Moving Cybersecurity Into the Heart of the Business

Cybersecurity into business

By Jason Hart

We have reached a point where cybersecurity is now accepted as a business critical process,  and organisations are spending more than ever before. However, despite their continued technology investments, organisations are still getting breached – which means they are not getting the most out of their cybersecurity spending. 

Cybersecurity tech is often bought with the best intentions, but most organisations are not effectively using their multiple security solutions and, as a result, they don’t see an ROI. 

Ultimately, it comes back to an issue of there being a major disconnect in cybersecurity being at the heart of business operating plans. Cybersecurity is an organisation-wide problem and can no longer be the sole responsibility of the IT and/or cybersecurty team. 

When cybersecurity is integral to business operating plans, it can scale as the business grows. Only by decentralising cybersecurity can organisations truly turn it into a business process. So, how does an organisation go about decentralising its cybersecurity? 

Making security part of daily business operations 

The key issue is that many organisations do not measure their cybersecurity effectiveness. This means ensuring the security stack is correctly integrated into the rest of the business and surrounded by the right processes. When security effectiveness is not measured, businesses cannot tell if their investments are having an impact. 

From a business operations perspective, cybersecurity is still the “new kid on the block.” Only in recent years has the cyber threat landscape necessitated a fresh look at how security works toward broader business goals. 

As mentioned before, cybersecurity is an organisation-wide problem. It cannot be seen as a niche technical issue which is dealt with by a siloed department hidden away from the rest of the company. The sheer financial cost of a breach alone means that all within the business can no longer afford to ignore their responsibility. 

To solve the issue, accountability is needed. Everyone in the business — from the boardroom and the executive leadership, down to the most junior member of the team — has a role and responsibility in ensuring cybersecurity effectiveness. There should be a willingness from non-technical executives and other stakeholders to take accountability for cybersecurity and understand the processes and plans in place. CISOs must recognise how security fits into the rest of the enterprise and communicate it effectively. 

Ultimately, there should be clear communication and understanding between all parties. Without it, cybersecurity will never truly become a core business process and the organisation’s bottom line won’t reflect the related lift.

For businesses looking to stay updated on emerging threats and collaborate on intelligence sharing, adopting the stix/taxii standards can provide a structured and trusted method of exchanging cyber threat information.

Role of CISOs in simplifying technical jargon for stakeholders 

Effectively communicating cyber risk and putting it into a wider business context can be an extremely challenging task for CISOs. Most CISOs come from a technical background with limited skills in driving business and culture, which requires the ability to communicate across all levels and domains within the organisation . However, they need to evolve and upskill so that security conversations can move away from the alienating and technical, and evolve toward a more simplified approach that all stakeholders can better understand. 

CISOs need an honest conversation with themselves – they must recognise their role in bridging the gap between security and the rest of the enterprise. CISOs have the power to build a security plan that works toward business goal  effectiveness rather than one that just ticks boxes. 

It is no longer enough for CISOs to say, “we are secure because we have this certification or comply with regulations.” These statements do not mean that processes are effective and keep the company secure. 

Cybersecurity is a journey that must outline and show clear outcomes, impacts, and its role within the business’s environment and operations. Only in this way can all stakeholders understand security effectiveness and accountability, and ultimately make better decisions. 

Including the workforce in the cybersecurity journey 

Whilst CISOs are accountable for helping to move cybersecurity to the heart of the business and its processes, they can’t do it alone. Remember, cybersecurity isn’t just a journey for the security team but the entire organisation. 

For too long, organisational leaders have had an “assume” mentality when it comes to cybersecurity: assume that the organisation is secure, and assume that the CISO knows what’s going on regarding security. CISOs need support. 

Decentralising cybersecurity means implementing an operating model that works with the technology platform to clearly define all roles and responsibilities in securing the organisation. Cyber risks threaten the entire business; therefore, improving security must be a company-wide initiative. 

To reinforce this, there should be a top-down approach to help instil accountability and ingrain security into the culture of the business. Senior teams, including the board and executive leadership team, must be responsible for implementing a strong security culture and following proper security measures. 

Everyone in the business will be encouraged to think about cybersecurity if they have the right understanding and responsibilities. With more people on board, cybersecurity effectiveness will be much stronger. 

If clear metrics are implemented, an organisation can quantify the outcomes and effectiveness of the processes. This requires a set of KPIs which demonstrates ROI around security and allows the board and senior leadership to make more informed decisions. 

Businesses that only invest in newer technology need to realise that to achieve better ROI, they must also train their workforce to respond and react to potential attacks based on the data that is being provided by the technology. Organisations can only benefit from the full potential of security processes and achieve strong ROI when security is made available for everyone and is ingrained into daily operations to form part of the business process.

About the Author

Jason Hart

Jason Hart is a former ethical hacker with nearly 30 years’ experience in the information security industry, where he has used his knowledge and expertise to found cybersecurity start-ups, craft visions and strategies, disrupt markets, and evangelize the methods and merits of strong security posture management. Over the course of his career, Jason has held senior positions within a number of organizations, including Thales, Gemalto, and Ernst & Young’s Information Security Assurance and Advisory Services practice. He also founded and was CEO of WhiteHat Security UK as well as CRYPTOCard, where he created the world’s leading Cloud Based Authentication Platform.

LEAVE A REPLY

Please enter your comment!
Please enter your name here