Tenable eBook

How to Become a Business-Aligned Security Leader

Introduction: The Future Belongs to the Business-Aligned Security Executive


The bad news? There's a disconnect between business and cybersecurity. The good news? Aligning them can make all the difference.

If you've served as a CISO, CSO or other cybersecurity leader for any length of time, you've likely had a CEO, board member or other senior executive ask you “how secure are we?” on a fairly frequent basis. And you also know answering that question is not as easy as it might seem.

At a time when enterprise risks are rapidly shifting — enter pandemics, economic downturns and remote work — the cyberattacks and threats thriving around the globe not only amplify each risk, they have elevated cybersecurity to a topic of board-level scrutiny. Yet, those of us on the frontlines grapple with a host of challenges making it difficult to provide our business leaders with a clear picture of our organization's cybersecurity posture.

With an eye toward surfacing some of these key challenges and helping security leaders initiate a meaningful dialog with their business counterparts, Tenable commissioned Forrester Consulting to conduct an online survey of 416 security and 425 business executives and to produce a study from the findings examining cybersecurity strategies and practices at midsize to large enterprises. The resulting study, The Rise of the Business-Aligned Security Executive, reveals a disconnect between the expectations of the business and the realities facing security leaders. But it also reveals perhaps the single biggest opportunity facing digital enterprises today — elevating the role of the CISO to equal stature with other executive roles.

The future belongs to the business-aligned cybersecurity leader

The study reveals four key themes:

  1. Cybersecurity threats thrive amidst a climate of uncertainty, making it a topic worthy of board-level visibility. The vast majority of organizations (94%) have experienced a business-impacting* cyberattack or compromise within the past 12 months. Roughly two-thirds (65%) said these attacks involved operational technology (OT) assets.
  2. Business leaders want a clear picture of their organizations' cybersecurity posture, but their security counterparts struggle to provide one. Just four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence. A lack of consolidated data and associated business context contributes to the challenges facing cybersecurity decision-makers.
  3. There is a disconnect in how businesses understand and manage cyber risk. Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Only four in 10 security leaders (43%) report they regularly review the security organization's performance metrics with business stakeholders.
  4. Cybersecurity needs to evolve as a business strategy. This can't happen until security leaders have better visibility into their attack surface. Just over half of security leaders report that their security organization has a holistic understanding and assessment of the organization's entire attack surface and fewer than 50% of security organizations are using contextual threat metrics to measure their organizations' cyber risk. This means their ability to analyze cyber risks and prioritize and execute remediation based on business criticality and threat context is limited.

The study shows that when security and business leaders are aligned around agreed-upon business risk data, they deliver significant, demonstrable results. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk. Even more notable in today's economic climate, with a global economic downturn causing organizations to re-evaluate their spending: 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers.

As Dan Bowden, the CISO of Sentara Healthcare, noted in an interview with Tenable last year: “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”

In order to achieve alignment, CISOs and other security and risk management leaders need the right combination of technology, data, processes and people. For example, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts. The study also reveals that business-aligned security leaders outpace their more reactive and siloed counterparts in automating key vulnerability assessment processes by margins of +49 to +66 percentage points.

In the following chapters, we explore these and other findings from the study and provide guidance on how Tenable can help your organization address the technology and data challenges behind this disconnect. In Chapter 1, we take a deeper dive into the many challenges security leaders face in answering the question, “How secure are we?” Chapter 2 takes a “ripped from the headlines” view of how organizations responded to COVID-19 to articulate how the business-cyber disconnect manifests in real life. In Chapter 3, we discuss how existing cybersecurity metrics fall short in giving CISOs and other security leaders the data they need to address business risk. And Chapter 4 and Chapter 5 discuss what a business-aligned cybersecurity practice looks like — and how you can get started building one in your organization — along with our tips and recommendations for transforming your own role into that of a business-aligned cybersecurity leader.

—Robert Huber, Chief Security Officer, Tenable

*For the purpose of this study, “business-impacting” relates to a cyberattack or compromise that resulted in one or more of the following: a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

How organizations can objectively measure cyber risk

By adopting best practices of Cyber Exposure management, organizations can more effectively reduce functional silos and introduce a common language for discussing risk — one that is understood by both the business and security teams. With Tenable, organizations are able to holistically assess, manage and ultimately reduce their cyber risk across the modern attack surface. Cyber Exposure provides the means for organizations to objectively measure their cyber risk — both internally and against industry peers — in order to help guide strategic decision-making and better align security initiatives with business objectives. Just as other functions have a system of record — such as information technology service management (ITSM) for IT and customer relationship management (CRM) for sales — Tenable can serve as a system of record to effectively manage and measure cyber risk as a business risk.

Chapter 1: Why Cybersecurity Leaders Struggle to Answer the Question “How Secure Are We?”


Cybersecurity is seldom fully integrated into business strategy — and it needs to be.

Picture this: a headline-grabbing vulnerability has been disclosed. It's all over the news and social media. It involves software being used by nearly every business on the planet. The board is demanding answers and your C-level executives are running around with their hair on fire. Your CEO calls an emergency meeting. The first question she asks you is: “How secure, or at risk, are we?”

Are you prepared to answer?

If so, you're one of the lucky ones. The Forrester Consulting study, The Rise of the Business-Aligned Security Executive, reveals that only four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence.

If you've spent more than a minute in cybersecurity, you know why answering this question is far more challenging than it might seem.

Sure, you can provide data about how many systems are affected and how quickly your team can remediate. But all this data isn't going to give your CEO the answers she is looking for. What she really wants to know is: Will our ability to deliver on our core business value be negatively impacted as a result of this vulnerability?

At the end of the day, your C-level executives are most likely not cybersecurity experts and they are most certainly not vulnerability experts. All they really want to know is: What impact does our cybersecurity practice have on the business of value creation?

The Forrester Consulting study reveals a disconnect in how businesses understand and manage cyber risk. For example, an alarming 66% of business leaders are — at most — only somewhat confident in their security team's ability to quantify their organization's level of risk or security. The study also reveals that:

  • Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk.
  • Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance and risk reduction objectives with business needs.
  • Only 43% of security leaders report they regularly review the security organization's performance metrics with business stakeholders.
  • Fewer than half of security leaders (47%) consult business executives with a high level of frequency when developing their cybersecurity strategy. On the flip side, four out of 10 business executives (42%) rarely — if ever — consult with security leaders when developing their organizations' business strategies.
  • Just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals.

Understanding business context

Getting to the business context of cyber risk isn't easy, and the answers will differ from one organization to the next. In order to provide business context, security and risk management leaders must first be able to answer two key questions:

  1. What is your organization's core reason for being? In manufacturing, the answer may be to make and sell widgets for profit. In healthcare, the answer may be to provide medical care to patients. In government, the answer may be to provide a service to the public, such as issuing driver's licenses or taking care of trash disposal.
  2. Which of your IT assets are crucial to delivering on that core reason for being? For example, is there an ERP system or medical records app or database which, if taken offline, would cause your business operations to grind to a halt? Are there groups of users whose computers, if compromised, would expose key intellectual property or sensitive data that could prevent the organization from delivering on that core value? Is there a cloud environment which, if taken offline, could derail an important customer-facing web service, such as a banking or ecommerce site?

Download the Full Study: The Rise of the Business-Aligned Security Executive

A commissioned study of more than 800 business and cybersecurity leaders worldwide conducted by Forrester Consulting


Existing asset management and configuration databases can only take you so far in answering these business questions. For starters, asset inventories and configuration management are fairly static operations. Most organizations are limited to conducting an annual risk assessment or business impact analysis on critical business functions. Such a static approach is hardly sufficient to capture the realities of the modern attack surface, which comprises a dynamic mix of on-premises and cloud-based IT, internet of things (IoT) and operational technology (OT).

For example, in most large organizations, cloud services are spun up and down every day on an as-needed basis. Computing assets are added and removed constantly as employees join or leave an organization. Applications and software are continuously implemented and upgraded as business needs change. And, in response to the COVID-19 pandemic, vast numbers of employees around the globe have shifted to a work-from-home model that is likely to set a new paradigm for how businesses operate. With today’s business moving at the pace of digital commerce, asset inventories are unable to keep pace. Security leaders are left to use the tools at their disposal to develop as comprehensive an understanding of asset criticality as possible.

Along with doing the work of identifying your critical business assets, you also have to be able to prioritize which of the tens of thousands of threats and vulnerabilities facing your organization each year actually pose the greatest risk to those core assets. Security leaders need to balance the threat from a vulnerability or attack method with the business impact of remediation or mitigation. Basically, you need to understand how exposed you are to the issue, how quickly you can address it using the robust processes in place and what effect it would have on your core business value to do nothing versus addressing the issue.

When the next headline vulnerability attracts the attention of your C-suite, will you be ready?

A business-aligned approach — in which you can confidently evaluate how many vulnerabilities are critical to the assets that have the greatest effect on your core areas of business — enables you to develop a clear answer to the question “how secure, or at risk, are we?”

Preparing to answer “are we at risk?”

As anyone in information security will tell you: “You can't protect what you don't know you have.” Achieving a fundamental understanding of your cyber risk is difficult without a complete understanding of the assets in your environment. On top of that, if you don't understand the role each asset plays in supporting critical business functions, it'll be impossible to measure the impact of taking a system offline to patch a vulnerability, or to decide whether or not a particular system is even worth addressing. So, where should you start?

  1. Understand your business environment. Work with your business partners to understand, identify and prioritize the services and applications that need protection. If everything is important, nothing is. Without this information, you can't discern which parts of the business might be impacted by an exploit and it will be nearly impossible to know who you need to work with should an issue arise.
  2. Continuously assess all your assets. Most legacy scanners were built for traditional IT environments and aren't designed to detect vulnerabilities in the most dynamic aspects of the modern attack surface, including cloud, OT and container environments. You'll want to upgrade to a comprehensive solution that delivers active scanning, passive monitoring, agents, connectors and integrations to assess as much of your environment as possible, regardless of where assets reside, what environment they're in, whether or not they are within audit scope, or how frequently they're connected to the network.
  3. Add business context by tagging assets with descriptive metadata. Use tags to identify business-critical assets. Tagging allows you to measure risk by business entity (what “job” do these assets support?) or by team (who do I need to work with to remediate potential issues?). With Tenable, you can tag assets both automatically (using rules) and manually.
  4. Prioritize vulnerabilities based on risk and determine action. Along with the work of identifying your critical business assets, you also have to prioritize which threats and vulnerabilities facing your organization pose the greatest risk to those core assets. Security leaders need to balance the threat from a vulnerability or attack method with the business impact of remediation or mitigation. You need to predict which of the many thousands of new vulnerabilities that appear every year attackers are most likely to exploit, how exposed you are to those vulnerabilities, how quickly you can address them using the remediation processes you have in place and what effect it would have on your core business value to do nothing versus addressing the issue.
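To make steps 3 and 4 concrete, here is an added example in Python. It is not Tenable's code and does not reproduce the VPR, ACR or Cyber Exposure Score algorithms; the risk score below (exploit likelihood multiplied by a business-assigned asset criticality) is a deliberately simple, hypothetical model. It shows the two things the steps describe: tagging assets with business metadata both by rule and by hand, and ranking findings by business risk rather than by raw severity, then rolling the risk up per business unit or owner team. All hostnames, tags, rules, vulnerability identifiers and scores are constructed for the example.

```python
"""Business-context prioritization of vulnerability findings (added example).

Not Tenable's code or scoring algorithm. The inventory, tag rules, findings
and the risk formula are all constructed to illustrate the chapter's steps.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    tags: dict          # business metadata, e.g. {"business_unit": "finance"}
    criticality: int    # 1 (low) .. 10 (crown jewel); agreed with business partners


@dataclass
class Finding:
    asset: str              # hostname the finding was observed on
    vuln_id: str            # constructed placeholder id, not a real CVE
    cvss: float             # 0.0 .. 10.0 severity reported by the scanner
    exploited_in_wild: bool  # threat-intel flag: active exploitation observed


# Constructed tagging rules: hostname prefix -> tags (the "automatic" tagging path)
TAG_RULES = [
    ("erp-", {"business_unit": "finance", "owner_team": "dba"}),
    ("web-shop-", {"business_unit": "ecommerce", "owner_team": "web-platform"}),
]


def apply_tag_rules(asset: Asset, rules=TAG_RULES) -> Asset:
    """Merge rule-derived tags into the asset; manually set tags take precedence."""
    derived = {}
    for prefix, tags in rules:
        if asset.hostname.startswith(prefix):
            derived.update(tags)
    return Asset(asset.hostname, {**derived, **asset.tags}, asset.criticality)


def exploit_likelihood(f: Finding) -> float:
    """Hypothetical likelihood term in [0, 1]: scanner severity, boosted when
    exploitation is observed in the wild (stands in for threat-context data)."""
    base = f.cvss / 10.0
    return min(1.0, base * (1.5 if f.exploited_in_wild else 1.0))


def risk_score(f: Finding, inventory: dict) -> float:
    """Business risk = likelihood x asset criticality, scaled to 0..100."""
    asset = inventory[f.asset]
    return round(exploit_likelihood(f) * asset.criticality * 10, 1)


def prioritize(findings, inventory: dict):
    """Rank findings by business risk, highest first (ties: higher CVSS, then id)."""
    return sorted(findings, key=lambda f: (-risk_score(f, inventory), -f.cvss, f.vuln_id))


def risk_by_tag(findings, inventory: dict, tag_key: str) -> dict:
    """Roll total risk up per tag value: 'which job is exposed' (business_unit)
    or 'who do I work with to fix it' (owner_team)."""
    totals = defaultdict(float)
    for f in findings:
        tag_value = inventory[f.asset].tags.get(tag_key, "untagged")
        totals[tag_value] += risk_score(f, inventory)
    return dict(totals)


# Constructed inventory: two hosts are tagged by rule, the kiosk by hand.
INVENTORY = {
    a.hostname: a
    for a in map(apply_tag_rules, [
        Asset("erp-db-01", {}, 10),
        Asset("web-shop-02", {}, 8),
        Asset("kiosk-lobby-07", {"business_unit": "facilities",
                                 "owner_team": "desktop-support"}, 2),
    ])
}

# Constructed findings. VULN-B and VULN-C are identical at the scanner level;
# only business context separates them.
FINDINGS = [
    Finding("erp-db-01", "VULN-A", 7.5, False),
    Finding("web-shop-02", "VULN-B", 9.8, True),
    Finding("kiosk-lobby-07", "VULN-C", 9.8, True),
    Finding("erp-db-01", "VULN-D", 5.0, True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, INVENTORY):
        print(f"{f.vuln_id:7} on {f.asset:15} risk={risk_score(f, INVENTORY):5}")
    print("by business unit:", risk_by_tag(FINDINGS, INVENTORY, "business_unit"))
    print("by owner team:   ", risk_by_tag(FINDINGS, INVENTORY, "owner_team"))
```

Two results are worth noting when you run it. The lobby kiosk carries a CVSS 9.8 finding with active exploitation, yet it ranks last because the asset is not critical to the business, while a medium-severity finding on the ERP database ranks alongside a high-severity one there. And the per-tag roll-up gives a finance or ecommerce owner a single number for their area, which is the kind of business-framed view the chapter argues executives can relate to.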

Chapter 2: Case Study: What the Business-Cybersecurity Disconnect Looks Like in Real Life


As organizations around the world raced to develop strategies to respond to the COVID-19 pandemic, it was clear that cybersecurity lacked a seat at the table.

It’s common knowledge that cybercriminals converge around big news events — whether a global crisis or a headline-grabbing vulnerability like WannaCry — in order to perpetrate malware and phishing scams. In 2020, no news grabbed headlines quite like the emergence of COVID-19, a virus-borne illness which sparked a global pandemic. The crisis caught many organizations off guard and highlighted how a lack of disaster response and business continuity preparedness, combined with misalignment amongst business and security leaders, put organizations at risk.

Although nearly all respondents in the Forrester Consulting commissioned study (96%) say their organizations have developed COVID-19 response strategies, the vast majority (75%) say that business and security efforts are only “somewhat” aligned, at best.

This is deeply concerning at a time when the sudden, widespread embrace of work-from-home models in response to the pandemic is unleashing a plethora of end-user devices upon corporate networks. Remote desktops, once a nice-to-have offering for a select group of workers, are now essential tools used by scores of employees to keep organizations running. Employees are suddenly connecting to core business systems and applications using their own previously untested — and potentially vulnerable — consumer routers and home networks. The popularity of internet-of-things (IoT) devices makes them potential threat vectors. The average home network could include an Amazon Alexa or other voice-activated tool, internet-connected TVs and video game devices, not to mention the assorted laptops, tablets and phones belonging to spouses, children or others in the household.

The Brookings Institute estimates that, as of April 9, 2020, up to half of American workers were working from home, which it calls “a massive shift.” Indeed, a Pew Research study shows that, prior to the pandemic, only 7% of civilian workers in the United States — roughly 9.8 million of the nation’s approximately 140 million civilian workers — had access to a “flexible workplace” benefit or telework option.

And cybercriminals are swooping in to take advantage of the exponentially expanding attack surface. According to the Forrester study, as of mid-April 2020, four in 10 organizations (41%) had already experienced at least one business-impacting* cyberattack as a result of a COVID-19-related phishing or malware scheme. In fact, COVID-related scams were the No. 1 source of all business-impacting cyberattacks reported in the study. Although the World Health Organization had only declared COVID-19 a pandemic a few weeks earlier, by the time the survey was conducted COVID-related attacks had already outpaced other business-impacting attacks such as fraud (40%), data breach (37%), ransomware (36%) and software vulnerability (34%).

Cybersecurity leaders are understandably worried about these trends. Two out of three respondents to the Forrester survey (67%) say they are very or extremely concerned that the workforce changes necessitated by COVID-19 will increase their organization’s level of risk.

Making matters worse, roughly half of the cybersecurity leaders surveyed (48%) say they have only moderate to no visibility into their remote, work-from-home employees.

One of the key ways to bridge this disconnect is for organizations to bring cybersecurity into the fold when developing risk management strategies.

How risk management can help you become a business-aligned cybersecurity leader

CISOs, CSOs and other cybersecurity leaders are uniquely suited to taking on a bigger role in risk management and the related disciplines of business continuity, disaster recovery and crisis management. Your work puts you squarely at the intersection of technology and business. You have visibility into all of the systems, data and processes required to deliver on a business continuity and disaster recovery plan. Being involved in risk management can also make your job a little more manageable: If you can understand all of your critical processes and assets from a broad enterprise risk perspective, it will only make you stronger in cybersecurity as well.

There’s also a clear operational benefit to be gained from performing risk management exercises which can serve as a bridge between the business and the infosec sides of the organization. What is revealed in the process will help the entire organization understand how to best prioritize resources — both human and financial — to keep the business running even during a crisis.

At a time when organizations are facing a potentially lengthy period of economic uncertainty, it becomes more critical than ever to prioritize investments based on risk. The Forrester study shows that when security and the business are aligned, they deliver notable results. For example, 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just a quarter (25%) of their more reactive and siloed peers.

Getting involved in the development of your organization's Enterprise Risk Management (ERM) strategy will put you on the path to becoming a business-aligned cybersecurity leader.

These six steps will help with your initial enterprise risk identification and assessment:

  1. Develop and distribute a risk assessment survey to key stakeholders. These are typically fielded to the senior director level and above and should include representatives from all of the major departments in your organization, including finance, legal, human resources, information technology, information security, sales, operations, marketing and R&D. Once your survey is complete, you'll want to organize the responses into risk categories so you can compile an inventory of enterprise risks.
  2. Conduct research and analysis to compare your organization's enterprise risks to industry risk surveys.
  3. Develop a risk assessment methodology, including probability and impact, to get a total risk rating.
  4. Identify key leaders in your organization and devote time to interviewing them to get their feedback on risks and prioritization as well as risk probability and impact.
  5. Present your risk assessment results to executives to finalize the top risks and assign executive risk owners.
  6. Work with executive risk owners to identify mitigation activities for the top risks.

Performing the above steps is a painstaking exercise that yields a high degree of benefit by giving you a clear set of priorities. You’ll have an agreed-upon list of enterprise risks. While cybersecurity is likely to be its own standalone enterprise risk, it will certainly impact many, if not all of the enterprise risks in some form.

Couple the enterprise risk assessment with a business impact analysis — essential to business continuity and disaster recovery to determine which critical systems and business processes your organization can least afford to live without — and the two serve as the foundation for developing a business-aligned cybersecurity strategy. You’ll emerge with a list of your most critical enterprise risks and processes, making it equally possible to clearly prioritize responses in a time of crisis — regardless of whether the crisis results from a cyberattack, a natural disaster or a global pandemic — and when normal business operations resume.

In stable times, it’s all too easy for organizations to treat enterprise risk management as a mere check-box exercise best left to a segregated team of risk professionals. With COVID-19, business and technology leaders have found themselves enrolled in a crisis management crash course. It’s worth taking this moment as an opportunity to rethink your approach to enterprise risk so you’re better prepared for the down times and positioned to benefit when things are going well.

*For the purpose of this study, “business-impacting” relates to a cyberattack or compromise that resulted in one or more of the following: a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

The Cyber Exposure Score: How Secure is the Business?

Tenable Lumin enables organizations to effectively measure and benchmark their cyber exposure, providing comparisons both internally and externally against peer organizations.


Managing your security posture during rapid change

It’s especially important during times of rapid change to understand how new business strategies can simultaneously expand your organization's attack surface and introduce new risks. As a security leader, you must be able to measure the impact of these changes on your security posture, while also communicating this information to your partners across the organization in terms they can understand.

To meet both needs, Tenable created the Cyber Exposure Score (CES), a simple, objective rating that represents the intersection of your technical and business risk. CES is backed by data science and updated automatically each day by machine-learning algorithms that combine vulnerability data with other risk indicators such as threat intelligence and asset criticality. The score combines Tenable’s Vulnerability Priority Rating (VPR), which measures the likelihood of exploitation and its potential impact, with our Asset Criticality Rating (ACR), which tracks the business value of each affected asset.

As the evolving threat landscape necessitates ongoing communication, Tenable also supports a continuous view of Cyber Exposure Trending, including visualizations that show improvements or declines over time, giving you and your business stakeholders insight into security program effectiveness. You can show the CES of your organization over the past six months and highlight seven-day changes to flag potential issues. Use this data to chart your progress over time, identify problem areas and allocate resources accordingly.

Chapter 3: Communicating Business Risk: Why Existing Cybersecurity Metrics Fall Short


Even with a plethora of tools at their disposal, infosec leaders struggle to bridge the business-security disconnect.

How do you communicate the business risk context of your cybersecurity program to your organization’s C-level executives?

Security and risk management leaders have an arsenal of frameworks and controls at hand with which to measure the most granular facets of their programs. While such metrics are invaluable in helping to manage the day-to-day operations of security teams, they fall short when it comes to communicating with business leaders.

When you're interacting at the C-level or even at the audit committee level — which more often than not is the board entity responsible for security — executives want to understand what impact your cybersecurity program is having on the organization’s ability to fulfill its core value proposition. Yet, a global commissioned study of more than 800 business and cybersecurity leaders conducted by Forrester Consulting on behalf of Tenable reveals that 66% of business leaders are — at most — only somewhat confident in their security team’s ability to quantify their organization’s level of risk or security.

This is not to suggest that security leaders are doing something wrong. Rather, it shines a clear spotlight on an unavoidable reality: Current ways of measuring cyber risk don’t provide the business context organizations require. Over half of security leaders surveyed lack confidence that they have the technology or processes to predict cybersecurity threats to their business while roughly two-fifths are unsure they have the data.

How do we calculate cyber risk?

Cyber risk is a function of your assets, security controls, threats and vulnerabilities at any given point in time. Without knowing which assets are most critical to your core business value, it’s impossible to arrive at an understanding of which cyber risks represent an actual threat to your business. Once you’ve determined your most critical assets, the next step is to understand which of the tens of thousands of threats and vulnerabilities facing your organization each year actually pose the greatest risk to those core assets.

According to the Forrester study, fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. The majority of security leaders polled (56%) are not applying business risk management objectives to their vulnerability prioritization processes. Only half (51%) say their organization works closely with business stakeholders to align cost, performance and risk-reduction objectives with business needs. And just one in four report that they regularly review the security organization’s performance metrics with their business counterparts.

The study also reveals:

  • More than half of security leaders (56%) say their organization lacks good visibility into the security of their most critical assets.
  • Approximately 60% of respondents report high or complete visibility into risk assessments for on-premises employees, but only 52% can say the same when employees are remote or working from home.
  • Just 51% report having high or complete visibility into systems used by contractors or partners and 55% report the same for their third-party vendors.

You can’t calculate cyber risk without business context

Two of the most common questions asked of security leaders by senior business leaders and the board are: “Are we secure?” and “How does our program compare to peers?”

But, unlike their business counterparts, security leaders have limited objective data upon which to build the cyber risk equation of assets, security controls, threats and vulnerabilities required to answer both questions. No existing framework captures the entirety of the infosec operation, leaving security leaders to cobble together a hodgepodge of measures. Without an objective measure of the business context for each of your assets, your cyber risk calculations can only take you so far.

Fewer than half of security leaders surveyed by Forrester Consulting consider the industry benchmarking frameworks they use to be very effective in accurately reporting on business risk.

Indeed, according to the Forrester study, fewer than half of security leaders consider the industry benchmarking frameworks they use to be very effective in accurately reporting on business risk. And more than half say they are not doing an adequate job benchmarking their security controls.

At the same time, there are so many variables involved in any organization’s attack surface that achieving industry-wide consensus on security metrics is likely to remain a holy grail for the foreseeable future. No organization can ever claim to be 100% secure. All any security leader has is their informed calculation of what’s considered an acceptable level of risk, which allows them to make business decisions about how far to go once they’ve addressed a reasonable level of exposure.

So, how can you work with what you have in order to begin bridging the disconnect between cybersecurity and the business?

Download the Full Study: The Rise of the Business-Aligned Security Executive

A commissioned study of more than 800 business and cybersecurity leaders worldwide conducted by Forrester Consulting


Using the data you have to get to where you need to go

Risk is relative, not absolute. There will always be risk within the enterprise. The question is whether the organization’s leaders have reduced or increased risk by taking a particular business action. What the currently available security assessment options do is give you the ability to snap a chalk line, so you have a starting place from which you can begin to identify the work needed to further refine your security program.

There is no one-size-fits-all approach to identifying the key risk indicators that matter most to your organization. All security leaders can do, as industry professionals, is work together to begin formulating the kinds of business risk metrics that will be most meaningful to C-level business leaders.

To that end, Tenable CSO Robert Huber has provided the following list of real-world questions he has been asked by boards and C-level executives in the course of his career. Consider these examples as you prepare for your own meetings with your organization's senior leadership.

  1. What and/or where are our most critical risks, functions, and assets?
  2. What are you doing to protect them?
  3. How mature is our program compared to the industry and our peers?
  4. What is your roadmap to improve our maturity?
  5. How is our security program resourced compared to competitors or peers in our industry sector?
  6. Are our most business-critical functions more secure today than they were a year ago?
  7. What are we doing about (insert latest headline-grabbing vulnerability here)?

Perhaps the above questions will spark your own ideas for other business risk indicators worth measuring so that, collectively, security leaders can find better ways to achieve alignment between cybersecurity and the business.

Introducing a common language for communicating your security strategy to business leaders and the board

Bridging the business-security gap is challenging. Security leaders need better ways of answering questions posed by their business peers. The Forrester study makes vivid the need for a tool that provides a clear, concise measurement of business risk that is actionable by business leaders, while also providing the breadth of functionality needed for security teams. That’s where Tenable Lumin comes into play.

  • Calculate and communicate your cyber exposure
    Get an objective measure of cyber risk via the Cyber Exposure Score (CES), which combines vulnerability data with other risk indicators, such as threat intelligence and asset criticality. CES can be applied to any group of assets, from a single asset to all assets across the entire organization. Armed with this information you can prioritize your efforts to protect your most critical functions and assets and report on your progress.
  • Track progress with ‘cyber exposure trending’
    Advanced visualizations help in understanding trend improvements over time as a measure of security program effectiveness. Track the CES of your organization over the past six months and highlight seven-day changes to flag potential issues. You can use this data to chart your progress over time, identify problem areas and allocate resources accordingly.
  • Benchmark your maturity against industry peers
    Organizations can benchmark themselves against industry peers to quickly identify shortcomings and strengths. Benchmarks are available for a number of key metrics, such as CES and assessment maturity, providing a baseline by which to analyze and compare the effectiveness of your security operations to others in your industry as well as overall averages.
  • Analyze gaps and best practices across your organization
    Because CES can be applied to any group of assets, security teams are able to benchmark internal operational groups (e.g., business units, computing environments, branch locations) against one another. This analysis helps to focus attention and resources on areas of high exposure and to identify best practices across the organization. Asset groupings can be fully customized by leveraging existing tags, which allow you to filter and analyze segments of your organization.
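To make the risk function described under “How do we calculate cyber risk?” (assets, security controls, threats and vulnerabilities) and the per-group benchmarking described above concrete, here is an added worked example. It is illustrative code written for this chapter, not Tenable’s code and not the Cyber Exposure Score formula; the weights, the 1-to-5 criticality scale, the control-effectiveness factor, the asset names and the vulnerability identifiers (VULN-A to VULN-D) are all constructed assumptions. It shows why a headline CVSS 9.8 on a low-value build server can rank below a CVSS 7.5 on the most critical database once business context is applied, and how per-asset scores roll up into a comparable number per business group.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    group: str                    # business unit, environment or site the asset belongs to
    criticality: int              # 1..5, supplied by business stakeholders (5 = core value proposition)
    control_effectiveness: float  # 0.0..1.0, how far compensating controls reduce exposure (assumed scale)


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # constructed placeholder ids, not real CVE numbers
    cvss: float              # 0.0..10.0 base score
    exploit_available: bool  # threat signal: a public exploit has been observed


# Conservative default for assets that appear in scan data but not in the business inventory:
# treat them as fully critical and unprotected until the business says otherwise.
UNKNOWN_ASSET_GROUP = "unclassified"


def finding_risk(finding: Finding, asset: Asset) -> float:
    """Score one finding on 0..100 as severity x threat x business impact x residual exposure.
    The 0.3 threat weight for 'no known exploit' is an assumption for this example."""
    severity = finding.cvss / 10.0
    threat = 1.0 if finding.exploit_available else 0.3
    impact = asset.criticality / 5.0
    exposure = 1.0 - asset.control_effectiveness
    return round(100.0 * severity * threat * impact * exposure, 1)


def _lookup(asset_name: str, inventory: dict) -> Asset:
    # Unknown asset: assume worst-case criticality and no controls (visibility gap made explicit).
    return inventory.get(asset_name, Asset(asset_name, UNKNOWN_ASSET_GROUP, 5, 0.0))


def prioritize(findings, assets):
    """Return (score, finding) pairs ordered by business risk, highest first."""
    inventory = {a.name: a for a in assets}
    scored = [(finding_risk(f, _lookup(f.asset, inventory)), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def group_exposure(findings, assets):
    """Criticality-weighted mean of each asset's worst finding, per business group (0..100).
    Assets with no findings contribute 0, so a clean group scores low."""
    inventory = {a.name: a for a in assets}
    worst = defaultdict(float)   # asset name -> highest finding risk seen
    seen = dict(inventory)       # also picks up unknown assets discovered via findings
    for f in findings:
        asset = _lookup(f.asset, inventory)
        seen[asset.name] = asset
        worst[asset.name] = max(worst[asset.name], finding_risk(f, asset))
    weighted = defaultdict(float)
    weight = defaultdict(int)
    for asset in seen.values():
        weighted[asset.group] += worst[asset.name] * asset.criticality
        weight[asset.group] += asset.criticality
    return {g: round(weighted[g] / weight[g], 1) for g in weight}


# Constructed sample inventory and scan findings (not real systems or vulnerabilities).
ASSETS = [
    Asset("pay-db-01", "payments", 5, 0.2),
    Asset("pay-web-01", "payments", 4, 0.4),
    Asset("dev-build-07", "engineering", 2, 0.0),
    Asset("hr-portal", "corporate", 3, 0.3),
]
FINDINGS = [
    Finding("dev-build-07", "VULN-A", 9.8, True),  # headline-grabbing score on a low-value asset
    Finding("pay-db-01", "VULN-B", 7.5, True),     # lower CVSS, but on the most critical asset
    Finding("pay-web-01", "VULN-C", 9.8, True),
    Finding("hr-portal", "VULN-D", 5.3, False),
]

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.1f}  {f.vuln_id:7s} on {f.asset:13s} (CVSS {f.cvss})")
    for group, score in sorted(group_exposure(FINDINGS, ASSETS).items(), key=lambda kv: -kv[1]):
        print(f"{group:12s} exposure {score:5.1f}")
```

Run as-is, the ranking puts VULN-B on pay-db-01 (60.0) ahead of the CVSS 9.8 VULN-A on the build server (39.2), and the payments group scores higher than engineering even though engineering holds the “scarier” finding. The deliberate design choice is the unknown-asset default: anything scanned but absent from the inventory is scored as if it were a fully critical, unprotected asset, which surfaces the visibility gap the survey numbers above describe rather than silently dropping it.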

Chapter 4: Five Steps to Becoming a Business-Aligned Cybersecurity Leader

When security and the business are aligned around agreed-upon contextual data, they deliver demonstrable results. Here’s how to get there.

Cybersecurity leaders are drowning in data. You know how many vulnerabilities there are. You know how many patches you’ve deployed. You can recite chapter and verse on the latest threats. Yet, with all this information at your disposal, you may still struggle to answer the question “How secure, or at risk, are we?” with a high degree of confidence.

Why? Because you’re missing one key piece of information: business context.

The typical equation used to calculate an organization's level of security or risk is a function of assets, security controls, threats and vulnerabilities. Without business context — understanding which assets are most critical to the core value proposition of your business and which security controls are in effect for each of those assets — the results of any security risk calculations are incomplete, at best.

But security leaders can’t arrive at an understanding of business context by working in a silo. It requires a level of strategic alignment between business and cybersecurity leaders that is lacking in most organizations. The commissioned Forrester Consulting study shows significant disconnect between business and security: Just 54% of security leaders and 42% of business executives surveyed say their cybersecurity strategies are completely or closely aligned with business goals. Less than half of security leaders surveyed say they consult business leaders with a high level of frequency when developing their cybersecurity strategy. Even worse, four out of 10 business executives rarely — if ever — consult with security leaders when developing their organizations’ business strategies.

Just 54% of security leaders and 42% of business executives surveyed by Forrester Consulting say their cybersecurity strategies are completely or closely aligned with business goals.

Yet, the study shows that when business and security are aligned, they deliver demonstrable results. For example, business-aligned security leaders are:

  • Prepared to report on security and risk. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
  • Ready to show ROI on their security initiatives. The vast majority of business-aligned security leaders (85%) have metrics to track cybersecurity ROI and impact on business performance compared with just 25% of their more reactive and siloed peers.
  • Equipped with a defined benchmarking process. Nearly nine out of 10 business-aligned security leaders (86%) have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups. Only 32% of their non-aligned peers can say the same.

That’s not to say responsibility for achieving alignment falls squarely on the shoulders of the security leader. Some organizations are culturally inclined to create silos. No matter how much effort you put into it, if you work for one of these organizations you may always struggle to align with your business counterparts.

If you’re not sure where your organization falls on the alignment continuum, there’s one quick way to tell: If you have an executive with the title of Business Information Security Officer then your organization falls on the more mature end of the alignment scale. According to the Forrester study, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title compared with only 35% of their less-aligned counterparts.


How to Become a Business-Aligned Cybersecurity Leader

If you’re lucky enough to work for an organization where the business-cyber alignment is already relatively mature, then your path to becoming a business-aligned security leader will be fairly clear, even if it does require considerable effort to navigate. But if you happen to work for an organization on the lower end of the alignment-maturity scale, your journey will be far more challenging. Since there’s no one-size-fits-all approach, the following guidelines offer options tailored to fit each of three broad levels of alignment maturity.

Five steps to improve alignment with your business stakeholders at each level of organizational maturity

  1. Make sure you understand your organization’s business objectives for the year.
     • Least Aligned: You’ll most likely need to do your own research, looking to public-facing documents, such as earnings forecasts and financial statements, to develop a reasonably clear picture of organizational priorities.
     • Moderately Aligned: This may require plugging into VP-level leadership calls, tuning into your organization’s all-hands meetings and looking for other ways to assimilate with your business colleagues.
     • Highly Aligned: You have, or will need to work on obtaining, a seat at weekly meetings held by your executive staff and you are regularly asked to present to the board.
  2. Consider how those business objectives shape technology decisions.
     • Least Aligned: You may have to rely on connections with colleagues across the enterprise to help you develop a picture of your most critical systems and assets. In particular, pay attention to outages and incidents to sniff out areas that have perceived importance.
     • Moderately Aligned: You may need to do some leg work by setting up calls with VPs or other line-of-business leaders to get up to speed on which systems matter most.
     • Highly Aligned: Conduct a business impact assessment by surveying your key business executives to gain a clear understanding of which systems are most critical to the day-to-day running of your organization.
  3. Work with business stakeholders to ensure your cybersecurity metrics incorporate business context.
     • Least Aligned: You may have to resort to external sources, such as industry events, case studies or networking groups, to develop a bird’s-eye view of common business needs and key security metrics and make an educated guess about which ones work for your organization.
     • Moderately Aligned: Developing such metrics can be a challenge because you may not have the access to senior executives who can help you define the business context. You’ll need to build connections with directors or line-of-business leaders and consult with industry peers to help you develop an understanding of which metrics make the most sense to you.
     • Highly Aligned: This step is as much about knowing the right questions to ask as it is about identifying a small number of metrics that are most meaningful for your enterprise.
  4. Prioritize your cybersecurity actions based on the learnings you’ve gained from the above steps.
     • Least Aligned: You can begin by assessing the gaps in your process, such as a lack of asset criticality data, and develop a roadmap for how you’ll fill each gap over time.
     • Moderately Aligned: You can integrate asset criticality data with threat and vulnerability data to move toward a more risk-based approach.
     • Highly Aligned: You’ll want to make use of automation and apply business risk management objectives to threat and vulnerability prioritization practices using a predictive approach.
  5. Communicate using benchmarks that make sense to your business stakeholders.
     • Least Aligned: Consider working with outside advisors to help you develop your business-savvy language skills. In the process, you will likely uplevel your business leaders’ regard for assessing not only risk, but the business itself.
     • Moderately Aligned: You may need to rely more on your powers of observation; be mindful of the language your business colleagues use and tailor your communications accordingly.
     • Highly Aligned: Even in a highly aligned organization, the subjectivity of existing frameworks and the lack of industry consensus about key risk indicators can make this a challenge. Still, if you’ve already got a high degree of organizational alignment, your C-level peers will likely welcome a candid conversation about what they need to know, and what you can omit, in your reports.

Source: Tenable, August 2020.

Becoming a business-aligned cybersecurity leader is a marathon, not a sprint. It requires learning how to speak the languages of business and technology with equal fluency. But, as the Forrester study notes, “modern security threats require a new approach.” The future belongs to the security leaders who are ready to manage cybersecurity as a business risk.

Chapter 5: A Day in the Life of a Business-Aligned Security Executive

The future belongs to cybersecurity leaders who can align their objectives with an understanding of business risk. Here are eight daily actions you can take to get there.

The previous chapters have explored how limitations in the technology, processes and data available to infosec leaders are compounding the chronic disconnect between cybersecurity and business. But the discussion would be incomplete without also considering the human factors that lie at the core of the disconnect.

CISOs and other cybersecurity leaders are unique participants in the executive suite. You have to be equally fluent in the languages of technology and business. Yet, unlike colleagues in finance or sales — who may hold master’s degrees in business or have other similar educational backgrounds — many cybersecurity leaders have technical backgrounds such as computer science. Infosec leaders typically rise up through the technical ranks of an organization. This puts you at an immediate disadvantage when you finally arrive at a senior managerial or C-level role.

CISOs and other cybersecurity leaders are unique participants in the executive suite. You have to be equally fluent in the languages of technology and business.

Technology is your first, native language. And the tools and processes you use are all based on the language of technology, giving you results you can clearly articulate in your native tongue. Most of you have learned to passably speak “business as a second language” but a disconnect remains, in part, because the tools and frameworks you need to do your job don’t lend themselves to easy translation.

It's all in a day's work

A SANS Institute paper from 2003 articulated the challenges, which remain current to this day: “[CISO] responsibilities are unlike any other in the C-suite, not even CIOs have this scope.” The SANS paper details the following as being among the most important responsibilities carried out by most CISOs:

  • Act as the organization's representative with respect to inquiries from customers, partners, and the general public regarding the organization's security strategy.
  • Act as the organization's representative when dealing with law enforcement agencies while pursuing the sources of network attacks and information theft by employees.
  • Balance security needs with the organization's strategic business plan, identify risk factors, and determine solutions to both.
  • Develop security policies and procedures that provide adequate business application protection without interfering with core business requirements.
  • Plan and test responses to security breaches, including the possibility for discussion of the event with customers, partners, or the general public.
  • Oversee the selection, testing, deployment, and maintenance of security hardware and software products as well as outsourced arrangements.
  • Oversee a staff of employees responsible for the organization's security, ranging from network technicians managing firewall devices to security guards.

Given the sheer scope of the role, it can be difficult to figure out where to prioritize your time on a typical day. Most security executives would prefer to live in the technical comfort zone represented by the last three bullets above, spending their days planning for incidents and overseeing operations designed to minimize their likelihood.

But staying in your comfort zone is not making anyone safer. According to the commissioned Forrester Consulting study, 94% of organizations have experienced a cyberattack in the past 12 months that resulted in at least one of the following: a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property. And the vast majority of respondents (77%) expect cyberattacks to increase in the next two years.

The study also finds that 66% of business leaders are — at most — only somewhat confident in their security team's ability to quantify their organization’s level of risk or security.

Becoming a business-aligned security leader: 8 steps

It’s clear that something needs to change. Security leaders need to find ways to improve alignment with the business. And that requires effort every single day. You need to be mindful of how you’re prioritizing your time to make sure you’ve structured your operations in a way that allows you ample time to focus on business alignment. Here are eight practices you can incorporate into your days that will set you on the path toward a business-aligned future:

  1. Spend time each day reviewing your company's external-facing documents. Pay attention to what your organization's executives are communicating via financial statements, press releases, news articles, social media sites and industry forums.
  2. Schedule time with line-of-business executives to develop an understanding of their day-to-day challenges and build rapport. Learn how their performance is measured. Help them to see security as an enabler of their business needs rather than an impediment. This way they'll be more likely to involve you earlier in their strategic plans.
  3. Cultivate a working knowledge of the priorities and challenges facing organizations in your industry sector. Join trade associations or other professional organizations, read business-to-business articles in trade journals, attend webinars and other industry events. By doing so, you'll gain a working vocabulary and important perspectives to help you better align your security initiatives to your organization's unique business needs.
  4. Schedule regular check-ins with your fellow C-suite executives and use the time to learn what keeps them up at night. It's only by understanding broader business pain points that you can begin to develop a holistic understanding of what “risk” really means to your organization.
  5. Use quarterly business reviews as a prime learning opportunity. Listen closely to the strategic priorities and pain points articulated by your peers and consider the external business factors influencing them. Pay attention to how each executive demonstrates the return on their business investments and find ways to tailor your own security ROI metrics accordingly.
  6. Build a network of trusted business advisors. Engage mentors from across the business spectrum to provide guidance and offer a sounding board to help you refine your communications to become more business-friendly.
  7. Build relationships with the risk professionals in your organization. Cybersecurity is both a risk unto itself and a factor in all other business risk conversations. Find out how you can effectively participate in developing enterprise risk management strategies that keep cyber front-and-center.
  8. Pay attention to the third-party relationships happening across the organization. You may have a working knowledge of key relationships, such as your payroll processing or enterprise resource planning vendors. But how much visibility do you have into the tools and platforms used by your web team or the service and support contractors who maintain and service your organization's operational technology?

Finding time for all of the above, in addition to effectively performing all the other aspects of your role, may seem like a daunting proposition. You won’t be able to do all of them all at once. Choose the one or two that resonate most for you, and start there. By making the active choice to break out of your technology comfort zone and become more business-aligned, you will not only benefit your organization, you will also enhance your career, setting yourself up to take that coveted “seat at the table” in driving business risk strategies.

Tools you can use to align with the business

Tenable gives you the tools to see everything, predict what matters, and act to address risk across your entire attack surface. Being able to clearly, concisely and authoritatively answer the essential question “How secure, or at risk, are we?” is central to getting through a “day in the life” of a business-aligned security leader.

See everything

Because the threat landscape is always changing, you need continuous in-depth assessment of your converged attack surface through a real-time dashboard that provides clear insight into where you are exposed. Tenable provides visibility into the tools and technologies that power modern business strategies — cloud, containers, infrastructure, operational technology (OT), web apps and much more. These are the very same tools that expand the organization's attack surface and introduce risk to the business. With Tenable, you’re able to assess the state of every asset, including vulnerabilities, misconfigurations and other indicators of health. Tenable active scanning, agents, passive monitoring and cloud connectors provide visibility and a continuous view of all your assets — both known and previously unknown. Tenable has the industry’s most extensive CVE and security configuration support to help you see and understand all of your exposures.

Predict what matters

Organizations are overwhelmed with vulnerabilities. While over 17,000 new vulnerabilities were announced in 2019, less than 7% had active exploits published. Identifying those most dangerous vulnerabilities before they are utilized in an attack is critical. With over two decades of experience, and machine learning algorithms drawn from a 5 petabyte data lake containing over 20 trillion continually assessed threat, vulnerability and asset data points, Tenable allows you to identify the vulnerabilities, critical assets and risks that matter most to your organization and the secure execution of your business strategies. Tenable’s predictive approach lets you prioritize your efforts based on existing as well as emerging threats and their potential impact to your business. As a result, you can focus on vulnerabilities that attackers are most likely to exploit and fix first what matters most.

Act to address risk

Reactive, siloed and tactical security strategies hinder security leaders’ ability to get a clear picture of their organizations’ cybersecurity health and the threats that pose the greatest business risk. This makes it difficult to take action and communicate effectively across teams and with business counterparts. Tenable provides metrics for measuring cyber risk and program maturity in order to improve organizational processes, address risks and communicate results with clarity and confidence. Aligning on these metrics provides a common language to manage the balance between the speed of business transformation and an appropriate security posture. Tenable’s exposure quantification and benchmarking allow you to compare your effectiveness over time across internal operations and against peers: metrics critical for budgeting, resource allocation and process improvements.

With Tenable, you’re able to easily identify areas of focus and optimize security investments. Visualizations of the entire attack surface allow anyone — from analyst to executive — to quickly understand, communicate and act to reduce your organization’s Cyber Exposure.

COPYRIGHT 2020 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, LUMIN, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
