How CISO’s Manage Cybersecurity as a Business Function


How CISO’s Manage Cybersecurity as a Business Function
November 14th, 2019

In order to effectively allocate resources, track improvements to security posture overtime and achieve security and risk objectives,  security leadership must run cybersecurity as a business function. This sounds simple, but in practice, managing the business of security and risk presents many challenges. Many CISOs are stuck on an endless hamster wheel of time-consuming and inefficient processes, relying upon disparate and incompatible tools to provide limited visibility into the whole program. 

It is critical that we improve upon this process in order to foster thoughtful and meaningful dialogs and to drive better security and risk outcomes for the enterprise.

ARE WE ASKING THE RIGHT QUESTIONS? AND CAN WE ANSWER THEM?

Often, as I work with security leaders, their first challenge is to set the right objectives and ask the right questions to measure success: 

  • What is the most effective way I can use my limited budget and resources to get our organization to a mature state?
  • How is my program performing against the planned budget? 
  • Are my current tools providing adequate control coverage?
  • How can I prioritize my resources and capital investments to achieve security & risk objectives? 
  • How do I align the security program to key business objectives, and demonstrate this alignment to non-technical executives?  

TO BE AN EFFECTIVE SECURITY LEADER, YOU MUST LEAD WITH A BUSINESS CONVERSATION

Leading an effective and meaningful executive dialog requires metrics and measurements that translate technical jargon into understandable and measurable business outcomes. When presenting to executive audiences, topics such as these will help to drive understanding between the technical activities your team undertakes and the business outcomes the organization receives.  

Here is a sample of topics you might consider presenting to non-technical executive audiences:

  • Overview of the organization’s security & risk posture
      • Explain how the business and key drivers of the business model connect with cyber and privacy risks.
      • Discuss the organization’s current posture and desired state
  • Present hot or emerging topic areas
      • Discuss how these topics do or do not impact your organization’s objectives.
      • Explain how the security organization is addressing these emerging areas.
  • Present data and trends that support your discussion topics
    • Assessments and frameworks – how are we managing the program?
    • Controls and participation – What are we doing to address key risk areas? Is it working? 
    • Budget and performance – What are the costs? Are we on track? 
    • Timelines – How long will it take and what resources are required to get us to our desired state?
    • Gaps and corrections – Where are we slipping? What changes could we make to optimize the program? 

“As a leader that has built several security programs the one constant challenge has been to objectively measure and manage the progress of the program over time. I joined the Trustmapp advisory board because I believe they are solving a real need around managing security as a true business program that will allow CISOs to focus on the right risks and demonstrate measurable progress to the board of directors towards an established set of goals. There are many new progressive technologies to  advise on but I chose TrustMAPP because I want to be a part of establishing a “ERP” like capability for security leaders similar to how P&L functions run their business.”  – Jason Lish, CISO of Advisor Group

THE COMPLEXITY OF SECURITY PROGRAMS MAKES PLANNING DIFFICULT

Preparing the materials for the agenda above can be a tall order if the data isn’t centrally located. For many security leaders, this is the case and it’s a challenge that can be solved with the right security performance management solution. By centralizing the entire security performance management program into a single tool, you can achieve the necessary visibility and insights you have been missing.

Conclusion & Next Steps:

Every organization will face more threats and risks than their budget can handle. With a centralized security performance management process, enabled by effective technology, you will be able to:

  • Prioritize projects, vendors and investments
  • Build the narrative to explain why investments are required
  • Demonstrate the performance of current investments
  • Easily evaluate numerous options and select the best plan that fits your budget and aligns with your objectives.

To learn more about implementing a security performance management solution, contact TrustMAPP.