Cybersecurity is an arms race of innovation. Cybercriminal gangs continually discover new and more inventive ways to breach their victims' defenses while the security industry toils to find ground-breaking ways to detect and block the attacks.
Yet despite investing in the most recent innovative technology and services, firms still fall victim to incoming threats.
In most cases, the issue is not about ideas or intentions but how security is executed and operationalized. Even when an enterprise has invested in all the right tech, it will not make much difference if the business has not invested in security effectiveness. This means ensuring the security stack is correctly integrated into the rest of the business and underpinned by the right processes and operating model.
Solving this issue requires a decentralized approach to security so that cyber risk is owned and understood by all stakeholders, executives and employees—not just the CISO and their security team.
The Critical Barriers To Cybersecurity Effectiveness
Many firms are still not measuring their security effectiveness, which means they cannot tell if their investments are having an impact. This stems from security's status as the "new kid on the block." While it has become an increasingly critical business priority and has earned a place at the boardroom table, security isn't always linked to broader business goals in the same way areas like finance and sales are.
This disconnect was less of an issue when cyber could more comfortably be considered a niche technical issue, a siloed department away from the rest of the enterprise. But today, security is a responsibility of the entire organization. The fact that the average cost of a breach now exceeds $4 million means few organizations can afford to ignore their cyber responsibilities.
Tackling this significant business risk demands a shift in mindset throughout the organization, particularly at the top. The highly complex nature of cybersecurity means non-technical executives and other stakeholders will be happy to assume that the CISO has things well in hand; however, this erroneous assumption can often lead to the rest of the organization avoiding accountability for security.
CISOs usually come from highly technical backgrounds and possess a breadth and depth of cyber knowledge—but they may not have the broader experience needed to relate this expertise to business operations. It's common to find highly knowledgeable CISOs who struggle to communicate cyber risk and put it into a business context.
Cybersecurity effectiveness hinges on understanding flowing both ways. Alongside non-technical stakeholders getting a clear picture of cyber risk, CISOs also need to recognize how security fits into the rest of the enterprise. They must be able to clearly communicate how security activity is enabling core business operations.
So how do they reach this point?
Developing Skills And Building Strategies
CISOs need to upskill and evolve. This means moving away from their traditional focus on technical enablement and toward a simpler approach that non-technical stakeholders, company-wide, can better understand.
Making these changes requires self-reflection and honesty from CISOs about their skill sets and operating methods. They must recognize if their communication skills are bridging the gap between security and the wider business. Are they building a strategic plan that meshes with business priorities, or are they focusing on smaller, more easily solved tactical issues?
Developing a more strategic skill set will help CISOs operationalize security better. Cybersecurity is a journey that needs to map out outcomes, impact and the business' unique environment and operations.
Pursuing a tick-box approach is no longer enough. Simply putting measures in place to achieve regulatory compliance or cybersecurity certifications does not mean that these processes effectively keep the company secure.
Instead, cybersecurity effectiveness hinges on outcomes. Security must be a part of the business process, actively and measurably enabling business success. Once security is embedded in this way, all stakeholders will be able to understand security effectiveness and accountability just as readily as they do for mainstays like sales and finance.
For example, have you considered what business functions will suffer from the biggest impact if they are affected by a breach? How does this view align with different stakeholders? If there are differing thoughts, how can they be unified and addressed?
Once you have identified your highest-risk assets, what are your plans and preparations for an attack against them? Do you have the processes, reporting and communication in place to deal with a threat effectively and ensure long-term resilience?
A New Operating Model For Cybersecurity
Answering these questions requires an operating model that uses its technology platform to decentralize cybersecurity, turning complex data into something more digestible for stakeholders.
Because cyber risks threaten the entire business, improving security must be a company-wide responsibility. Everyone must be part of the cybersecurity process and aware of their role and responsibilities.
A top-down approach can help instill this sense of responsibility and bake security into the company culture without impacting the performance of core operations. Teams at the top, including the executive leadership team, can take accountability for each area, implementing and following the proper security measures.
Reinforcing this, the CISO must translate highly technical security issues into something the entire business can understand. This demands a robust set of KPIs for cybersecurity effectiveness, focusing on numbers that can be translated to the board and stakeholders to provide context. The right KPIs also make drawing a direct line between security targets and the wider organization’s business goals easier. This enables stakeholders to make more informed decisions about security investments.
Improving Cybersecurity Effectiveness Together