Why Are Security and Business Goals at Odds With Each Other?
By Joseph Carson
Few jobs right now are more challenging than that of a CISO. Constantly on call and under intense pressure, CISOs must keep critical systems running and sensitive data protected while also meeting a rapidly evolving list of regulatory demands.
Yet CISOs, along with their teams, do much more than act as the company ‘bodyguard’. They add significant business value by enabling the organization to grow and evolve safely, and by providing a route to real competitive advantage without compromising security. To do this, CISOs must be given the resources and budget they need to protect the business.
All too often, however, CISOs feel disconnected from the wider business goals and report difficulty in articulating their success to others in the organization. Closing that gap requires a “business-first” approach: communicating with non-IT professionals, such as the C-suite, in language that is jargon-free and business orientated, and making security decisions based on how they will affect the firm.
IT security disconnected
A recent study by Thycotic of more than 500 IT security decision makers, including 100 UK respondents, discovered that nearly half of respondents (44%) believed their organization had difficulty in connecting the dots between IT security initiatives and the wider business goals. This is perhaps unsurprising given that more than a third (35%) are unclear as to what these goals are.
The issue of poor visibility of goals is not a one-way street. Our research also shows that IT security teams can have difficulty in demonstrating the value of their work to others in the organization. Around four in 10 (39%) respondents admitted that they are unable to measure the effect that previous security initiatives have had on their business.
However, the ability to demonstrate success in terms of value to the business is exactly what a board needs to see if it is to make informed decisions about how much to invest in IT security. Nearly half of those surveyed (47%) said that the biggest influence on how the IT security budget is allocated is evidence of the success and ROI of previous security initiatives.
It is clear that communication can be a serious issue, with IT security teams often disconnected from the rest of the organization. This is understandable: the pressures of keeping an organization safe from cyber-criminals and malicious employees, keeping critical systems running and meeting regulatory demands mean that cybersecurity teams are often over-stretched.
In our survey, more than a third of respondents (36%) said that they had little idea of how other departments measured success, while around the same number (38%) said that business goals are not communicated to them. This is clearly bad news not only for IT security, but for the organization as a whole.
Reconnecting with the rest of the business
The change must come from within; by taking a “business first” approach, CISOs can demonstrate their value to the wider organization. To achieve this, CISOs first need to take the time to listen to the priorities of others in the business and to learn what those colleagues consider to be measures of success. By doing this, they will be able to demonstrate how the technology they are implementing not only makes the organization more secure, but also helps others meet their goals.
How the IT security team achieves this needs to be communicated to others within the organization so that they can recognize the value the department brings. This starts with the CISO being able to explain clearly to the board, in language it understands, what the department is doing to protect the revenue of the company – in effect becoming the “Chief Revenue Protection Officer”. They should avoid “vanity metrics” such as the number of vulnerabilities patched or threats blocked: such counts confuse non-technical colleagues and say nothing about how much risk to the business was actually removed.
By taking this “business first” approach CISOs will be able to get board buy-in for further security improvements and initiatives.
To get broader support from colleagues, a company-wide IT security program should be implemented to foster awareness of what is being done to tackle key security issues. This includes appointing “Cyber Ambassadors” who can turn technical jargon into plain English and inform others of the security team’s goals, as well as building organization-wide co-operation so that suspicious activity, such as phishing attempts, is reported early.
Ultimately, great cybersecurity is reliant on great communication. This is necessary not only to let colleagues know about potential risks, but also to ensure that security teams are empowered with the right resources to protect the business.