A Ponemon Institute report released late last year found that CISOs’ influence within companies is growing as IT security increasingly becomes a priority. However, interviews with senior-level IT security professionals at 184 companies in seven countries, including India and China, showed that security strategy in many organizations is still not aligned with business functions.
Amid evolving threat vectors, the influence of CISOs in managing their companies’ cybersecurity risks is growing in significance. This is evidenced by the 68% of respondents in the study who have the final say in all IT security spending, while 64% have direct influence and authority over security expenditures in their organizations.
But despite their influence, security is integrated with other business teams in only 22% of the organizations, while in 45% of them the security function does not have clearly defined lines of responsibility. This has led to turf and silo issues that impede IT security tactics and strategies.
Need to talk
“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies,” said Mike Convertino, CISO at F5. “But in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”
For instance, recognition of security as a business priority in many organizations remains reactive. Only 51% of organizations have an IT security strategy. Even then, the strategy is reviewed, approved and supported by other C-level executives in less than half of those organizations. Although material data breaches and cybersecurity exploits get attention from other senior executives, strategic discussions around security events are rare.
“Maybe one reason so many security programs aren’t aligned with the business is that, according to the same survey, only 16% of CISOs have a business background,” suggested Ray Pompon, principal threat researcher evangelist with F5 Labs.
After all, security is inherently not a standalone function, especially in protecting the essential services that underpin digital transformation and business strategies. All stakeholders have to carry out the necessary risk assessments and due diligence to ensure strong basic cyber hygiene practices and to enhance cyber resilience. CISOs have to align security strategies with areas ranging from regulatory compliance and incident response to information sharing and capability development.
Pompon urged CISOs struggling to align their security program with business objectives to first understand their organization’s business. To do this, CISOs must ask questions and do their homework, not only about their organization but also about their industry sector. For example, they need to understand their organization’s raison d’être, who its customers are, and who its key partners are.
Armed with this knowledge, CISOs can then move on to determine how revenue flows into their organization, how it loses revenue, and what cash reserves are available for rainy days.
From there, determine the assets to be protected, the functions that must always be kept available, the systems and information that employees need to do their jobs, and the regulations that the organization must abide by. These and many more questions relating to organizational challenges, processes, technology use, competition, customer base, changing regulations, et cetera, will help CISOs leverage business understanding to get buy-in on risk reduction programs.
Where the treasure is
“Remember that when a security incident occurs, it can have many different kinds of impacts: loss of customer confidence, reduction in sales advantage, regulator fines, operational overhead, and loss of competitive advantage due to breached trade secrets,” Pompon prompted. “Find the hot buttons and push them.”
One key approach to building trust with business heads is to develop the skill of empathetic listening. “You listen with the goal of understanding the other person’s point of view and acknowledging how they feel about the situation,” Pompon advised. “Listen carefully to their problems and then, once they’ve had their say, you can connect their jobs to the security mission.”
Yet, despite the deficiencies in security-business alignment, the Ponemon study has revealed good news. One bright spot is that 60% of respondents have aligned IT security operations with business objectives. Further, the majority of CISOs are influential in managing their companies’ cybersecurity risks, with 65% reporting to senior executives who are no more than three steps below the CEO on the organization chart. And if a serious security incident occurs, more than half of the CISOs have a direct channel to the CEO.
While CISOs continue to strive toward proactive, business-aligned security strategies, progress is being made in today’s app-centric digital environment.