[BreachExchange] Link Cybersecurity to Business Outcomes

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 15 20:21:26 EDT 2017


http://cio.economictimes.indiatimes.com/tech-talk/link-cybersecurity-to-business-outcomes/2421

Cybersecurity is no longer just an IT problem.

As digital business evolves to include ecosystems and the open digital
world, cybersecurity needs to evolve from a back-office “IT” problem to an
enterprise-wide business consideration. These digital business needs will be
supported by technologies, and the CIO will be responsible for implementing
those technologies, as well as communicating to the executive team that
security must be treated just like any other risk-based discipline in the
business. After all, actions like securing externally owned infrastructure
and establishing digital trust with customers are tied to both cybersecurity
and corporate performance.

Business value is the best lens for CIOs to appropriately manage technology
risk and cybersecurity. CIOs engaging their peer executives to better
understand the business value of IT will have more rigor and defensibility
when their business case is tied to corporate performance dependencies on
technology.

There is no such thing as perfect protection
IT professionals know there is no risk-free security. Unfortunately,
executives think that with enough money and staff, IT can create a
risk-free security setup. In the inevitable event of a hack or data breach,
the blame falls squarely on the IT professionals. CIOs need to share the
narrative that appropriate levels of security balance the need to protect
with the need to run the business. This will enable more manageable
expectations and turn risk and security into a business function.

Failure to assess the risks of a specific technology is parallel to
business risk failures, such as a failure to complete due diligence during
a merger.

In the day-to-day of business, executives often make risk-based decisions.
CIOs need to get executives to expand their understanding and appetite for
risk to include technologies that now support business endeavors. CIOs
should frame the risk in the context of how it affects the business
outcome. Once business outcomes dependent on technology are considered at
risk, business and IT leaders can decide if the risk is acceptable or if
another option is needed.

People are a security problem and can be a solution
It’s well known that people are the biggest security risk, but they can
also be a security asset. In the digital world, there has been a
huge influx of technology and of employee access to options such as mobile
devices with company email. Old security techniques, including centralized
control with mouse pads and posters bearing security catchphrases, are no
longer efficient or sufficient means of managing security. The new approach
must be designed to directly influence behavior. People are just as vital to
success and failure in security as they are to risk and failure in the
business. CIOs need to create a people-centric approach to security that
shapes behavior.

Act on security, don’t just talk
Most risk-assessment programs are very good at appraising risks, writing
reports and surveying executives, but these reports rarely influence actual
decisions and, as such, have little impact on risk.

Ensure that these risk assessments are simple and to the point, and deliver
just enough information and defensibility to support specific decision
making on a particular project. Develop a dashboard of leading technology
indicators linked to business outcomes. By mapping business outcomes to
technology dependencies, CIOs will be able to identify the five to nine
metrics that demonstrate both the business value of IT and the current
status of risk and security to executives and the board of directors. These
metrics will link effective technology measures to business outcomes to
improve corporate performance.