
5 Steps for Becoming a Business-Aligned Cybersecurity Leader

Independent business risk study shows when security and the business are aligned around agreed-upon contextual data, they deliver demonstrable results. Here's how to get there.

Folks, cybersecurity is broken. Security leaders are drowning in data. We can tell you how many vulnerabilities there are. We can tell you how many patches we've deployed. We can recite chapter and verse on the latest threats. Yet, with all this information at our disposal, most of us struggle to answer the question "How secure, or at risk, are we?" with a high degree of confidence.

Why? Because we're missing one key piece of information: business context.

The typical equation we use to calculate an organization's level of security or risk is a function of assets, security controls, threats and vulnerabilities. Without business context — understanding which assets are most critical to the core value proposition of your business and which security controls are in effect for each of those assets — the results of any security risk calculations are incomplete, at best.

But security leaders can't arrive at an understanding of business context by working in a silo. It requires a level of strategic alignment between business and cybersecurity leaders that is lacking in most organizations. Indeed, a commissioned study conducted by Forrester Consulting on behalf of Tenable shows significant disconnect between business and security. According to the study, which is based on a survey of 416 security and 425 business executives, just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. Less than half of security leaders surveyed say they consult business leaders with a high level of frequency when developing their cybersecurity strategy. Even worse, four out of 10 business executives rarely — if ever — consult with security leaders when developing their organizations' business strategies.

"The biggest challenge may be to make business owners get interested and understand that they should be the ones owning cybersecurity risks," said Jose Maria Labernia Salvador, head of IT security and internal control at LafargeHolcim IT EMEA in Madrid, in an interview with Tenable. "Cybersecurity is a business-related topic with a strong IT component. IT can support and guide, but business stakeholders and senior management are a core component in the equation."

The Forrester study shows that when business and security are aligned, they deliver demonstrable results. For example, business-aligned security leaders are:

  • Prepared to report on security and risk. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
  • Ready to show ROI on their security initiatives. The vast majority of business-aligned security leaders (85%) have metrics to track cybersecurity ROI and impact on business performance compared with just 25% of their more reactive and siloed peers.
  • Equipped with a defined benchmarking process. Nearly nine out of 10 business-aligned security leaders (86%) have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups. Only 32% of their non-aligned peers can say the same.

That's not to say responsibility for achieving alignment falls squarely on the shoulders of the security leader. Some organizations are culturally inclined to create silos. No matter how much effort you put into it, if you work for one of these organizations you may always struggle to align with your business counterparts.

If you're not sure where your organization falls on the alignment continuum, there's one quick way to tell: If you have an executive with the title of Business Information Security Officer then your organization falls on the more mature end of the alignment scale. According to the Forrester study, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts.

How to become a business-aligned cybersecurity leader

If you're lucky enough to work for an organization where the business-cyber alignment is already relatively mature, then your path to becoming a business-aligned security leader will be fairly clear, even if it does require considerable effort to navigate. But if you happen to work for an organization on the lower end of the alignment-maturity scale, your journey will be far more challenging. Since there's no one-size-fits-all approach, I've tailored the following guidelines with three options, based on level of alignment maturity, in hopes that one of these options will present a starting place that works for you.

Five steps to improve alignment with your business stakeholders at each level of organizational maturity

Step 1: Make sure you understand your organization's business objectives for the year.
  • Least aligned: You'll most likely need to do your own research, looking to public-facing documents, such as earnings forecasts and financial statements, to develop a reasonably clear picture of organizational priorities.
  • Moderately aligned: This step may require plugging into VP-level leadership calls, tuning into your organization's all-hands meetings and looking for other ways to assimilate with your business colleagues.
  • Highly aligned: You already have — or will need to work on obtaining — a seat at weekly meetings held by your executive staff and you are regularly asked to present to the board. These activities give you exposure to key business objectives.

Step 2: Consider how those business objectives shape technology decisions.
  • Least aligned: You may have to rely on connections with colleagues across the enterprise to help you develop a picture of your most critical systems and assets. In particular, pay attention to outages and incidents to sniff out areas that have perceived importance.
  • Moderately aligned: You may need to do some legwork by setting up calls with VPs or other line-of-business leaders to get up to speed on which systems matter most.
  • Highly aligned: You can conduct a business impact assessment by surveying your key business executives to gain a clear understanding of which systems are most critical to the day-to-day running of your organization.

Step 3: Work with business stakeholders to ensure your cybersecurity metrics incorporate business context.
  • Least aligned: You may have to resort to external sources, such as industry events, case studies or networking groups, to develop a bird's eye view of common business needs and key security metrics and make an educated guess about which ones work for your organization.
  • Moderately aligned: You may not have access to senior executives who can help you define the business context. You'll need to build connections with directors or line-of-business leaders and consult with industry peers to help you develop an understanding of which metrics make the most sense to your organization.
  • Highly aligned: This step is as much about knowing the right questions to ask as it is about identifying a small number of metrics that are most meaningful for your enterprise.

Step 4: Prioritize your cybersecurity processes based on the learnings you've gained from the above steps.
  • Least aligned: Begin by assessing the gaps in your process — such as a lack of asset criticality data — and develop a roadmap for how you'll fill each gap over time.
  • Moderately aligned: You can start to integrate asset criticality data with threat and vulnerability data to move toward a more risk-based approach.
  • Highly aligned: Make use of automation and apply business risk management objectives to threat and vulnerability prioritization practices using a predictive approach.

Step 5: Communicate using benchmarks that make sense to your business stakeholders.
  • Least aligned: Consider working with outside advisors to help you develop your business-savvy language skills. In the process, you will likely uplevel your business leaders' regard for assessing not only risk, but the business itself.
  • Moderately aligned: You may need to rely on your powers of observation; be mindful of the language your business colleagues use and tailor your communications accordingly.
  • Highly aligned: Even in a highly aligned organization, the subjectivity of existing frameworks and the lack of industry consensus about key risk indicators can make this step a challenge. Still, if you've already got a high degree of organizational alignment, your C-level peers will likely welcome a candid conversation about what they need to know — and what you can omit — in your reports.

Source: Tenable, September 2020

Regardless of where your organization falls on the alignment-maturity continuum, you'll do well to follow the advice of Kevin Kerr, CISO of Oak Ridge National Laboratory in Oak Ridge, TN. In an interview with Tenable, Kerr advised: "The CISO needs to get out from behind their desk and walk around. Talk to people. Learn people's concerns and objectives at the various levels — bottom to top. Understand what's going on. Don't listen only to your IT people, because they're jaded from their IT point of view. Go see what's going on from the business point of view and listen." Of course, in the current COVID-19 pandemic you may have to perform such a walkabout virtually. But whether it's done face-to-face or via Zoom, the effort will benefit your organization and your career. "It gets your name around," said Kerr. "If people know you're there to help them figure out the best way to do what they want while still protecting the organization, they'll welcome your participation. I never want to be the 'no' in 'innovate.'"

Becoming a business-aligned cybersecurity leader is a marathon, not a sprint. It requires learning how to speak the languages of business and technology with equal fluency. But, as the Forrester study notes, "modern security threats require a new approach." The future belongs to the security leaders who are ready to manage cybersecurity as a business risk.

Previous blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question "how secure, or at risk, are we?" We also examined what COVID-19 response strategies reveal about the business-cyber disconnect and considered why existing cybersecurity metrics fall short when CISOs need to communicate with executives and the board. In an upcoming post, we'll spend a day in the life of a business-aligned security leader.
