By now most CISOs understand that focusing your cybersecurity program on regulatory compliance is no longer sufficient. Meeting those requirements will always be a crucial part of cybersecurity — but only one part. Far too many other “unregulated” risks still abound.
Moreover, a cybersecurity program that focuses on compliance isn’t what the board should want from the CISO either. The board needs assurance that the organization’s cybersecurity program works effectively to help employees achieve business objectives, period. Regulatory compliance is one important part of that assurance, but it’s still only one part.
So CISOs have an opportunity to reorient their cybersecurity programs away from a focus on compliance, toward a focus on risk. The security program then becomes more of strategic advantage for the business, and the CISO becomes more of a strategic ally for the board and senior management.
Nifty idea. So how do we do that?
Start With Objectives and Risks
To adopt a risk-focused approach to cybersecurity, the CISO first needs to understand the organization’s strategic objectives.
Yes, compliance will always be one of those objectives, but consider some of the other objectives the organization has:
- Financial: How much revenue and profit does the firm want to achieve, and how quickly? What costs is the organization willing to accept or trying to control?
- Growth: How is the organization trying to grow: organically, or through acquisition? Where, physically, is the organization trying to grow? (Growth internationally poses a very different set of risks than growth in your home market.) Will that growth depends on any new products or services?
- Personnel: How will the organization use employees, contractors, or other third parties to achieve its goals? For example, will everyone work remotely forever, or return to the office by 2022? Will the mix of full-time and contract workers change over time?
Only when the CISO understands those strategic plans and objectives can you proceed to the next, more relevant question: How is the organization’s technology supposed to support those objectives?
For example, moving to cloud-based computing might help to contain costs and expand the hiring pool for personnel, since the company could allow employees to work remotely from anywhere. Stronger data analytics might help with market segmentation to develop new products or social media publicity campaigns. The company might scrap desktop PCs in favor of mobile devices. And, yes, better technology might help with more efficient regulatory compliance as well.
Understanding how technology supports the organization’s strategic objectives then lets the CISO ask the most relevant questions of all:
- What are the biggest risks to the use of those technologies?
- How do your cybersecurity controls and procedures work to keep those risks in check so that mission-critical processes can continue without disruption?
That’s how CISOs can adopt a risk-based focus to cybersecurity. Those two questions above can be the foundation for a risk assessment that considers all the security risks the organization faces. Regulatory compliance doesn’t fade in importance; instead, it becomes one of numerous concerns you need to address. Related: Cybersecurity Best Practices
Tie Together Risk, Security, and IT Governance
If the fundamental goal here is to safeguard your company’s IT assets so that employees can use those assets to pursue the organization’s objectives — that’s IT governance. Consider this formal definition of the term from Gartner:
IT governance is defined as the processes that assure the effective and efficient use of IT in enabling an organization to achieve its goals.
Cybersecurity has to play a central role in achieving IT governance. If the IT isn’t protected against threats, or if employees use it in a way that causes a compliance failure, those missteps hinder the organization’s ability to achieve its goals. So effective cybersecurity is crucial to IT governance, which is crucial to the organization’s overall success.
Yes, in a certain sense that’s always been true — but IT governance in the modern technology landscape is very different from the IT governance of 20 years ago, when the world was full of desktop PCs, rack servers in a spare closet, and ethernet cables.
The capabilities that are important for IT governance today are more along the lines of:
- Data security and data mapping
- Your ability to monitor network activity
- Provisioning and de-provisioning user access
- Security assessments for SaaS vendors your enterprise uses
Related: Risks You Need to Consider When Using SaaS Providers
So an important question to ask is simply: What’s getting in the way of effective IT governance?
A significant part of the answer is that compliance officers don’t have sufficient visibility into whether all the work of IT governance (the capabilities we mentioned above) is being performed consistently. That is, compliance officers don’t know whether the provisioning and de-provisioning of user access controls happens in a timely manner. They can’t tell whether data mapping is up to date or whether all SaaS providers in your enterprise have had security assessments completed.
What CISOs need, then, is the technology that allows them to drive better IT governance. That technology will have to accomplish two goals.
First, it will need to tie the risks you’ve identified (see our previous section about how to do that) to the policies, procedures, and controls you have in place. Or, if the risk you’ve identified ties to no controls, you know you have some remediation work to do.
Second, the technology will also need to assure that all those policies, procedures, and controls to protect IT assets are enforced consistently. And if they aren’t being enforced consistently, now you know that you have a problem that needs more of your attention.
Better Reporting to the Board
Shifting your cybersecurity program to focus on risks also has implications for what the CISO reports to the board or senior management.
One part of that report should still address compliance concerns, such as new regulatory compliance risks, mitigation work, or specific serious incidents. But focusing on risk also lets you talk more broadly about how well the security function is managing risks to the operation of IT assets. For example, select the IT assets that are most important to helping the company achieve its strategic objectives. Talk about the key security risks to those assets and the efforts you have underway to keep those risks in check. That’s a report that your board wants to hear.
This also means CISOs need to think about what new key risks should be included in their report. For example, you might want to review which mission-critical business processes depend on SaaS providers or outside technology vendors. You’d also want to discuss your ability to assess the security of those third parties or which ones have security assessments that remain incomplete and the state of your business continuity or disaster recovery plans.
Perhaps most importantly, your report should review efforts to bring your security program’s capabilities into alignment with the organization’s major strategic and operational risks — say, your ability to monitor network activity or to analyze IT usage activity for suspicious behavior and so forth. Those are the capabilities that let the security function support the business in today’s highly digital, highly regulated world. Your report to the board should demonstrate that you’re aware of that relationship and working to foster it.
The theme here is that your report shouldn’t simply recite the company’s regulatory compliance work. For most board members, most of the time, that’s minutiae that doesn’t need much of their attention. Foremost, your report should address how the security team is working to support business objectives by mitigating security risks that could jeopardize your use of technology.
That’s how the cybersecurity program becomes a stronger strategic asset to the business and your board — which is better for the data, better for the business, and, yes, better for the CISO too.
Monthly Newsletter