Most CEOs will tell you security is an important aspect of their business operations. But too often, what’s deemed important by management doesn’t always translate into real priorities. We’ve seen too many cybersecurity teams stretched thin on staffing, overworked, and improperly aligned with the rest of the organization. This leaves companies vulnerable to cybersecurity threats, huge losses, and bad PR.
Recently, CyberSN Founder and CEO Deidre Diamond spoke with Dan Blum, Cybersecurity Strategist and Author of the book, “Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment,” about this pervasive problem. Cybersecurity operations are complex, but the solution to better security is simple; companies must align business processes with cybersecurity operations.
Hear the discussion. Watch “Hire, Motivate, and Manage a Business-Aligned Cybersecurity Team.”
What is Cybersecurity-Business Alignment?
Blum, who has years of experience in the corporate security field at organizations like the Burton Group, Inc., and Gartner, defines cybersecurity-business alignment as:
“A state of agreement or cooperation between persons or organizations with a common security interest. It is enabled through security governance structures, processes, communication skills, and relationships that engage the business. When in a state of alignment, all business leaders, staff, and business-related processes act in accordance with clear roles and responsibilities to support the security program and strategy.”
In other words, alignment happens when cybersecurity is fully integrated into company operations, all employees understand the importance of security, and chief information security officers have input when important decisions are made. It also means funding cybersecurity teams and technology to allow them to do their job and do it well.
Unfortunately, many companies understaff their cybersecurity teams or silo them away from important projects and decision-making meetings. Management may understand that cybersecurity is a vital aspect of business but they are not clear on the investment required to do cybersecurity right. According to Blum, only 44% of boards of directors consider cybersecurity to be strategic. If more than half of directors say that cybersecurity is less important than other aspects of the business, then it will be nearly impossible for CISOs to get the resources they need.
“They may think they are funding it adequately but they are not giving it the attention required to make sure the work that’s being done is really fitting the business needs,” said Blum.
Misalignment Causes Problems
Corporate leaders want to run lean in hopes of maximizing profits, but as Diamond points out, the number one problem facing cybersecurity teams is the lack of budget to properly staff. The result is a cybersecurity team that feels stressed out, burned out, and has trouble disconnecting at the end of the work day. It also causes high turnover, putting more pressure on the team and more work on managers to fill an already hard-to-fill role.
This is especially troublesome in the CISO position. Most CISOs remain in the job less than three years. Considering how difficult these leaders are to replace and that it takes about six months for a new CISO to fully know a company’s security operations before even implementing a program, losing your CISO should be part of your risk prevention strategy.
After conducting more than 70 interviews of corporate security professionals, Blum learned that security breaches are often predictable when cybersecurity operations are not aligned. When a CISO is denied funding for security measures, it leaves companies vulnerable. Having a skeleton staff leaves the security operations in disarray. Poor integration into the rest of the company can lead to hundreds of millions of dollars in costs and ultimately the company’s top leaders stepping down.
What Does a Well-Aligned Security Program Look Like?
“The biggest problem that companies have is a lack of a definition of security that fits their business,” said Blum. Management must define how security applies to their business strategy, their vertical industry, the culture, mission and mandate of business, as well as what oversight of that security means, said Blum. Security is part of how companies do business in a digital environment and should be treated as such.
Here are some steps companies can take to ensure a well-aligned security program:
- Define what security to your company
- Have active executive oversight
- Clarify security roles
- Engage stakeholders
- Collaboratively developed IT/security standards
- Create DevSecOps and disciplined agile teams
- Training and communication for security-aware users
- Make security frictionless
Diamond emphasized how clearly defined cybersecurity roles is a major gap she’s seen in cybersecurity staffing. Roles that are poorly defined make it harder to recruit, but also make it more difficult to define accountability. These problems lead to dysfunctional teams and hinder retention. Companies also need to bake hiring and retention into the job description and responsibilities of managers, she said. Finding cybersecurity professionals takes work and time, as does investing in the relationship-building efforts and EQ training required for keeping those employees. Documenting it as part of the job shows that the company takes cyber staffing seriously.
Alignment Starts at the Top
How can teams make security as seamless as possible? It’s a question managers and executives should be asking regularly and work collaboratively throughout the organization to achieve. Enacting cybersecurity-business alignment can shed light on potential problems earlier in the process and open the door to new ideas and innovation.
“Through alignment you can release a lot of untapped potential,” said Blum. “Look for progress not perfection. Making some progress is really going to move the needle but it happens with the team. It’s a team sport.”