Independent business risk study shows when security and the business are aligned around agreed-upon contextual data, they deliver demonstrable results. Here's how to get there.
Folks, cybersecurity is broken. Security leaders are drowning in data. We can tell you how many vulnerabilities there are. We can tell you how many patches we've deployed. We can recite chapter and verse on the latest threats. Yet, with all this information at our disposal, most of us struggle to answer the question "How secure, or at risk, are we?" with a high degree of confidence.
Why? Because we're missing one key piece of information: business context.
The typical equation we use to calculate an organization's level of security or risk is a function of assets, security controls, threats and vulnerabilities. Without business context — understanding which assets are most critical to the core value proposition of your business and which security controls are in effect for each of those assets — the results of any security risk calculations are incomplete, at best.
But security leaders can't arrive at an understanding of business context by working in a silo. It requires a level of strategic alignment between business and cybersecurity leaders that is lacking in most organizations. Indeed, a commissioned study conducted by Forrester Consulting on behalf of Tenable shows a significant disconnect between business and security. According to the study, which is based on a survey of 416 security and 425 business executives, just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. Fewer than half of the security leaders surveyed say they consult business leaders with a high level of frequency when developing their cybersecurity strategy. Even worse, four out of 10 business executives rarely, if ever, consult with security leaders when developing their organizations' business strategies.
"The biggest challenge may be to make business owners get interested and understand that they should be the ones owning cybersecurity risks," said Jose Maria Labernia Salvador, head of IT security and internal control at LafargeHolcim IT EMEA in Madrid, in an interview with Tenable. "Cybersecurity is a business-related topic with a strong IT component. IT can support and guide, but business stakeholders and senior management are a core component in the equation."
The Forrester study shows that when business and security are aligned, they deliver demonstrable results. For example, business-aligned security leaders are:
- Prepared to report on security and risk. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
- Ready to show ROI on their security initiatives. The vast majority of business-aligned security leaders (85%) have metrics to track cybersecurity ROI and impact on business performance compared with just 25% of their more reactive and siloed peers.
- Equipped with a defined benchmarking process. Nearly nine out of 10 business-aligned security leaders (86%) have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups. Only 32% of their non-aligned peers can say the same.
That's not to say responsibility for achieving alignment falls squarely on the shoulders of the security leader. Some organizations are culturally inclined to create silos. No matter how much effort you put into it, if you work for one of these organizations you may always struggle to align with your business counterparts.
If you're not sure where your organization falls on the alignment continuum, there's one quick way to tell: If you have an executive with the title of Business Information Security Officer then your organization falls on the more mature end of the alignment scale. According to the Forrester study, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts.
How to become a business-aligned cybersecurity leader
If you're lucky enough to work for an organization where the business-cyber alignment is already relatively mature, then your path to becoming a business-aligned security leader will be fairly clear, even if it does require considerable effort to navigate. But if you happen to work for an organization on the lower end of the alignment-maturity scale, your journey will be far more challenging. Since there's no one-size-fits-all approach, I've tailored the following guidelines with three options, based on level of alignment maturity, in hopes that one of these options will present a starting place that works for you.
Five steps to improve alignment with your business stakeholders at each level of organizational maturity
| Step | Least aligned | Moderately aligned | Highly aligned |
|---|---|---|---|
| Step 1: Make sure you understand your organization's business objectives for the year. | You'll most likely need to do your own research, looking to public-facing documents, such as earnings forecasts and financial statements, to develop a reasonably clear picture of organizational priorities. | This step may require plugging into VP-level leadership calls, tuning into your organization's all-hands meetings and looking for other ways to assimilate with your business colleagues. | You already have, or will need to work on obtaining, a seat at weekly meetings held by your executive staff, and you are regularly asked to present to the board. These activities give you exposure to key business objectives. |
| Step 2: Consider how those business objectives shape technology decisions. | You may have to rely on connections with colleagues across the enterprise to help you develop a picture of your most critical systems and assets. In particular, pay attention to outages and incidents to sniff out areas that have perceived importance. | You may need to do some legwork by setting up calls with VPs or other line-of-business leaders to get up to speed on which systems matter most. | You can conduct a business impact assessment by surveying your key business executives to gain a clear understanding of which systems are most critical to the day-to-day running of your organization. |
| Step 3: Work with business stakeholders to ensure your cybersecurity metrics incorporate business context. | You may have to resort to external sources, such as industry events, case studies or networking groups, to develop a bird's-eye view of common business needs and key security metrics, and make an educated guess about which ones work for your organization. | You may not have access to senior executives who can help you define the business context. You'll need to build connections with directors or line-of-business leaders and consult with industry peers to help you develop an understanding of which metrics make the most sense for your organization. | This step is as much about knowing the right questions to ask as it is about identifying a small number of metrics that are most meaningful for your enterprise. |
| Step 4: Prioritize your cybersecurity processes based on the learnings you've gained from the above steps. | Begin by assessing the gaps in your process, such as a lack of asset criticality data, and develop a roadmap for how you'll fill each gap over time. | You can start to integrate asset criticality data with threat and vulnerability data to move toward a more risk-based approach. | Make use of automation and apply business risk management objectives to threat and vulnerability prioritization practices using a predictive approach. |
| Step 5: Communicate using benchmarks that make sense to your business stakeholders. | Consider working with outside advisors to help you develop your business-savvy language skills. In the process, you will likely raise your business leaders' regard for assessing not only risk, but the business itself. | You may need to rely on your powers of observation; be mindful of the language your business colleagues use and tailor your communications accordingly. | Even in a highly aligned organization, the subjectivity of existing frameworks and the lack of industry consensus about key risk indicators can make this step a challenge. Still, if you've already got a high degree of organizational alignment, your C-level peers will likely welcome a candid conversation about what they need to know, and what you can omit, in your reports. |
Source: Tenable, September 2020
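To make Step 4 concrete, here is an added Python illustration (not Tenable's scoring model, nor any published one) of what "integrating asset criticality data with threat and vulnerability data" looks like in practice: each finding is scored from the four inputs named earlier in this post (the asset's business criticality, whether a compensating control is in effect, threat signals, and the vulnerability's severity). The multiplier weights, the asset names and the findings are all constructed for the example. The same inventory is ranked two ways, by CVSS alone and by the combined risk score, and assets the business has never rated are reported as a criticality gap, which is exactly the gap the "least aligned" column of Step 4 tells you to put on a roadmap.

```python
"""Risk-based vulnerability prioritization from assets, controls, threats and
vulnerabilities.  Added illustration with assumed weights; not a published model."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed fallback used when the business has not yet rated an asset.
DEFAULT_CRITICALITY = 3


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: Optional[int]   # 1 (low) .. 5 (core to the business); None = not yet rated
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    asset: Asset
    finding_id: str              # constructed label, not a real vulnerability identifier
    cvss: float                  # 0.0 .. 10.0 base severity of the vulnerability
    exploited_in_wild: bool      # threat signal: active exploitation reported
    public_exploit: bool         # threat signal: a working exploit is public
    mitigated_by_control: bool   # a compensating control (isolation, WAF rule) is in effect


def effective_criticality(asset: Asset) -> int:
    """Use the business rating when it exists, otherwise the assumed default."""
    return asset.criticality if asset.criticality is not None else DEFAULT_CRITICALITY


def threat_factor(f: Finding) -> float:
    if f.exploited_in_wild:
        return 2.0
    if f.public_exploit:
        return 1.5
    return 1.0


def exposure_factor(f: Finding) -> float:
    return 1.5 if f.asset.internet_exposed else 1.0


def control_factor(f: Finding) -> float:
    return 0.5 if f.mitigated_by_control else 1.0


def risk_score(f: Finding) -> float:
    """severity x business criticality x threat x exposure x controls (assumed weights)."""
    return (f.cvss * effective_criticality(f.asset) * threat_factor(f)
            * exposure_factor(f) * control_factor(f))


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Severity-only ordering: what a siloed vulnerability report would show."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Business-context ordering using the combined score."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def criticality_gaps(findings: List[Finding]) -> List[str]:
    """Assets scored with the fallback because nobody in the business has rated them."""
    return sorted({f.asset.name for f in findings if f.asset.criticality is None})


# Constructed sample inventory; names, ratings and findings are made up for the example.
PAYMENT_API = Asset("payment-api", criticality=5, internet_exposed=True)
HR_PORTAL = Asset("hr-portal", criticality=4, internet_exposed=True)
DEV_CI = Asset("dev-ci", criticality=2, internet_exposed=False)
LEGACY_DB = Asset("legacy-db", criticality=None, internet_exposed=False)

SAMPLE = [
    Finding(PAYMENT_API, "F1", 7.5, exploited_in_wild=True, public_exploit=True, mitigated_by_control=False),
    Finding(HR_PORTAL, "F2", 9.0, exploited_in_wild=False, public_exploit=True, mitigated_by_control=True),
    Finding(DEV_CI, "F3", 9.8, exploited_in_wild=False, public_exploit=False, mitigated_by_control=False),
    Finding(LEGACY_DB, "F4", 6.0, exploited_in_wild=False, public_exploit=False, mitigated_by_control=False),
]

if __name__ == "__main__":
    print("by CVSS only :", rank_by_cvss(SAMPLE))
    print("by risk      :", rank_by_risk(SAMPLE))
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"  {f.finding_id} on {f.asset.name:12s} cvss={f.cvss:<4} risk={risk_score(f)}")
    print("unrated assets:", criticality_gaps(SAMPLE))
```

With this constructed data the CVSS-only list leads with the 9.8 on the internal CI box, while the risk-ranked list leads with the 7.5 that is being exploited in the wild on the internet-facing payment API, and the HR portal finding drops because a compensating control is in place. The `criticality_gaps` output is the list you take back to the business: every asset on it is being scored on a guess until someone who owns it rates it.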
Regardless of where your organization falls on the alignment-maturity continuum, you'll do well to follow the advice of Kevin Kerr, CISO of Oak Ridge National Laboratory in Oak Ridge, TN. In an interview with Tenable, Kerr advised: "The CISO needs to get out from behind their desk and walk around. Talk to people. Learn people's concerns and objectives at the various levels, bottom to top. Understand what's going on. Don't listen only to your IT people, because they're jaded from their IT point of view. Go see what's going on from the business point of view and listen." Of course, in the current COVID-19 pandemic you may have to perform such a walkabout virtually. But whether it's done face-to-face or via Zoom, the effort will benefit your organization and your career. "It gets your name around," said Kerr. "If people know you're there to help them figure out the best way to do what they want while still protecting the organization, they'll welcome your participation. I never want to be the 'no' in 'innovate.'"
Becoming a business-aligned cybersecurity leader is a marathon, not a sprint. It requires learning how to speak the languages of business and technology with equal fluency. But, as the Forrester study notes, "modern security threats require a new approach." The future belongs to the security leaders who are ready to manage cybersecurity as a business risk.
Previous blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question "How secure, or at risk, are we?" We also examined what COVID-19 response strategies reveal about the business-cyber disconnect and considered why existing cybersecurity metrics fall short when CISOs need to communicate with executives and the board. In an upcoming post, we'll spend a day in the life of a business-aligned security leader.
Learn more:
- See additional study highlights here
- Download the full study, The Rise of the Business-Aligned Security Executive
- Read the blogs
- Download the white paper, What It Takes to Be a Business-Aligned Cybersecurity Leader
- Read the eBook, How to Become a Business-Aligned Security Leader
- Listen to the Cyber Exposure Podcast series, "Interview with Tenable CSO Bob Huber"
- View the webinar, The Rise of the Business-Aligned Security Executive