Written by Byron V. Acohido
The technology and best practices for treating cybersecurity as a business enabler rather than a nuisance cost center have long been readily available.
However, this is still a new concept for most companies. A report from Forrester Research highlights why acquiring and maintaining a robust cybersecurity posture is a competitive advantage.
Forrester's report provides a roadmap for CIOs, CISOs, and privacy directors to drive this transformation by weaving informed privacy and security practices into every aspect of their business. This ranges from physical and informational assets to customer experience and investment strategies.
We sat down with Forrester analyst Heidi Shey, lead author of the report, to discuss how this can work well and contribute to the overall greater good. The exchange below has been edited for clarity and length.
LW: This is not an easy shift. Can you describe the barriers and obstacles that companies might encounter?
Shey: A common barrier is framing and clearly articulating the values and objectives of cybersecurity and privacy programs. Traditionally, the internal focus has been on protecting systems and data at the lowest possible cost based on compliance requirements.
Compliance is important, but with this change we need to recognize that it is a floor rather than a ceiling when it comes to our approach. The difference is whether you build your program with your customers in mind and include these features. Here, you're trying to align your business and IT strategies and brand value to improve customer value. This is a key element in building trust within an organization.
LW: How can companies effectively measure the success of integrating cybersecurity and privacy into their operations?
Shey: This is an issue that requires a maturity assessment. By understanding the key competencies required for this type of change, organizations can better assess their current maturity level and identify capabilities that need to be strengthened to further improve. These key functions are categorized into four competencies: Oversight, Process Risk Management, Technology Risk Management, and People Risk Management.
For example, process risk management capabilities include how well an organization implements security and privacy in its customer-facing products and services, as well as its internal processes. It also covers the ability to extend security and privacy requirements to third-party partners and respond quickly and effectively to external questions from stakeholders such as customers, auditors, and regulators.
During this maturity assessment, you can begin to zero in on areas for improvement. If you currently perform certain activities in an ad hoc manner, establishing repeatable processes for them can help you move to the next level of maturity.
LW: Changing culture is very difficult. What should CIOs and CISOs expect after joining the company? What fundamental rethinking is needed?
Shey: First, reconsider your own relationships, especially the trust and empathy between your CIO and CISO. You need to be partners to drive this forward. When CIOs and CISOs operate in silos and do not have a common vision, goals, and values, broader organizational culture change becomes difficult.
LW: Some forward-thinking companies are going down this path, right? What have we learned from them? What are the rewards?
Shey: Yes. This goes back to the point I made earlier about the important consequences of building customer trust within an organization. Trustworthy organizations pay dividends. Our research and data on consumer trust prove this. Customers who trust your company are more likely to buy again, share their personal data, and take other revenue-generating actions.
Another benefit is that business partnerships will be strengthened. We operate today in a world where your business is a risk and how you adapt is an opportunity. Companies view doing business with you as a risk, whether they buy products or services or share data with you. The ability to comply with the security requirements of partners or B2B customers will be critical.
LW: What approach should small and medium-sized organizations take? What are the basic first steps?
Shey: As a first step, resist the urge to buy technology. You can't build on the foundation of something you haven't already built, so emphasize strategy and oversight of your cybersecurity and privacy program. Align with a control framework as a starting point.
This provides a common frame of reference for connecting policy, management, regulation, customer expectations, and business requirements. As your program matures, recognize that a Zero Trust approach can help you go beyond compliance.
Perform a comprehensive assessment of technology and information risks to determine what is most important to your business and identify appropriate practices and controls to address those risks.
Set clear goals, including a roadmap and milestones of core competencies to build on. Identify clear lines of responsibility to make it transparent who is responsible for what and how each person on your team contributes to the success of your program.
Byron V. Acohido, a Pulitzer Prize-winning business journalist, is dedicated to raising public awareness about how to make the Internet as private and secure as it should be.
April 1, 2024