The days of siloed departments and disconnected projects are over, especially where security and threat management are concerned. Anindya Chatterjee, CISSP, CCSP, discusses some considerations for bridging the gaps between cybersecurity teams and organizational leadership to improve communication and understanding.
In today's digital world, data security is no longer a closed-door, isolated function. The security team no longer serves only the immediate day-to-day organization and its supporting functions. The responsibilities of a security professional have expanded beyond corporate boundaries to affect individuals outside the organization (customers, suppliers and so on) as well. Every person is touched by security in one way or another.
When we as security professionals say that a recipient needs to be verified before a bank transfer or transaction can be made, people get it. When we state that clicking a link in an email without knowing its true destination is a risk, people get it. The reason is straightforward: most "not so techie" people know what a loss, scam or fraudulent transaction might mean for them. In short, they will lose their hard-earned money, their identity or even their privacy.
So, if the importance of security is so easy to understand, why is it so difficult to make organizations or leadership groups aware of the risk that a vulnerability might bring? Why is it so difficult to secure budget for a new technology or to expand the team? How do we address the understanding and awareness gap between security teams and leadership?
To Narrow a Gap
With reference to the previous scenario, the problem lies with us security professionals as well as with the leaders.
Traditionally, information security teams have been perceived as the department of "no". The function is seen as a hindrance to business rather than an enabler. This needs to change. If we are able to align the security strategy with the organization's wider strategy, then things will accelerate in a good way. Security teams need to forge relationships with people in the organization who can speak the language of business, in order to create or improve the perception of value from the security team. According to recent research, by 2028, 30% of a CISO's effectiveness will be directly measured by their ability to create value for the business. So, how do we create value?
This five-step approach will help every security team dealing with this challenge:
Define What Security Is
Most organizations have policies, processes and guidelines in place, but what is often missing is the vision statement. Have a vision statement defining what information security means for the organization, rather than focusing on individual functions or technologies. It should be a short, crisp and simple-to-understand vision of the security function that aligns with the business vision and objectives. This will enable every individual in the leadership and the security team to understand the objective and then see how to achieve it as part of the bigger picture.
Return on Capital Invested
Every security activity needs to have a defined ROI. Financial numbers make a big impact with organizational leaders. If they see that investing in a product or tool enables them to reach the market faster, provides a strategic advantage, delivers against their goals and positions them ahead of the competition, leadership will look at security as an investment rather than a cost centre.
Upgrade the Leadership, Thinking and Decision Making
The organization's leaders are usually industry experts, although not necessarily cybersecurity experts. They know how to secure investment, how to position the organization and so on. However, that is not sufficient in the digital economy, because the digital economy relies on data, a huge and dynamic resource. Data, and the threats to it, change much faster than the rest of the business. To keep up in a fast-moving economy, leaders need to be made aware of how things work and of their interdependencies: for instance, what impact a failure of a security measure might have, both financially and in terms of reputation. They also need to be made aware of the capabilities of a given technology that is important to the organization. This will enable cross-functional usage and help move the organization forward.
Define the Risk the Business is Ready to Take
Every business, based on its present market positioning or the data it handles, has a risk appetite. Defining it enables the security and business teams to select the right tools for the organization, avoid unnecessary spending on risks that already fall within the appetite, and focus on the controls that will enable the business to grow and flourish.
Visualization
The information security world is full of keywords, phrases and terminology that, although very important to us, hold no meaning for business leaders. If we use the same visualization of risk, impact and likelihood for our security peers and for organizational leadership, will the understanding be the same for both? The answer is no. It is important to have different levels and approaches to visualization for different teams. Security teams need to drill down into the security state of applications, networks, controls and so on, and take action. Leaders, on the other hand, may need a broader view of the organization's security posture, a comprehensive comparison against its competitors, and its alignment with industry and regulatory expectations.
These steps will enable leadership to know what the security teams are doing, how they are aligned and what to do next, thus bridging the gap.
Anindya Chatterjee, CISSP, CCSP, is a cybersecurity consultant with over 16 years of experience consulting with IT, telecoms, financial services and insurance organizations.