For an organization to achieve its goals, every department must work collectively and not in isolation. Unfortunately, Forrester reports that 97% of organizations believe there’s misalignment between cybersecurity priorities and business outcomes.
Several reasons account for this perception. Sometimes the security function is misunderstood and not well communicated, or it isn’t appropriately owned and maintained. This can have an adverse impact on an organization’s ability to manage risk, control costs and maintain business agility, since cybersecurity controls typically crisscross other business functions.
So how can cybersecurity leaders justify the business value of cybersecurity and improve alignment with business goals? Here are five best practices to consider:
- Always put the business first.
Security teams exist to serve the business and not the other way around. While it’s true that modern, digitally transformed businesses should not ignore the criticality of cybersecurity, it’s also true that security leaders need to help business leaders understand and appreciate the value and benefits that the cybersecurity function can offer the organization. This requires empathy and an ability to see the world from the perspective of the business and expressed in their terms. It also requires an alliance of mindsets, effective stakeholder engagement, and collaboration, ensuring that security controls always complement business objectives.
- Move from risk tolerance to risk balance.
Traditionally, the board or a supervisory committee determines an organization’s tolerance or appetite for risk. Security leaders must maintain that level of tolerance. However, tolerance is often subjective, which increases the chances for conflict when applying those tolerances to current or planned business activities. A more practical approach is to consider the level of risk exposure balanced against ongoing legal and regulatory requirements, cost, and agility in the context of meeting business objectives. This requires security practitioners to conduct extensive scenario planning that enables the business to see a more balanced view of risk. Remember, all risk isn’t bad. Risk can present a business opportunity, if managed appropriately and collaboratively with risk owners.
- Leverage corporate governance to support the value message.
For years, security teams have historically faced the challenge that they are only deemed useful when an incident or crisis occurs. As governance oversees the activities of security functions in peacetime as well, it can offer a useful narrative to the boardroom on where the total value exists. Here’s where a security leader’s relationship-building skills come in. For example, executive directors can serve as useful advocates in supporting the security conversation and aligning security activities to the missions and objectives of the business. Whereas security leaders may not have a seat at the table or direct opportunity to contribute, advocates can help generate boardroom discussions on topics related to network vulnerabilities.
- Drive efficiencies to enhance value.
Security teams must complement the speed at which the organization evolves with corresponding adaptations in security controls, otherwise waste and inefficiencies can quickly build and undermine their value. Opportunities for efficiency gains in security include:
- Business process re-engineering: By shifting away from the notion of “we’ve always done it this way” to thinking differently about the design of a control or process, it’s possible to drive efficiencies within the security controls implemented in the organization.
- Automation: When a process is well-understood and highly repeatable with a low error rate, consider automation where possible.
- Innovation: New technologies like artificial intelligence and machine learning can offer efficient ways of applying security controls to the organization.
- Hone leadership skills to strengthen the security brand.
A strong brand and culture will help define the security team’s identity and also enable business stakeholders to recognize the value that security brings to the organization. To earn a reputation for high relevancy, security practitioners can apply leadership skills from the following:
- Learn the art of negotiation: Favor what’s in the best interest of the business. It’s often necessary to compromise on risk tolerance and security matters. Don't hesitate to make short-term concessions, as they can lead to greater long-term gains.
- Improve soft skills: Changes in personal style and approach such as increasing emotional intelligence and refining communication skills, can alter stakeholder perceptions and result in leaders being regarded as more approachable and amenable.
- Show positivity: Think and act positively and strategically, demonstrate ways in which security can support strategy, increase revenue, and maintain profitability.
Security leaders want recognition by their boardroom peers as a division that’s commercially viable, innovative, supports the organization’s strategic ambitions, and has enough talent to broker a balance between business strategy and risk. Prioritizing the business, transitioning from risk tolerance to risk balance, and sharpening leadership skills will help security teams confidently showcase their value proposition and achieve greater effectiveness in fulfilling the organization's business goals.
Steve Durbin, chief executive, Information Security Forum