Aligning Cybersecurity with Business Models

Matt Ireland

March 16, 2017 - Posted by Matt Ireland to Security Insight

IT Security Team

Does your organization face challenges with effectively aligning cybersecurity teams and business executives? In many organizations, it seems that business executives and cybersecurity teams don't always understand each other's roles. Executive leadership may not realize the cyber risks to their organization, such as APT threats, insider threats, espionage, phishing. Also, cybersecurity teams may not know what business systems are MOST important to protect before and during an incident. 

So how can you successfully align cybersecurity with the C-Suite, and keep the collaborative alignment effective? Before we answer that question, let's first talk about the challenges that have historically kept security and business executives out of alignment.

Strategic vision directly influences and impacts the success of implementation of cybersecurity controls. Cybersecurity MUST be positioned as a business enabler. And businesses must appropriately manage risk. 

Before we dig into risk mitigation, let's compare and contrast the challenges – both natural and fabricated – that often get in the way of recognizing the true value of engaging cybersecurity teams at the earliest strategic development stages of a new product and/or service. It seems that business leadership often perceives cybersecurity as the department of “NO!”. Those of us that have been in the security business for some time, are most likely to blame for this. It was too easy to say “NO!” when asked to make changes of a control, process, or other tactical change. If we didn’t understand the purpose of the request, we said “it's not secure”. If we haven't been hacked, it must be safe…If it is not broke – don't change it. This created a perception of cybersecurity being a business dis-abler. 

Business leaders are looking for ways to expand their business’ footprint, increase revenue, reduce overhead, and have the ability to change direction easily and quickly. This is where cybersecurity teams get scared. These strategic goals mean that change needs to occur, and that a CISO will inherit ownership of something that we have not seen or done before, or that may have been poorly designed, actually admitting to previous misconceptions of cybersecurity preparedness. And then there is the accountability factor for processes or practices that were designed for some other function and may not be fit for the newly defined application. The cybersecurity team feels that uninformed business people made a decision without consulting them first, and that causes us to be accountable for things that we had no say in.

We, as a community of cybersecurity professionals, cannot just say “NO!” and we cannot simply suggest expensive solutions to mitigate perceived threats that are not aligned with what the business needs. Example; we cannot demand $100M for new tools in exchange for increasing revenue by $1M. We must be able to understand the need, explain the challenges, offer alternatives, negotiate, and at the end of the day – ensure that risk is accepted at the correct level of leadership with the correct understanding.

Cybersecurity professionals can be known, by many C-level business leaders, as somewhat arrogant, unreasonable and immature individuals who lack business acumen and the ability to accept accountability. Cybersecurity professionals may be guilty of assuming that those same C-levels are unaware of risk or are willing to accept risks just to meet new business objectives – without our input.

My challenge, for each of you (business or cybersecurity leaders) is to LISTEN to each other to learn about each other's challenges. In my experience, once we leave our arrogance at the door, we will learn that both business and cybersecurity leaders are trying to accomplish the same thing – just from different perspective and with different approaches. Great cybersecurity leaders will also want to expand the business footprint, increase revenue, and reduce overhead – while managing risk. However, for anyone to listen and learn, you must take time to build relationships with your peers.  What are their strategic goals? What keeps them awake at night?  What is their 1, 3, 5, 10 year plans? What can you do in your 1 year plan to help your peer’s 3-year plan?

You see, in the past, cybersecurity teams were just trying to put out the fire of the day. And they got the job done and kept the lights on – but no one realized they were actually doing a great job. In all practicality, cybersecurity is actually a game of zeros. When you have zero breaches and zero outages, you create zero room at the big table, and the general perception is that all is fine with cybersecurity. That is until something happens – and in today's world – that something can be catastrophic.

So, we now have some understanding of the historically induced challenges that have kept cybersecurity and business executives out of alignment. So, what can be done to create alignment – and keep things aligned?

First, cybersecurity teams must have a seat at the board room table so that we can learn what the 10-year strategic plan is, and gain a true understanding as to the rationale behind short-term decisions. Then cybersecurity teams can share their views during early stages of strategic design which will assist in keeping all teams aligned in the right direction as a single team. It’s like playing the business version of Pin the Tail on the Donkey. After spinning around in circles, and it's determined that some aspect of the plan or member of the team is headed in the wrong direction, another member of the team can nudge them in the right direction. If the alignment between team members is a few months after they've been spun around, it shouldn’t be a surprise to find them so far away from the donkey that it will difficult to even get them back to the correct zip code. 

Second, cybersecurity teams need to be aware of their organization's business plans so they can become real strategic partners. As CISO, get to every facility and visit with every business stake holder and get to know who they are, what they do, what their challenges are, and what makes them successful. If you understand their needs and challenges, you can effect better controls. Remember, cybersecurity cannot be the department of “NO!”. If you make the controls too difficult and do not understand their impact on your organization's business plans, they will find ways to work around you.  

Lastly, the need for transparency is critical. Strategically align business and cybersecurity objectives. Collaborate on what your cybersecurity and business peers’ critical success factors are. Find appropriate metrics to ensure CSF/KPIs are collected and the analytics are available to your peers. Communicate hits and misses of these data points.  Remember the saying that the things that get measured get done. When you are transparent about your measurements they get done quicker. Experts suggest that if you want to lose weight – keep a log. Weigh yourself regularly, document it, and look at the trends.  When you see, trends start to go the wrong way, it's time to make adjustments. If you keep these logs public, you will be even more accountable. In other words, transparency wins!

Bonus thought! You will know you're headed in the right direction when you cannot perceive a difference between cybersecurity and business objectives. At this point, you’ve reached a level of alignment where your cybersecurity and business management are moving together to successfully accomplish more challenging and ever changing business priorities.

Read more on Solutionary Minds about:

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)