
Aligning objectives: the business vs cyber-security

Joseph Carson at Delinea explains how to transform cyber-security to become business security 

 

Cyber-security can play a fundamental part in helping organisations to grow, succeed, and build a strong competitive advantage. Its function has evolved beyond that of safeguarding and protecting the company - keeping networks and data secure - to enabling and facilitating the achievement of an organisation’s business objectives.

 

However, many businesses may be missing opportunities as they fail to recognise the role of cyber-security in achieving these wider goals. For both the company’s board and security leaders this expansion in purpose to ‘business enablement’ requires innovative approaches and new ways of measuring and demonstrating the value of cyber-security.

 

To better understand these challenges, we surveyed 2000 security leaders from around the world to assess the level of perceived alignment between cyber-security departments and the business. We also investigated the skill sets of security leaders in areas such as communications and business acumen, as well as the organisational structures currently in place and the metrics used to demonstrate the value of success.

 

The findings provide an insight not only into where organisations are currently struggling but also how cyber-security leaders can seize the opportunity to make a more significant contribution to the success of the company and evolve from company ‘gatekeepers’ to business enablers. 

 

The pitfalls of misalignment 

First and foremost, we found that 61% of IT security decision makers think leadership overlooks the role of cyber-security in business success, whilst less than half feel that their cyber-security goals are extremely aligned with their broader business goals.

 

This disconnect appears to pose significant risks, as 87% of respondents in the UK reported it has caused at least one negative impact on their company’s cyber-security in the past year: from an increase in successful attacks (21%), to delayed investment (37%), lack of budget allocation (35%), or unnecessary spending (20%).

 

Perhaps unsurprisingly, the misalignment also impacted the well-being of the security team with nearly a third of all respondents (30%) reporting increased levels of stress. 

 

The present economic climate has exacerbated teams’ challenges, with 51% stating that aligning cyber-security and broader business goals is becoming more difficult to achieve as a result.

 

Bridging the gap between cyber-security and business

Despite this misalignment having tangible effects, it is not all gloom and doom. There are several strategies that companies and cyber-security leaders can adopt to ensure security teams are engrained as “enablers” in business processes.

 

Running effective meetings, based on clear processes. Contrary to conventional wisdom, alignment does not necessarily require frequent face-to-face meetings. Rather, it is achieved when teams interact with each other on an ongoing basis to enhance mutual understanding, and when they share common goals, and collectively measure success.  

 

Although 55% of UK respondents reported that business and cyber-security teams meet regularly to make decisions and assess progress, and that cyber-security team members are embedded within different business functions, less than half (48%) said they have a documented process for alignment, and in almost one third of cases (32%) alignment happens on an ad-hoc basis, only “when needed.”

 

Developing skills.  Increasingly, CISOs must be business strategists with the ability to influence the board and drive their agenda forward. However, as their focus has always been on security issues, they should consider acquiring and developing skills in areas like communications, managing or de-escalating stressful situations and making a business case to effectively align with their business counterparts.

 

That said, it may be hard to find the perfect blend in one person, and cyber-security leaders should also consider bringing in talent from non-traditional backgrounds to work with their teams.

 

Revisiting reporting structures. Aligning goals also involves reviewing reporting lines and accountability to reflect the strategic importance of cyber-security. The research revealed that around 35% of UK respondents currently report to the CIO and 23% report to the CEO.

 

However, there is no one-size-fits-all approach and it’s important that reporting lines are structured according to each organisation’s needs.

 

For example, reporting to the CEO makes the company security posture visible at board level and can facilitate securing additional budget, while a direct line report to the CIO ensures that IT security is fully integrated into the organisation’s IT strategy and that the security of the organisation’s IT systems is addressed promptly and effectively. 

 

Alignment between business and security goals

Notably, our research revealed that the success of cyber-security programmes is still largely evaluated based on technical or activity-based metrics, such as the number of prevented or contained attacks.

 

While these are important measures of the effectiveness of security controls, cyber-security leaders can improve alignment with clear and measurable goals linked to the organisation’s business success, such as: 

  • Risk management metrics: These evaluate the effectiveness of identifying and mitigating cyber-security risks, considering the frequency of incidents and response times.
  • Compliance metrics: These track the company’s ability to adhere to regulatory and industry compliance standards for cyber-security.
  • Business continuity metrics: These assess the capability to maintain operations during a cyber-security incident, including downtime duration and recovery time.
  • Cost metrics: These track the cost of implementing and maintaining cyber-security measures relative to the overall budget.
  • Productivity metrics: These measure the efficiency of onboarding new employees or vendors, including providing necessary resources and access.

These metrics clearly demonstrate the impact cyber-security has on business outcomes and ensure the company’s leadership is fully invested in the security team’s work. 

 

Cyber-security has a critical role to play in business enablement. Nonetheless, it’s essential that everyone has a shared understanding of the benchmarks for success. This will reap huge dividends, not only in improving the resilience of the business, but also ensuring it can truly thrive. 

 


 

Joseph Carson is Chief Security Scientist at Delinea

 

Main image courtesy of iStockPhoto.com



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543