5 Steps for Becoming a Business-Aligned Cybersecurity Leader

Independent business risk study shows when security and the business are aligned around agreed-upon contextual data, they deliver demonstrable results. Here's how to get there.

Folks, cybersecurity is broken. Security leaders are drowning in data. We can tell you how many vulnerabilities there are. We can tell you how many patches we've deployed. We can recite chapter and verse on the latest threats. Yet, with all this information at our disposal, most of us struggle to answer the question “How secure, or at risk, are we?" with a high degree of confidence.

Why? Because we're missing one key piece of information: business context.

The typical equation we use to calculate an organization's level of security or risk is a function of  assets, security controls, threats and vulnerabilities. Without business context — understanding which assets are most critical to the core value proposition of your business and which security controls are in effect for each of those assets — the results of any security risk calculations are incomplete, at best.

But security leaders can't arrive at an understanding of business context by working in a silo. It requires a level of strategic alignment between business and cybersecurity leaders that is lacking in most organizations. Indeed, a commissioned study conducted by Forrester Consulting on behalf of Tenable shows significant disconnect between business and security. According to the study, which is based on a survey of 416 security and 425 business executives, just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. Less than half of security leaders surveyed say they consult business leaders with a high level of frequency when developing their cybersecurity strategy. Even worse, four out of 10 business executives rarely — if ever — consult with security leaders when developing their organizations' business strategies.

"The biggest challenge may be to make business owners get interested and understand that they should be the ones owning cybersecurity risks," said Jose Maria Labernia Salvador, head of IT security and internal control at LafargeHolcim IT EMEA in Madrid, in an interview with Tenable. “Cybersecurity is a business-related topic with a strong IT component. IT can support and guide, but business stakeholders and senior management are a core component in the equation."

The Forrester study shows that when business and security are aligned, they deliver demonstrable results. For example, business-aligned security leaders are:

• Prepared to report on security and risk. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
• Ready to show ROI on their security initiatives. The vast majority of business-aligned security leaders (85%) have metrics to track cybersecurity ROI and impact on business performance compared with just 25% of their more reactive and siloed peers.
• Equipped with a defined benchmarking process. Nearly nine out of 10 business-aligned security leaders (86%) have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups. Only 32% of their non-aligned peers can say the same.

That's not to say responsibility for achieving alignment falls squarely on the shoulders of the security leader. Some organizations are culturally inclined to create silos. No matter how much effort you put into it, if you work for one of these organizations you may always struggle to align with your business counterparts.

If you're not sure where your organization falls on the alignment continuum, there's one quick way to tell: If you have an executive with the title of Business Information Security Officer then your organization falls on the more mature end of the alignment scale. According to the Forrester study, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts.

How to become a business-aligned cybersecurity leader

If you're lucky enough to work for an organization where the business-cyber alignment is already relatively mature, then your path to becoming a business-aligned security leader will be fairly clear, even if it does require considerable effort to navigate. But if you happen to work for an organization on the lower end of the alignment-maturity scale, your journey will be far more challenging. Since there's no one-size-fits-all approach, I've tailored the following guidelines with three options, based on level of alignment maturity, in hopes that one of these options will present a starting place that works for you.

Five steps to improve alignment with your business stakeholders at each level of organizational maturity

Source: Tenable, September 2020

Regardless of where your organization falls on the alignment-maturity continuum, you'll do well to follow the advice of Kevin Kerr, CISO of Oak Ridge National Laboratory in Oak Ridge, TN. In an interview with Tenable, Kerr advised:  "The CISO news to get out from behind their desk and walk around. Talk to people. Learn people's concerns and objectives at the various levels — bottom to top. Understand what's going on. Don't listen only to your IT people, because they're jaded from their IT point of view. Go see what's going on from the business point of view and listen." Of course, in the current COVID-19 pandemic you may have to perform such a walkabout virtually. But whether it's done face-to-face or via Zoom, the effort will benefit your organization and your career. "It gets your name around," said Kerr. “If people know you're there to help them figure out the best way to do what they want while still protecting the organization, they'll welcome your participation. I never want to be the 'no' in 'innovate.' "

Becoming a business-aligned cybersecurity leader is a marathon, not a sprint. It requires learning how to speak the languages of business and technology with equal fluency. But, as the Forrester study notes, “modern security threats require a new approach." The future belongs to the security leaders who are ready to manage cybersecurity as a business risk.

Read the blog series: How to Become a Business-Aligned Cybersecurity Leader

Blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question "how secure, or at risk, are we?". We also examined what COVID-19 response strategies reveal about the business-cyber disconnect, discussed why existing cybersecurity metrics fall short when communicating cyber risk, explored five steps for achieving alignment with the business and provided a view into a day in the life of a business-aligned cybersecurity leader.

Learn more:

• See additional study highlights here
• Download the full study, The Rise of the Business-Aligned Security Executive
• Read the blogs
  • Aligning Cybersecurity and the Business: Nobody Said It Was Easy

  • Why Cybersecurity Leaders Struggle to Answer the Question ‘How Secure Are We?'
  • What COVID-19 Response Strategies Reveal About the Business-Cyber Disconnect
  • Communicating Business Risk: Why Existing Cybersecurity Metrics Fall Short
• Download the white paper, What It Takes to Be a Business-Aligned Cybersecurity Leader
• Read the eBook, How to Become a Business-Aligned Security Leader
• Listen to the Cyber Exposure Podcast series, "Interview with Tenable CSO Bob Huber"
• View the webinar, The Rise of the Business-Aligned Security Executive