In Candy Alexander’s world, most technology and policy decisions boil down to the same key question: How does this align with strategic business objectives?
A member of Information Systems Security Association’s board of directors since 2002, Alexander successfully ran for ISSA president in 2017 after concluding that the not-for-profit association, which supports the career growth of security professionals through educational forums, publications and networking opportunities, lacked a business-oriented approach.
“In order for us to step up into the international arena… we really needed to start using business practices and methodologies,” said Alexander, who credits this strategy with helping ISSA stay profitable through an unpredictable 2020 in which the organization had to pivot its seminars and executive forums into virtual events due to COVID-19.
Click here for complete coverage of SC Media's 2020 Women in IT Security
The lack of business acumen that Alexander says was slowing down ISSA’s progress parallels the challenges facing many security leaders who fail to incorporate business needs into their technology implementation plans. “I still think a lot of us are getting it wrong,” said Alexander.
For this reason, Alexander tries to guide companies’ cyber strategies down a more business-aligned path via her independent consulting business and through her role as chief information security officer at NeuEon, an advisory firm created to help clients maximize their technical investments and optimize their operational performance.
Too often, security professionals develop their security budgets by identifying the tools and frameworks they want to have in place, without first considering the overall corporate vision, said Alexander.
But there’s a better way. For instance, Alexander recently asked the chief financial officer of one of her NeuEon clients – a high-end beauty care company – what the organization’s strategic goals were for the next five years. Among them was increasing direct-to-consumer sales. With that in mind, she created a risk profile for conducting more DTC business.
“Deepfakes, fraudulent products, financial risk in regards to credit card processing: so those are the things that the C-suite needs to know about and think about,” she said.
After conducting these analyses, Alexander next goes to “work with the technologists to decide what we can do to mitigate that risk, and then a budget is created,” she explains.
Alexander finds herself busier than ever these days. With COVID-19 requiring companies to adopt a work-from-home culture and more cloud-heavy IT infrastructure, Alexander believes this may be the golden age for virtual CISOs like her who offer “fractional CISO” services.
“We’re finding both companies that have a CISO or not are utilizing that lifeline,” she said, noting that it’s becoming “easier and [more] practical for companies to hire somebody on a retainer basis” and “just pull them in as needed” as an “executive-level security strategist.”
Prior to COVID, this vCISO strategy was typically more popular among smaller enterprises that couldn’t afford or attract a full-time CISO, said Alexander, but now larger enterprises also “are starting to see the value from a pure strategic standpoint, and it goes back to once again to that business alignment conversation.”
Alexander also attributes the cyber industry’s ever-widening cyber skills gap on a lack of business alignment.
“We have various initiatives that are all working to make it happen. But they’re very focused on filling the pipeline,” says Alexander. “It's not the sole fix. We're not looking at it from a root cause analysis perspective... It's about information security not knowing business.”
One possible solution, said Alexander, is looking at incorporating cyber into business schools’ lesson plans. “We've put a lot of focus in providing universities and college degree programs with solid cybersecurity curricula. But we didn't look at the business degree programs,” she said. “It's now time to start feeding cyber risk into those degree programs, so when we start talking about business risk, it's not just about financial risk… Now cyber risk is one of those things that are part of the curriculum.”