Seven Practices of a Business-Aligned Security Leader
By: Adam Palmer
If one thing is certain in today’s business environment, it’s that cyber threats will continue to proliferate, exposing every organization in India to significant business risk. Many organizations continue to deal with the pandemic, economic slowdown and shift to remote work — each testing the resilience of a cybersecurity plan. According to a study by Forrester Consulting, 97% of organizations in India experienced a business-impacting cyberattack in the past 12 months. Unfortunately, these attacks had damaging effects, with organizations reporting identity theft (44%), financial loss or theft (38%), and ransomware payout (33%).
The reality is that digital transformation has woven the threads of intellectual property and technology together. The modern CISO can no longer focus on just one thread; they must advocate for the security of both the technology and the business — evolving from a technology expert into a business-aligned security leader.
Importance of a business-aligned security leader
With cyberattacks having the ability to cripple not only the reputation but the bottom-line of an organization, it’s clear that cyber risk is a business risk. It’s a topic that demands the attention of business leaders and board members yet can easily get lost in translation if threats are not conveyed in business terms.
When an organization is under attack, business leaders want to know one thing: will our ability to deliver on our core business value be negatively impacted by this threat? Unfortunately, many CISOs and security teams are not able to answer that question in business terms. There is a stark disconnect in how business and security leaders understand and manage cyber risk. The good news is that CISOs are uniquely positioned to bridge this disconnect, and the seven practices below are how they evolve into business-aligned CISOs.
- Align with business goals: Cybersecurity needs to be intrinsically linked to business goals. Security leaders need to understand their organization’s core reason for existing. For example, in government, the answer would be to provide a service to the public. Only by understanding the organization’s business goals can security leaders develop cybersecurity strategies that are in lockstep.
- Gain a holistic view of attack surface and critical assets: CISOs and security teams must protect a dynamic and highly fragmented matrix of on-premises, cloud, and hybrid infrastructure, applications, data, mobile, IoT, IT, and OT systems — not to mention employees, contractors, and third-party partners. To be effective strategic partners to the business, security leaders must have a holistic understanding of their entire attack surface within the context of business risk.
- Demand resources to identify and reduce threats: Communicating business risk accurately to business leaders requires confidence in the tools needed to get the job done. Without the right technology, data and processes, security teams won’t be able to identify the risk level that cybersecurity threats pose to the business. The same Forrester study showed that more than six out of 10 business-aligned security leaders are highly confident they have the technology, processes, and data to accurately predict the likelihood of a cybersecurity threat impacting the business.
- Take a proactive approach to vulnerability management (VM): Malicious actors are continuously identifying new ways and opportunities to infiltrate businesses. Therefore, security leaders cannot afford to sit back and react to the next attack; they must shift their approaches from reactive to proactive. Business-aligned security leaders automate vulnerability management processes more frequently than their more siloed and reactive peers and are three times more likely to use a combination of asset criticality and vulnerability data to prioritize remediation efforts.
- Collaborate with business stakeholders: There is no one-size-fits-all approach to identifying the key risk indicators that matter most to your organization. Business-aligned security leaders work with business stakeholders on an ongoing basis to formulate the business risk metrics that will be most meaningful to C-level leaders.
- Benchmark security performance: Benchmarking allows organizations to compare the effectiveness of their cybersecurity performance over time across internal operations and against peers. Business-aligned security leaders keep a report-card of their security practices and are continually evaluating the metrics critical for budgeting, resource allocation and process improvements.
- Demonstrate the value of investments: Few security organizations use threat metrics that speak to business risk. By cultivating and consuming cybersecurity metrics for both return on investment (ROI) and the impact on business performance, security leaders will be able to show added value. Business-aligned security leaders partner with the business to ensure close alignment on cost, performance, and risk reduction objectives.
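The vulnerability management and benchmarking practices above describe prioritizing remediation by combining asset criticality with vulnerability data, and reporting metrics in terms the business understands. The following Python example is added here to make that concrete; it is not code from the article or from Tenable. The data model, the weights (criticality tiers 1 to 4, a 1.5x multiplier for internet-facing assets), the per-tier remediation SLAs and the sample findings are all assumptions constructed for illustration, and the finding identifiers are placeholders rather than real vulnerabilities.

```python
"""Risk-based remediation prioritization: CVSS alone versus CVSS in business context.

Added example. Field names, weights, SLAs and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    asset: str            # hostname (constructed)
    service: str          # business service the asset supports
    finding_id: str       # placeholder identifier, not a real CVE
    cvss: float           # CVSS v3 base score, 0.0 to 10.0
    internet_facing: bool
    criticality: int      # 1 = low ... 4 = crown jewel, agreed with the business owner
    first_seen: date


def risk_score(f: Finding) -> float:
    """Combine technical severity with business context.

    CVSS answers "how bad is the bug"; criticality answers "how much does the
    business depend on this asset"; exposure reflects who can reach it.
    The multiplier values are an assumed policy, not a standard.
    """
    exposure = 1.5 if f.internet_facing else 1.0
    return round(f.cvss * f.criticality * exposure, 2)


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """The siloed approach: order purely by technical severity."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """The business-aligned approach: order by severity in business context."""
    return sorted(findings, key=risk_score, reverse=True)


def sla_days(f: Finding) -> int:
    """Remediation SLA in days by asset criticality (assumed policy)."""
    return {4: 7, 3: 14, 2: 30, 1: 90}[f.criticality]


def overdue_by_service(findings: List[Finding], today: date) -> Dict[str, int]:
    """Business-facing metric: open findings past SLA, grouped by business service.

    A count per service ("Payments has 1 overdue critical-asset finding") is a
    report-card figure an executive can act on, unlike a raw vulnerability total.
    """
    out: Dict[str, int] = {}
    for f in findings:
        age = (today - f.first_seen).days
        if age > sla_days(f):
            out[f.service] = out.get(f.service, 0) + 1
    return out


# Constructed sample data: four findings on four assets.
SAMPLE = [
    Finding("lab-build-01", "Internal tooling", "FINDING-1", 9.8, False, 1, date(2021, 1, 10)),
    Finding("pay-api-02", "Payments", "FINDING-2", 6.5, True, 4, date(2021, 1, 20)),
    Finding("hr-portal", "HR", "FINDING-3", 7.5, False, 3, date(2021, 1, 25)),
    Finding("crm-web-01", "Sales", "FINDING-4", 8.1, True, 2, date(2021, 2, 10)),
]
TODAY = date(2021, 2, 15)  # fixed "today" so the example is reproducible


if __name__ == "__main__":
    print("CVSS only:        ", [f.asset for f in by_cvss(SAMPLE)])
    print("Business context: ", [(f.asset, risk_score(f)) for f in prioritise(SAMPLE)])
    print("Overdue per service:", overdue_by_service(SAMPLE, TODAY))
```

Sorting by CVSS alone puts the 9.8 on an isolated lab build host first and the payments API last; weighting by criticality and exposure reverses that order, which is the point the article makes about using asset criticality together with vulnerability data. The overdue-per-service count is the kind of metric that lets the same finding be reported as "Payments is carrying risk past its agreed SLA" rather than as a CVSS number.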
Becoming a business-aligned cybersecurity leader is a marathon, not a sprint. It requires learning how to speak the languages of business and technology with equal fluency. But modern security threats require a new approach. The future belongs to the security leaders who are ready to manage cybersecurity as a business risk.
(The author is Chief Cybersecurity Strategist at Tenable and the views expressed in the article are his own)