By Jason Hart
We have reached a point where cybersecurity is now accepted as a business critical process, and organisations are spending more than ever before. However, despite their continued technology investments, organisations are still getting breached – which means they are not getting the most out of their cybersecurity spending.
Cybersecurity tech is often bought with the best intentions, but most organisations are not effectively using their multiple security solutions and, as a result, they don’t see an ROI.
Ultimately, it comes back to a major disconnect: cybersecurity is not at the heart of business operating plans. Cybersecurity is an organisation-wide problem and can no longer be the sole responsibility of the IT and/or cybersecurity team.
When cybersecurity is integral to business operating plans, it can scale as the business grows. Only by decentralising cybersecurity can organisations truly turn it into a business process. So, how does an organisation go about decentralising its cybersecurity?
Making security part of daily business operations
The key issue is that many organisations do not measure their cybersecurity effectiveness. Measuring effectiveness means checking that the security stack is correctly integrated into the rest of the business and surrounded by the right processes. When security effectiveness is not measured, businesses cannot tell whether their investments are having an impact.
From a business operations perspective, cybersecurity is still the “new kid on the block.” Only in recent years has the cyber threat landscape necessitated a fresh look at how security works toward broader business goals.
As mentioned before, cybersecurity is an organisation-wide problem. It cannot be seen as a niche technical issue dealt with by a siloed department hidden away from the rest of the company. The sheer financial cost of a breach alone means that no one in the business can afford to ignore their share of the responsibility.
To solve the issue, accountability is needed. Everyone in the business — from the boardroom and the executive leadership, down to the most junior member of the team — has a role and responsibility in ensuring cybersecurity effectiveness. There should be a willingness from non-technical executives and other stakeholders to take accountability for cybersecurity and understand the processes and plans in place. CISOs must recognise how security fits into the rest of the enterprise and communicate it effectively.
Ultimately, there should be clear communication and understanding between all parties. Without it, cybersecurity will never truly become a core business process and the benefit will never show up in the organisation's bottom line.
For businesses looking to stay updated on emerging threats and collaborate on intelligence sharing, adopting the STIX/TAXII standards (STIX for the structured description of threat information, TAXII for exchanging it over HTTPS) provides a structured and trusted method of exchanging cyber threat intelligence.
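To make the STIX/TAXII point concrete, the following is an added example (not code from the original article or its author): it ingests a STIX 2.1 indicator bundle of the kind a TAXII 2.1 collection returns, keeps only indicators that are currently valid and whose patterns it can interpret, and checks constructed log lines against the extracted observables. It uses only the Python standard library; the bundle, the indicator values (RFC 5737 test addresses and `.example` names) and the log lines are all constructed for illustration, and the pattern parser is deliberately a subset of STIX patterning (only `=` comparisons joined by `OR` inside one observation expression), with anything else skipped rather than guessed at.

```python
"""Minimal STIX 2.1 indicator ingestion and log matching (added example)."""
import json
import re
from datetime import datetime, timezone

# STIX identifiers are "<type>--<uuid>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# One equality comparison in a STIX pattern, e.g. ipv4-addr:value = '203.0.113.7'.
# Assumption/simplification: only "=" comparisons are supported here.
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

# Constructed sample bundle (not real threat intelligence), shaped like a TAXII response.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--4b7c9c4e-1d2e-4f3a-9b8c-0a1b2c3d4e5f",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2d4a6b-1c3f-4e5a-9b7d-2f4e6a8c0b1d",
         "created": "2024-01-10T09:00:00.000Z", "modified": "2024-01-10T09:00:00.000Z",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2024-01-10T09:00:00Z", "valid_until": "2099-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f1e2d3c-4b5a-4968-8776-655443322110",
         "created": "2023-01-01T00:00:00.000Z", "modified": "2023-01-01T00:00:00.000Z",
         "name": "Expired indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'expired.example']",
         "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--5a6b7c8d-9e0f-4a1b-8c2d-3e4f5a6b7c8d",
         "created": "2024-01-20T00:00:00.000Z", "modified": "2024-01-20T00:00:00.000Z",
         "name": "Constructed phishing domains", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']",
         "valid_from": "2024-01-20T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
         "created": "2024-01-20T00:00:00.000Z", "modified": "2024-01-20T00:00:00.000Z",
         "name": "Pattern this parser does not support", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24']",
         "valid_from": "2024-01-20T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--1f2e3d4c-5b6a-4978-8a9b-c0d1e2f3a4b5",
         "created": "2024-01-20T00:00:00.000Z", "modified": "2024-01-20T00:00:00.000Z",
         "name": "Constructed malware family", "is_family": True},
    ],
})

# Constructed log lines to check against the feed.
SAMPLE_LOGS = [
    "2024-02-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.example",
    "2024-02-01T10:00:01Z dns query=bad.example from=10.0.0.9",
    "2024-02-01T10:00:02Z dns query=expired.example from=10.0.0.9",
    "2024-02-01T10:00:03Z dns query=notbad.example from=10.0.0.9",
]
NOW = datetime(2024, 2, 1, 10, 0, tzinfo=timezone.utc)  # fixed clock for the example


def parse_stix_time(value):
    """STIX timestamps are RFC 3339 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_simple_pattern(pattern):
    """Return [(object type, path, value), ...] or None if the pattern is unsupported."""
    pattern = pattern.strip()
    if not (pattern.startswith("[") and pattern.endswith("]")):
        return None
    comparisons = []
    for clause in pattern[1:-1].split(" OR "):
        match = COMPARISON_RE.fullmatch(clause.strip())
        if match is None:
            return None  # unsupported operator or syntax: skip, do not guess
        obj_type, path, value = match.groups()
        comparisons.append((obj_type, path, value.replace("\\'", "'")))
    return comparisons


def extract_iocs(bundle_json, now):
    """Collect observables from valid, non-revoked indicators; report what was skipped."""
    iocs, skipped = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        ind_id = obj.get("id", "")
        if not STIX_ID_RE.match(ind_id):
            skipped.append((ind_id, "malformed id"))
            continue
        if obj.get("revoked") or obj.get("pattern_type", "stix") != "stix":
            skipped.append((ind_id, "revoked or unsupported pattern_type"))
            continue
        valid_until = obj.get("valid_until")
        if now < parse_stix_time(obj["valid_from"]) or (
            valid_until and now >= parse_stix_time(valid_until)
        ):
            skipped.append((ind_id, "outside validity window"))
            continue
        comparisons = parse_simple_pattern(obj.get("pattern", ""))
        if comparisons is None:
            skipped.append((ind_id, "unsupported pattern"))
            continue
        for obj_type, path, value in comparisons:
            iocs.setdefault(f"{obj_type}:{path}", set()).add(value)
    return iocs, skipped


def match_log_lines(lines, iocs):
    """Return (line, ioc key, value) for every observable found as a whole token."""
    hits = []
    for line in lines:
        for key, values in iocs.items():
            for value in values:
                if re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", line):
                    hits.append((line, key, value))
    return hits


def run_example():
    iocs, skipped = extract_iocs(SAMPLE_BUNDLE, NOW)
    return iocs, skipped, match_log_lines(SAMPLE_LOGS, iocs)


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The two practical points are the validity-window check, so that an expired indicator from a feed does not keep generating alerts, and the refusal to interpret patterns the parser does not understand; a production pipeline would use a full STIX pattern library and fetch the bundle from a TAXII collection over authenticated HTTPS rather than embedding it.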
Role of CISOs in simplifying technical jargon for stakeholders
Effectively communicating cyber risk and putting it into a wider business context can be an extremely challenging task for CISOs. Most CISOs come from a technical background with limited skills in driving business and culture, which requires the ability to communicate across all levels and domains within the organisation. However, they need to evolve and upskill so that security conversations can move away from alienating technical detail toward a simpler approach that all stakeholders can understand.
CISOs need an honest conversation with themselves – they must recognise their role in bridging the gap between security and the rest of the enterprise. CISOs have the power to build a security plan that works toward business goal effectiveness rather than one that just ticks boxes.
It is no longer enough for CISOs to say, “we are secure because we have this certification or comply with regulations.” These statements do not mean that processes are effective and keep the company secure.
Cybersecurity is a journey that must outline and show clear outcomes, impacts, and its role within the business’s environment and operations. Only in this way can all stakeholders understand security effectiveness and accountability, and ultimately make better decisions.
Including the workforce in the cybersecurity journey
Whilst CISOs are accountable for helping to move cybersecurity to the heart of the business and its processes, they can’t do it alone. Remember, cybersecurity isn’t just a journey for the security team but the entire organisation.
For too long, organisational leaders have had an “assume” mentality when it comes to cybersecurity: assume that the organisation is secure, and assume that the CISO knows what’s going on regarding security. CISOs need support.
Decentralising cybersecurity means implementing an operating model that works with the technology platform to clearly define all roles and responsibilities in securing the organisation. Cyber risks threaten the entire business; therefore, improving security must be a company-wide initiative.
To reinforce this, there should be a top-down approach to help instil accountability and ingrain security into the culture of the business. Senior teams, including the board and executive leadership team, must be responsible for implementing a strong security culture and following proper security measures.
Everyone in the business will be encouraged to think about cybersecurity if they have the right understanding and responsibilities. With more people on board, cybersecurity effectiveness will be much stronger.
If clear metrics are implemented, an organisation can quantify the outcomes and effectiveness of its processes. This requires a set of KPIs that demonstrate the ROI of security and allow the board and senior leadership to make more informed decisions.
Businesses that invest only in newer technology need to realise that better ROI also requires training the workforce to respond to potential attacks based on the data the technology provides. Organisations only realise the full potential of their security processes, and a strong ROI, when security is made everyone's concern and is ingrained into daily operations as part of the business process.
About the Author