Today business leaders are rightfully concerned about mitigating their organization’s cyber risks. To address this concern, many businesses have begun to hire individfuals responsible for cybersecurity and even hiring Chief Information Security Officers (CISOs) to provide security leadership at the executive level. But unfortunately, old habits die hard. Instead of integrating the cybersecurity team or the CISO into both cybersecurity and business conversations, many of these security leaders have become siloed from broader business strategy and goals. Of course, this also leaves the executive team under-informed about the nature and scope of their organization’s cyber risk profile.
One of the main tenants of a new security principle, cyber resiliency, stresses the need to integrate approaches to security and business in order for either side to succeed. In fact, organizations should even stop thinking of business and security as two opposing side of an equation and instead learn to see and promote the integration of each with the other. However, this will require both security experts and businesses leaders to put in some work.
Business-Aligned Security Leaders
A recent report by Forrester found that just four out of ten security leaders can answer the question, “How secure/at risk are we?” and less than half frequently consult business leaders before developing security strategies. This, to put it lightly, is a big problem. If security leaders are just focused on implementing and maintaining technical controls, they end up missing the bigger picture of the risk culture that surrounds those controls. It is vitally important for security teams to understand an organization’s business-critical assets and work with leadership to develop a risk mitigation plan that prioritizes those assets.
Cybersecurity teams also need to be able to communicate their needs to business leadership. According to the Forrester report, more than half of security leaders lack adequate skills in benchmarking their security programs. In order to integrate cybersecurity and business needs, security teams need to develop benchmarking and risk reports that they can properly communicate to business executives. Taking a more business-oriented approach to security can also help security leaders advocate for the funds they need to reduce risk.
Cyber-Aligned Business Leaders
Of course, in order for security leaders to effectively integrate business strategy into overall cybersecurity goals, the business executives and board members need to regularly meet and communicate with their security team. To ensure this happens, it’s important for board members to assume ultimate responsibility for oversight of the organization’s security and to integrate cybersecurity discussions into the overall business strategy, risk management, and budgeting. It may even be a good idea to require cybersecurity training for all board members to ensure everyone has a proper understanding of the current threat landscape and regulations.
With a focus on outcomes, training, and a security team able to communicate benchmarks and risk reports, board members will be in a position to properly define the organization’s cyber risk tolerance that is consistent with business strategy and current cybersecurity controls. Board members and executives teams must ensure the organization’s risk appetite is communicated throughout all levels of the organization and that they create a culture that reflects the cybersecurity and business interests of the organization. Many of these recommendations are included in a white paper from the World Economic Forum that details 10 essential principles and tools for boards to better integrate cyber resiliency with overall business strategy.
Today, most organizations understand the importance of maintaining an effective cybersecurity program. However, not many businesses are recognizing the interdependence of cybersecurity and business interests. And it’s a two way street. Both cybersecurity leaders and business executive and board members need to be mindful about taking a more holistic approach to cybersecurity and business for either to be effective.