Sapsiwai - Fotolia
Security professionals face a host of critical threats: the unfolding repercussions of the SolarWinds nation-state attack, vulnerabilities exposed by an ongoing pandemic that has changed how people work, more sophisticated ransomware attacks and new questions surrounding federal and state security.
While it's hard to avoid getting inundated with cybersecurity firefighting, it's important for CISOs to stay focused on the big picture, which means managing the risks that pose the biggest threat to an organization's overall health. To do so, they must align cybersecurity to business goals. It's a tall order, but not an impossible one with the right approach.
The following three steps can help CISOs move cybersecurity and business alignment in the right direction.
Step 1. Understand C-suite concerns
CISOs often find themselves C-suite-adjacent, removed from critical C-level planning and business strategy input.
To ensure security efforts have a positive business impact, it's important CISOs understand each C-level leader's top business and security concerns, because they will differ among stakeholders. For example, the CEO might identify the integration of an upcoming acquisition as a top concern; the CFO might be worried about the unchecked cost of security controls; and the chief risk officer might care most about the availability of sales tools from any location.
C-level business goals likely will align to one of these areas of business risk:
- market trust
- availability and performance
- culture, policy and governance
- cost of controls
- data assurance
- security liability
Only through C-level discussions can CISOs prioritize which areas they should focus on to provide the most value to the business. Thinking and communicating in terms of business outcomes instead of security tactics can help CISOs align with the C-suite to get a complete picture of business goals.
Step 2. Connect security objectives to business requirements
Identifying executive priorities as they relate to security and the business isn't the same as putting them into action. To secure the funding to do so, CISOs need to align security objectives to business requirements, both quantitatively and qualitatively.
- Quantitative alignment. CISOs should pinpoint the risks and vulnerabilities, establish a baseline for security maturity and assess mitigation costs against industry benchmarks and best practices.
- Qualitative alignment. CISOs should gather critical information about assets and business risks, align executive requests to security objectives and establish a strategy for risk program management and operations.
This two-pronged approach requires CISOs to develop a risk register that identifies control area gaps and risks in the context of impact, effort and cost.
Rather than trying to close every gap, CISOs should first focus on controls that help the C-suite achieve its goals but also are easily executed by security teams.
Step 3. Focus on reducing versus eliminating risk
While each organization will have its own risk appetite, security spend and risk mitigation efficacy will intersect at some point. Beyond this juncture, you'll see diminishing returns on continued investment.
It's important for CISOs to understand and effectively communicate a core principle of cybersecurity to C-level stakeholders and the board of directors: No matter how much you spend on security, you can never completely eliminate risk.
Instead, organizations have four choices when it comes to addressing a particular risk: They can mitigate it, accept it, transfer it or ignore it. Deciding what action is best will depend on the level of investment and effort it takes to mitigate the risk and the degree to which a risk could disrupt the business if it goes unchecked.
CISOs who can accurately plot the meeting point of risk mitigation efficacy and security spend will be in a much better position to demonstrate cyber accountability and responsible spending to the C-suite and the board of directors, which can help the practice shed its outdated perception as a cost center.
The bottom line for CISOs
As cyber attacks grow in sophistication and scale, the business impact from a security incident is increasingly wide-reaching. In today's environment, a security threat is a business threat.
That's why it's critical that CISOs align cybersecurity to business goals. When they do, they can mitigate the risks that most stand in the way of organizational success and measure the true business impact of security investments. This puts them well on their way to building a cybersecurity program that doesn't just protect the business but grows it.
About the author
Mike McGlynn is vice president and general manager for global security at World Wide Technology, where he leads a team of senior security advisors and architects to drive security technologies and services sales across the company. Previously, he spent more than 25 years at the National Security Agency as a technical director, where he won numerous honorary awards, including the Presidential Rank Award for Meritorious Executive Service.