By Candy Alexander, CISSP, CISM, NeuEon Cyber Risk Leadership Practice Lead & CISO
As we reach the end of National Cybersecurity Awareness Month, we’re reflecting on the inspiring discussions we’ve had with other cybersecurity leaders — and realizing that, while we talk a lot about business alignment, few of us have fully achieved it. Instead, we’re hyper-focused on technology, because that’s the language we speak! We usually have a high-level understanding of business strategy and goals but don’t consistently use it to directly inform cyber planning. The result? We can’t trace technical needs to business strategy or benefits, and execs are compelled to make investment decisions based on instinct and their confidence in our guidance.
Without business alignment, we are doing cybersecurity wrong. Our business leaders need our expertise to understand cyber business risks, present strategic options based on total costs, and implement solutions. It seems, however, that many of us jump straight to tactical implementations, omitting the alignment of cyber risk to business strategy. And this omission has left some very important conversations off the table.
To right this wrong, we must shift our conversations with the business, keeping in mind that, at its core, a successful cybersecurity program is about three key components:
- Applying basic security measures — the things we have to do to keep our organization safe from the common threats every business is exposed to;
- Understanding the business strategy and defining potential inherent risks associated with each strategic objective; and
- Identifying and implementing security measures to reduce, mitigate, or transfer those risks.
To add the most business value, we need to create a foundation of cyber-business alignment across these activities. And if we put all our efforts toward basic security measures and fail to prioritize business alignment, we’re doing it wrong — and probably wasting resources on work that doesn’t directly impact business strategy.
The Time for Cyber-Business Alignment is Now
We’re living through a time in which cybersecurity demands have escalated rapidly, and it has been challenging to stay ahead of the curve. This makes cyber-business alignment more critical than ever. Strong alignment enables organizations to make wise cyber investments, optimize constrained resources, make progress on strategic goals, and manage business risk. And while cyber-business alignment will look and feel different in each organization, we see a few defining characteristics:
- Cyber leaders play a key role in strategic planning.
In a cyber-business aligned program, CISOs and CIOs are actively involved throughout business strategy development and budgeting cycles across business units, providing input and sparking discussions. This involvement is not an annual or bi-annual activity — it’s an on-going conversation integrated into the organization’s planning processes. Cyber leaders are true partners and strategic advisors to all areas of the business.
As a result, cyber leaders gain a deeper understanding of business strategy and goals, and business leaders begin to understand how cyber risks may affect their decisions. Ongoing collaboration builds an environment of transparency, communication, and trust. And when that takes root, business and cyber leaders find it much easier to stay in alignment and provide faster responses to business needs in a more risk-averse way.
- Cyber leaders use cyber-business risk analysis as an essential tool.
As leadership teams develop and evolve the business strategy, cybersecurity strategists and leaders focus on cyber risk, identifying potential cyber threats related to each strategic objective and describing the potential business implications. They define options and costs for removing, mitigating, or transferring risks to other parties. And they probe to learn which risks the organization is willing to accept.
This enables cybersecurity leaders to develop cyber risk profiles for each component of the business strategy, describing potential cyber risk in business terms, suggesting mitigation efforts, and providing high-level investment projections. Executives then have the information they need to make wise investment decisions, for example, buying certain technologies or services, with an understanding of where the money is going and why.
- Business strategy and risk analysis drive cybersecurity planning.
In an organization that has achieved cyber-business alignment, cyber leaders fully understand business strategy. They’ve discussed cyber risks and ways to manage them with their executives. They’ve developed cyber risk profiles. And they use this information as the foundation for creating their cybersecurity roadmaps.
The benefits are clear: Cybersecurity efforts can be directly traced to business objectives and risks. Initiatives that don’t support business needs or are not part of the “business as usual” safeguards are lowered in priority or reduced in scope. Operational teams are able to create sound cybersecurity implementation plans that target the most important business needs. And it’s easier for cyber leaders to quantify how their work delivers business value and reduces business risk — all of which supports the ROI that cyber professionals have attempted to demonstrate over the years without much success.
This is what cyber-business alignment looks like and the benefits it delivers to the organization. And this is what we should all aspire to if we want to provide the most value to the business.
Three Steps to Align the Cyber-Business Conversation
As a CISO, CIO or other cyber leader, you can begin making progress toward achieving cyber-business alignment today. Founded on our experience working with top-level executives and security leaders, here are our top three recommendations for accelerating the creation of a strong, business-aligned cybersecurity program in your organization.
- Step up, get involved, and lead.
Ideally, you want a seat at the leadership table across business units when strategy and budget planning is happening. But it’s not that simple — because being invited to the table doesn’t mean others will understand the technology conversation. So, when you do have a seat, it’s critical that you’ve internalized how technology and risk reduction can support the organization in achieving its business goals, and that you listen and learn in order to gain a clear understanding of the business direction and the plan to get there.
If you need help getting that seat at the table, identify people to advocate for you. This may be a CFO or a CTO — or another leader who has a specific interest in cybersecurity and understands its importance. It could be a high-level executive or a few business unit leaders that get what you do. Build trusted relationships, share your opinions and goals, and, ultimately, your champions may hold the key that gets you in the door.
