The days of siloed departments and disconnected projects are over, especially where security and threat management are concerned. Anindya Chatterjee, CISSP, CCSP, discusses some considerations for bridging the gaps between cybersecurity teams and organizational leadership to improve communications and understanding.
In today’s digital world, data security is no longer a closed-door, isolated function. The security team no longer serves only the immediate day-to-day organization and its supporting functions. The responsibilities of a security professional have expanded beyond corporate boundaries to affect individuals outside the organization (customers, suppliers and so on) as well. Every person is touched by security in one way or another.
When we as security professionals say that a recipient needs to be verified before a bank transfer or transaction is made, people get it. When we state that clicking a link in an email without knowing its true destination is a risk, people get it. The reason is straightforward: most “not so techie” people know what a loss, scam or fraudulent transaction would mean for them. In short, they would lose their hard-earned money, their identity or even their privacy.
So, if the importance of security is so easy to understand, why is it so difficult to make organizations or leadership groups aware of the risk that a vulnerability might bring? Why is it so difficult to secure budget for a new technology or to expand the team? How do we address the understanding and awareness gap between security teams and leadership?
To Narrow a Gap
With reference to the questions above, the problem lies with us as security professionals as well as with the leaders.
Traditionally, information security teams have been perceived as the department of “no”. The function is seen as a hindrance to the business rather than an enabler. This needs to change. If we are able to align the security strategy with the organization’s wider strategy, things will accelerate in a good way. Security teams need to forge relationships with people in the organization who speak the language of business, in order to create or improve the perception of value from the security team. According to recent research, by 2028, 30% of a CISO’s effectiveness will be measured directly on their ability to create value for the business. So, how do we create value?
This five-step approach will help any security team dealing with this challenge:
Define What Security Is
Most organizations have policies, processes and guidelines in place, but what is often missing is a vision statement. Have a vision statement defining what information security means for the organization, rather than focusing on individual functions or technologies. It should be a short, crisp and simple-to-understand vision of the security function that aligns with the business vision and objectives. This will enable every individual in the leadership and the security team to understand the objective and relate to how it is achieved as part of the bigger picture.
Return on Capital Invested
Every security activity needs a defined ROI. Financial numbers make a strong impression on organizational leaders. If they see that investing in a product or tool enables them to reach the market faster, provides a strategic advantage, delivers against their goals and positions them ahead of the competition, leadership will look at security as an investment rather than a cost centre.
Upgrade the Leadership, Thinking and Decision Making
The organization’s leaders are usually industry experts, although not necessarily cybersecurity experts. They know how to secure investment, how to position the organization and so on. However, that is not sufficient in the digital economy, because the digital economy relies on data, a huge and dynamic resource. Data, and the threats to it, change much faster than the market does. To keep up in a fast-moving economy, leaders need to be made aware of how things work and of their interdependencies: for instance, what impact the failure of a security measure might have, both financially and on reputation. They also need to understand the capabilities of a given technology that is important to the organization. This enables cross-functional usage and helps move the organization forward.
Define the Risk the Business is Ready to Take
Every business, based on its present market positioning or the data it handles, has a risk appetite. Defining it enables the security and business teams to select the right tools for the organization, avoid unnecessary spending on risks that already fall within the appetite, and focus on the controls that will enable the business to grow and flourish.
Visualization
The information security world is full of keywords, phrases and terminology that, although very important to us, hold no meaning for business leaders. If we use the same visualization of risk, impact and likelihood for our security peers and for organizational leadership, will the understanding be the same for both? The answer is no. It is important to have different levels and approaches to visualization for different audiences. Security teams need to drill down into the security state of applications, networks, controls and so on, and take action. Leaders, on the other hand, need a broader view of the organization’s security posture, a comparison against its competitors, and its alignment with industry and regulatory expectations.
Together, these steps enable leadership to know what the security teams are doing, how they are aligned with the business, and what to do next. That is how the gap is bridged.
Anindya Chatterjee, CISSP, CCSP, is a cybersecurity consultant with over 16 years of experience in consulting with IT, telecoms, financial services and insurance organizations.