This framework has already provided guidance on defining the key technical assets in a small business. Just as important are the people who have a stake in the success or failure of the cybersecurity program. A stakeholder in this context is any person who has a key interest, responsibility, or influence on the organization’s cybersecurity program.  

Just as you took an inventory of your company’s hardware and software, you should identify and document all of the human stakeholders. This gives you a clear map of the people who contribute to, and are affected by, the state of your organization’s cybersecurity. Having this documentation will also make developing later parts of the framework easier.

Stakeholders may include:

  1. Business Owner: This individual usually has the greatest financial stake in the success of the business. In most small business scenarios, they also serve as its chief executive, so the success or failure of the business reflects on them personally and can make or break their career and livelihood. In the event of a serious cyber incident, the owner can face serious financial, legal, and reputational peril. It is therefore the business owner’s responsibility to see that cybersecurity is made a priority from the start. If you are reading this framework, you are likely a business owner yourself, and good on you for taking the issue seriously.
  2. Management: Most small businesses do not have C-level management like in larger enterprises. However, many do have their own delegation of management. A small business may have an operations manager, floor manager, general manager, or any number of others, depending on the context and size of the business. Oftentimes, these managers will have certain cybersecurity responsibilities delegated to them. For example, a floor manager may be responsible for ensuring that cashiers follow security standards and guidelines when using Point of Sale systems for customer transactions. An operations manager may need to ensure that projects are performed in compliance with security best practices to prevent data loss or theft. A general manager might be tasked with upholding confidentiality and integrity when sharing financial data with vendors. Delegating cybersecurity roles and responsibilities is covered in more detail further on, but it is reasonable to assume that all managers will have some high-level cybersecurity responsibilities delegated to them. This puts their employment and the success of the company at stake.
  3. Employees: Employees as a whole are extremely relevant stakeholders because they are the ones who use the organization’s information technology day to day. Employees should be expected to follow the policies, procedures, guidelines, and standards set by management. More often than not, successful cyberattacks begin with phishing or other social engineering of front-line employees rather than with a direct technical break-in. It is therefore important that employees at all levels are educated on the role cybersecurity plays in their daily workflows and on the effect that noncompliance can have on their employment and reputation.
  4. Customers: The customers of any business place their trust in the business to provide a good or service in an acceptable way, and they go as far as trusting it to properly handle and secure their personal and financial information. In many cyberattacks, customers are among the parties that suffer the most: by trusting a business with poor cybersecurity practices, they may eventually see their personal information stolen by malicious actors. Sometimes an attack enters a business through a customer. A customer account on the organization’s website may be compromised (for example through a reused or phished password) without the customer’s knowledge, and the attacker then uses that account’s access to reach back-end resources and escalate from there. By communicating clearly with customers and being open about the cybersecurity policies and controls in place, a business can keep its relationship with customers healthy and reduce major security risks.
  5. Vendors & Third Parties: Every small business is bound to rely on at least a few third parties for any number of services. From ordering goods to installing technology, third parties can be extremely important to business success. However, much like customers, these third parties can create a security nightmare if not handled properly. Several high-profile cyberattacks, such as the 2013 Target breach (where attackers used network credentials stolen from an HVAC vendor), originated with a compromised third party whose trusted access was then used to penetrate the target company’s resources. Many small businesses share the same large vendors, only to discover that their business data has been compromised and leaked not through their own networks or systems, but through the vendor’s. This is why it is extremely important to choose third-party vendors carefully and to confirm that they have acceptable security precautions of their own in place. Third-party responsibilities are especially common with cloud computing services. Many small businesses trust large cloud vendors to host their critical business resources, shifting much of the burden of upholding the CIA Triad (confidentiality, integrity, and availability) to the vendor. Note that this burden is shared, not transferred: the cloud vendor secures the underlying infrastructure, but the business remains responsible for how it configures the service, who it grants access, and the data it stores there. Not only do these vendors now have huge potential to make or break a small business, but they can see their own reputation destroyed by poor management of a customer’s resources.

You can use the template provided below to start documenting the stakeholders in your organization. This does not have to be a one-and-done task; you can refine it over time, especially after completing the section on defining Cybersecurity Roles & Responsibilities. It is important, however, to keep the document updated and relevant so that you have as complete a view as possible of who affects, and is affected by, your organization’s cybersecurity.


Template