Even in the smallest of organizations, a single person is not sufficient to properly perform all IT and cybersecurity-related tasks. In business environments, cybersecurity is as much of a social responsibility as a technical one. Diverse perspectives and ideas need to be heard and blended to determine what the best course of action is regarding cybersecurity measures. Therefore, one of the most important steps in implementing a comprehensive cybersecurity program is assembling a Steering Committee to oversee the implementation of the program's components.

The goal of a Steering Committee is to assemble an array of stakeholders to give perspectives and make decisions on what is best for the company's cybersecurity, whilst also adhering to the key business objectives. The committee should meet on a basis that is deemed appropriate for your organization. An organization with fewer than five employees and only a few systems may only need to meet on a bi-monthly basis, while an organization with ten or more employees and systems might want to meet monthly or even bi-weekly.

When building your organization’s Steering Committee, ensure that you appoint stakeholders traversing all areas where digital resources are used. You may want to include managerial personnel from each business department, as they will be well-versed in the nuances of cybersecurity as it applies to their specific areas of operation. However, you shouldn’t limit the committee to managers and administrators only. It could be very helpful to appoint one or two lower-level employees, as they are often the ones interacting with your organization’s digital technology daily. A key focus of assembling the committee should be to make it as democratic as possible so that cybersecurity best practices can be implemented and communicated in all areas of the organization, from the very top to the very bottom.

You will also need to designate a single person as the chair of the Steering Committee. In the context of a small business, it is likely to be you, the owner. However, it doesn’t have to be. If there is an individual in your organization who has advanced information technology knowledge and good communication skills, you could designate them as the chair if comfortable. The committee chair is responsible for using data and insights regarding the organization’s cybersecurity to drive meeting discussions and keep them on track. Another individual on the committee should serve as the scribe, keeping minutes for each meeting and summarizing them to committee members for upcoming meetings.

Depending on the size of your organization, your committee may consist of anywhere from three to six members. It is important to ensure that your team is not limited to internal employees. To keep the team aligned with business and industry standards and objectives, try to appoint any appropriate external contractors and consultants as well. Many small businesses opt to outsource their Information Technology Management to a third party. A good Steering Committee for cybersecurity needs to have Subject Matter Experts (SMEs) for it to function properly, so it would be appropriate to include third-party IT consultants if your business utilizes them. An accountant and/or financial advisor may also be appropriate to appoint, as they can give advice and recommendations on what is feasible regarding IT costs.

Once your Steering Committee has been assembled, ensure that the set meeting schedule is followed and documentation is kept and properly stored. In the event of a major cybersecurity incident or crisis within your organization, it may be appropriate to call emergency meetings. Anything regarding company cybersecurity policies, operations, incidents, opinions, desires, and disagreements should be reviewed by the Steering Committee. The committee should also collaborate on drafting the company's cybersecurity policies, which will be explained later in the framework.

Example: A small Main Street café could assemble a cybersecurity Steering Committee consisting of the business owner, the baristas running the Point-of-Sale systems, the outsourced accountant, and the outsourced IT technician. The baristas may have some concerns relating to the lack of physical security for the Point-of-Sale systems. The accountant might be concerned about the way documents containing sensitive information are transported from the café to the accounting firm. The IT technician could give insight into possible technical controls to remedy these issues. The business owner will be able to make executive decisions on the highlighted issues and review the financial feasibility of proposed controls.