a comprehensive cybersecurity team should be one of the first courses of action in an organization.
The goal of a cybersecurity team is to share perspectives and make decisions on what is best for company cybersecurity whilst also adhering to the key objectives and mission of the business. The team should meet on a basis that is deemed appropriate for the organization. Organizations with fewer than five employees and only a few systems may only need to meet on a bi-monthly basis, while organizations with ten or more employees and systems might want to meet monthly or even bi-weekly.
When building your organization’s cybersecurity team, ensure that you appoint individuals covering all areas of the organization where technology is present. You may want to include managerial personnel from each business department, as they will be well versed in the nuances of cybersecurity as it applies to their specific areas of operation. However, you shouldn’t limit the team to managers and administrators only. It could be very helpful to appoint one or two lower-level employees, as they are often the ones interacting with your organization’s digital technology on a daily basis.
You will also need to designate a single person as the “lead” of the cybersecurity team. In the context of a small business, this is likely to be you, the owner. However, it doesn’t have to be. If there is an individual in your organization who has advanced information technology knowledge and good communication skills, you could designate them as the lead if comfortable. The team lead is responsible for using data and insights regarding the organization’s cybersecurity to drive meeting discussions and keep them on track. Another individual on the team should serve as a scribe, keeping minutes for each meeting and summarizing them to team members for upcoming meetings.
Depending on the size of your organization, your team may consist of anywhere from three members to six members. It is important to ensure your team is not limited to internal employees. To keep the team aligned with business and industry standards and objectives, try to appoint any appropriate external contractors and consultants to the team. Many small businesses opt to outsource their Information Technology Management to a third party. A good cybersecurity team needs to have Subject Matter Experts (SMEs) present for it to function properly, so it would be appropriate to include third-party IT consultants if your business utilizes them. An accountant and/or financial advisor might also be appropriate to appoint, as they can give advice and recommendations on what is feasible regarding desired technology.
Once your team has been assembled, ensure that the set meeting schedule is followed and documentation is kept and properly stored. In the event of a major cybersecurity incident or crisis within your organization, it may be appropriate to call emergency meetings. Anything regarding company cybersecurity policies, operations, incidents, opinions, desires, and disagreements should be reviewed by the cybersecurity team. The team should also collaborate on drafting the company cybersecurity policies covered in this framework.
Example: A small Main Street café could assemble a cybersecurity team consisting of the business owner, the baristas running the Point-of-Sale systems, the outsourced accountant, and the outsourced IT technician. The baristas may have some concerns relating to the lack of physical security for the Point-of-Sale systems. The accountant might be concerned about the way documents containing sensitive information are transported from the café to the accounting firm. The IT technician could give insight into possible technical controls to remedy these issues. The business owner will be able to make executive decisions on the highlighted issues and review the financial feasibility of proposed controls.

