For an organization to achieve its goals, all departments must work together and not in isolation. Unfortunately, Forrester reports that 97% of organizations believe there is a misalignment between cybersecurity priorities and business outcomes.
There are several reasons for this perception. In some cases, security features may be misunderstood and poorly communicated, or may not be properly owned and maintained. Because cybersecurity management typically intersects with other business functions, this can negatively impact an organization's ability to manage risk, control costs, and maintain business agility.
So how can cybersecurity leaders justify the business value of cybersecurity and improve alignment with business objectives? Here are five best practices to consider.
- Always put business first.
Security teams exist to serve the business, not the other way around. While it is true that modern businesses undergoing digital transformation should not ignore the importance of cybersecurity, it is also true that security leaders need to help business leaders understand and appreciate the value and benefits that cybersecurity capabilities can provide to their organizations. This requires empathy and the ability to see the world from a business perspective and express it in business terms. It also requires alignment of thought, effective stakeholder engagement, and collaboration so that security management always complements business objectives.
- From risk tolerance to risk balance.
Traditionally, a board of directors or supervisory committee determines an organization's risk tolerance or appetite. Security leaders must maintain that level of tolerance. However, tolerances are often subjective, and conflicts are likely to occur when applying them to current or planned business activities. A more realistic approach is to consider the level of risk exposure balanced against ongoing regulatory requirements, cost, and agility in terms of achieving business objectives. For this reason, security professionals must perform extensive scenario planning that allows enterprises to take a more balanced view of risk. Remember, not all risks are bad. Risks can create business opportunities if properly managed in collaboration with risk owners.
- Leverage corporate governance to support your value message.
Historically, security teams have faced the challenge of only being considered useful when an incident or crisis occurs. Because governance oversees the activities of the security function even in normal times, it can provide the board with a useful explanation of where the overall value lies. This is where the security leader's relationship-building skills come in handy. For example, an executive director can support security conversations and serve as a valuable spokesperson in aligning security activities with the business mission and objectives. Although security leaders may not have a seat at the table or the opportunity to contribute directly, advocates can help generate board discussion on topics related to network vulnerabilities.
- Increase efficiency and increase value.
Security teams must complement the speed of an organization's evolution with corresponding adaptations of security controls. Otherwise, waste and inefficiency can quickly build up and erode its value. Opportunities to improve security efficiency include:
- Business process reengineering: Thinking differently about the design of controls and processes, moving away from the concept of “this is how we've always done it,” can increase the efficiency of the security controls implemented in your organization.
- Automation: If the process is well understood, highly reproducible, and has low error rates, consider automating it whenever possible.
- Innovation: New technologies such as artificial intelligence and machine learning provide organizations with efficient ways to apply security controls.
- Develop your leadership skills and strengthen your security brand.
A strong brand and culture help define the identity of your security team and help business stakeholders recognize the value security brings to your organization. To gain a reputation for relevance, security professionals can apply the following leadership skills:
- Learn negotiation skills: Prioritize what is in the best interest of your business. Compromises often need to be made when it comes to risk tolerance and security issues. Don't hesitate to make short-term concessions, as they can lead to long-term gains.
- Improve your soft skills: Changing your personal style and approach, such as increasing your emotional intelligence and honing your communication skills, can change stakeholder perceptions and lead you to be seen as more approachable and amenable.
- Show positivity: Think and act proactively and strategically, demonstrating how security can support your strategy, increase revenue, and maintain profitability.
Security leaders must be recognized by their boardroom colleagues as a commercially viable, innovative, and well-resourced function that supports the organization's strategic ambitions and mediates the balance between business strategy and risk. Prioritizing the business, moving from risk tolerance to risk balance, and developing leadership skills will help security teams confidently present their value proposition and be better positioned to help achieve the organization's business objectives.
Steve Durbin, Chief Executive, Information Security Forum