By Adam Palmer, Chief Cybersecurity Strategist, Tenable
Cyber risk is not a concern managed by the Chief Information Security Officer (CISO) alone; it’s increasingly becoming a board-level issue. Security leaders are called upon to keep business leaders and board directors informed of the risk posture of their organization. However, many security leaders struggle to provide a clear picture of their cybersecurity posture, let alone convey this information in an understandable manner. Imagine this – a new vulnerability has been disclosed and your CEO wants to know what effect it will have on the core business. Would you, the CISO, have an answer and inspire confidence that the situation is under control?
A study by Forrester Consulting conducted on behalf of Tenable reveals that only four out of ten security leaders in India can answer the question, “How secure or at risk are we?” with a high degree of confidence. In today’s unpredictable economic climate, where change is the only constant, a CISO grapples with many challenges. The global pandemic is one example: remote work has become the new normal, introducing a new element of risk that security teams had little time to prepare for. The complexity is further compounded by the fact that organizations today operate in a digitally complex global economy in which nearly every industry sector and business model relies on technology.
This reliance means cyber risk now equates to business risk. It also means the modern CISO can no longer focus only on traditional IT security issues. The CISO must advocate for the security of both the technology and the business, evolving from technology expert to business-aligned security leader, and must move from tech speak to business speak. Here are three ways to establish closer alignment between security and business:
Align cybersecurity strategy with business goals
The Forrester study found that just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. Fewer than half of security leaders consult business executives all the time or very frequently when developing their cybersecurity strategy, and the reverse is also true: four out of 10 business executives rarely, if ever, consult security leaders when developing their organization’s business strategies.
The communication gap clearly lies on both sides of the fence. CISOs and business executives need to be aligned to defend against cyber risk. When cybersecurity priorities are set as part of business strategy, the role of the CISO is elevated to that of a strategic leader.
Quantify cyber risk in business terms
Globally, 66% of business leaders, including those in India, are only somewhat confident or not at all confident in their security team’s ability to quantify risk. Providing the business context of cyber risk can be challenging, especially since there are no black-and-white answers.
In order to provide business context, security and risk management leaders must first be able to answer two key questions: What is the organization’s core business purpose? And which assets are crucial in delivering on that core purpose? Along with identifying your critical business assets, you also have to be able to prioritize which of the thousands of threats and vulnerabilities facing your organization each year actually pose the greatest risk to those assets.
Visibility of the organization’s attack surface
To be effective strategic partners to the business, security leaders must have a holistic understanding of their entire attack surface within the context of business risk. Without visibility, cybersecurity cannot evolve as a business strategy. This is easier said than done, because an enterprise’s modern attack surface is a highly complex and fragmented matrix of on-premises, cloud, IT, Internet of Things (IoT) and operational technology (OT).
In the Forrester study, just over half of security leaders report that their security organization has a holistic understanding and assessment of the organization’s entire attack surface. Fewer than 50% of security organizations are using contextual threat metrics to measure their organizations’ cyber risk. This means their ability to analyze cyber risks and prioritize and execute remediation based on business criticality and threat context is limited.
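The two passages above (prioritizing vulnerabilities against the assets that deliver the core business purpose, and using contextual threat metrics rather than raw severity) are easier to picture with a small worked illustration. The following is an added example, not code from the article or any Tenable product; the asset tiers, the weighting factors, the finding ids and the findings themselves are all constructed for illustration, and the scoring formula is a deliberately simple stand-in for whatever contextual metric an organization actually adopts.

```python
"""Contextual vulnerability prioritisation: an illustrative scoring scheme.

Assumption: a severity score (here a CVSS-style 0-10 base score) is scaled by
three business-context factors: how critical the affected asset is to the
core business purpose, whether a working exploit is known, and whether the
asset is exposed to the internet. None of the weights below are standards.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float            # base severity, 0.0-10.0 (vendor/NVD style)
    exploit_known: bool    # public exploit code or observed in-the-wild use
    internet_facing: bool  # reachable from outside the perimeter


# Hypothetical asset inventory, constructed for this example. Tier 1 assets
# directly deliver the core business purpose (here, taking customer payments);
# tier 3 assets are disposable.
ASSET_TIER = {
    "customer-portal": 1,
    "payments-db": 1,
    "hr-wiki": 2,
    "dev-test-vm": 3,
}

TIER_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}


def contextual_score(f: Finding, tiers=ASSET_TIER) -> float:
    """Severity scaled by business criticality, threat context and exposure.

    An asset missing from the inventory is a visibility gap, not evidence
    that it is unimportant, so it is weighted as tier 1 (fail closed).
    """
    criticality = TIER_WEIGHT[tiers.get(f.asset, 1)]
    threat = 1.0 if f.exploit_known else 0.5
    exposure = 1.0 if f.internet_facing else 0.7
    return round(f.cvss * criticality * threat * exposure, 2)


def rank_by_cvss(findings):
    """Ordering a severity-only process would produce (highest CVSS first)."""
    return [f.finding_id for f in sorted(findings, key=lambda f: (-f.cvss, f.finding_id))]


def rank_by_context(findings, tiers=ASSET_TIER):
    """Ordering after applying business criticality and threat context."""
    return [f.finding_id
            for f in sorted(findings, key=lambda f: (-contextual_score(f, tiers), f.finding_id))]


# Constructed sample findings; ids are placeholders, not real advisories.
SAMPLE = [
    Finding("finding-1", "dev-test-vm", 9.8, exploit_known=False, internet_facing=False),
    Finding("finding-2", "payments-db", 7.5, exploit_known=True, internet_facing=False),
    Finding("finding-3", "customer-portal", 8.1, exploit_known=True, internet_facing=True),
    Finding("finding-4", "hr-wiki", 9.1, exploit_known=False, internet_facing=True),
    Finding("finding-5", "unknown-host-17", 6.5, exploit_known=True, internet_facing=True),
]

if __name__ == "__main__":
    print("by raw CVSS:", rank_by_cvss(SAMPLE))
    print("by context: ", rank_by_context(SAMPLE))
    for f in SAMPLE:
        print(f"{f.finding_id:10} {f.asset:16} cvss={f.cvss:4}  score={contextual_score(f)}")
```

With the constructed data, the finding with the highest raw CVSS (9.8 on a disposable test VM, no known exploit) drops to the bottom of the list, while a 7.5 on the payments database with a known exploit moves to the top tier. The uninventoried host ranks above the payments database precisely because the code refuses to assume an unknown asset is unimportant, which is the point made under visibility of the attack surface: an asset you have not classified cannot be prioritized correctly either way.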
As organizations in India continue to invest in cybersecurity, it’s important to emphasize strategic alignment between security and business leaders.