Most importantly, don’t wait for that seat to provide your expertise! Find out how strategy is evolving, so you can provide guidance before the business asks. Ask leaders questions, like: What are the top three things our organization is focused on in the next fiscal year? Where does our organization foresee our biggest investments in the next three years? Provide guidance on the potential cyber risks to the strategy and options for mitigating them. You might also ask to be invited to certain meetings in which you think your expertise could be helpful. Or you could bring small business groups together to share the latest cyber developments — with a business spin, of course. Use your voice to demonstrate how you can add value to the business instead of being the “department of no.” Your business partners will appreciate the effort and begin to look to you for advice in advance of making business decisions.
- (Deeply) Own your role in driving cyber-business alignment.
Whether you have a seat at the table or not, it’s time to step up and own your responsibility for understanding the business objectives and how they may introduce cyber risk. And then (and here’s the important part), be able to convey, in business terms, the cyber risk as it relates to the business objectives and the options to avoid or lessen that risk. Don’t jump directly to tactical solutions. Don’t skip the conversations with business leaders about risk decisions. Those conversations give them the information they need to decide what action to take on the risk. They own that responsibility.
Participate in the full planning cycle leveraging the cyber-business alignment practices described above. Let’s say your organization wants to shift the business strategy to a direct-to-consumer (DTC) model. You would use the DTC business strategy to create a cyber risk profile, which would outline:
- The strategic business risks, for example, the potential for increased PCI DSS scope, fraudulent orders, and reputational damage caused by a consumer data breach. This is what the business needs to understand from a risk perspective.
- The anticipated impact on resources, for example, increased spend on PCI DSS compliance, investment in anti-fraud technology, costs for increased protection of customer data to meet CCPA and GDPR requirements, increased spend for cyber insurance, and potentially the need for additional people to support new investments.
You would use the cyber risk profile to have conversations with business leaders that drive mutual understanding and cyber-business alignment. Keep in mind that discussions should be high-level and always tied back to business strategy. Execs don’t need to know what specific anti-fraud technologies you’re using, unless they’re interested. So, don’t start the conversation with details — it’s strategy first, then tactics if they ask — and only when they ask.
In general, stop leading with tech-speak. Learn to lead with terms that resonate with business partners, and they will pay attention. Start with business context and needs, and only bring in technology recommendations after you understand what’s most important to the business. Practice how to clearly articulate the business perspective and coach your teams to do the same. Develop this business-first mindset and promote it through all technical groups. Remember, technology is meant to support the business, and not usually to BE the business!
- Measure cyber-business alignment to baseline, benchmark, and improve.
Gaining transparency into the alignment of your cybersecurity efforts with business strategy is difficult, but powerful. Many cybersecurity frameworks, like the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, emphasize the importance of using business drivers to guide cybersecurity activities and consider cyber risk. However, if you subscribe strictly to them, you’re likely missing business alignment and jumping straight into technical and operational activities. For example, when an assessor measures the effectiveness of your program, he or she will probably use the NIST SP800-53 framework and its 965 security controls, which is missing the business end of the conversation. In all fairness to NIST, the framework was created for the United States Federal Government’s information systems and organizations, not for business. The same thing can be said of the International Standards Organization’s ISO/IEC 27000 cybersecurity framework.
To enable the measurement of a cybersecurity program’s alignment with the business, we must look to other models. There are some out there. Unfortunately, however, they’re not well known or understood. But they can be useful tools to evaluate what’s most important for your business to measure and, one could argue, adopting their practices can save the organization valuable resources, in the forms of money, time, and support.
At NeuEon, we plan to lead the charge for cyber-business alignment. We’ve developed a unique assessment tool — the Cybersecurity Business Alignment Radar — which measures the business alignment of an organization’s cybersecurity capabilities. It creates a view across five business dimensions using components of NIST’s Program Review for Information Security Assistance (PRISMA) model.
As we’ve used the radar with clients, we’ve aggregated data to form baseline measurements that provide a better understanding of the current state of cyber-business alignment across companies and industries. In reviewing the data, it’s not surprising that organizations score higher in the domains of regulatory compliance and security awareness than they do in areas involving cybersecurity in the business, program review committees to review corporate investment initiatives, or participation in corporate governance processes. Where do you think your organization stands?
Bottom line, in our efforts to protect our organizations, many of us have been focused on managing the details and adhering to implementation frameworks and compliance checklists. It’s time for us to lift our heads up, gain a seat at the table, and begin having conversations to help us understand the business — so we can better align our efforts to support it.
Reach out if you’d like to learn more about how to establish a baseline measurement of cyber-business alignment in your organization and benchmark your performance against other businesses.
Candy Alexander, CISSP, CISM, is a leader in the field of cybersecurity leadership, an experienced CISO, and NeuEon’s Cyber Risk Leadership Practice Lead. She is International President of the Information Systems Security Association (ISSA), a long-time Director on the ISSA board, and an ISSA Distinguished Fellow.