As operational and security risks converge in the enterprise, the role of the chief information security officer (CISO) is evolving and expanding. Today’s CISO is seated closer to the executive function than ever before, and tasked with educating executives on enterprise security.
According to a recent white paper from RSA, 82 percent of CISOs believe their executive leadership is on board with the security team’s efforts to protect the network and data. As security risks become increasingly intertwined with business risks, it’s no wonder the executive board is starting to catch on to the criticality of data security.
How to Build Two-Way Channels Between Security and the C-Suite
While the C-suite has become more aware of the importance of a security function, recent studies have shown that security is navigating complex cultural barriers between technology departments and the boardroom. Seventy percent of CISOs reported that managing the relationship between security and risk leaders can be difficult, according to the RSA white paper. This difficulty is attributed to a lack of shared technology, language, metrics and goals.
To effectively collaborate on a framework for enterprise risk management, CISOs must establish a common network of terminology, tools and shared success measures. While the rapidly expanding role of the CISO is an uncomfortable position for many of today’s security leaders, navigating communication barriers is key to mitigating security risks.
Don’t Overestimate Cybersecurity Preparedness
According to an IBM Institute for Business Value study titled “Securing the C-Suite,” 94 percent of chief executives believe their organization will probably experience a security incident in the next two years. While awareness is growing among business leaders, nearly half of surveyed executives had an overconfident view of enterprise security posture. While 65 percent of these executives are highly confident that their security response plans are well-established, just 17 percent of enterprises met the study criteria for a well-defined and implemented cybersecurity function.
At the most prepared enterprises, the executive function takes an active role in security risk mitigation through cross-functional collaboration, an empowered CISO and defined external collaboration efforts. The significant gap between the C-suite’s perception and reality underlines the importance of cross-functional collaboration between CISOs and business leadership. With nearly half of executives displaying overconfidence, there’s a clear need to improve security risk awareness in the boardroom.
5 Steps to Collaboratively Address Security Risks
While the CISO’s role is more important than ever, many enterprises have significant room to improve alignment between security and leadership. Unfortunately, it is mostly up to the CISO to ease cultural tensions and improve mutual understanding to establish effective cross-functional collaboration before security incidents arise. Let’s take a look at five steps security leaders can take to work more effectively with top management.
1. Collaborate Earlier
Proactive collaboration between business and risk can enhance cyber-preparedness. Forty-seven percent of CISOs believe exposing business risk leaders to IT initiatives earlier in the process can help the team more accurately assess the business risk of technology initiatives.
Federal Reserve CISO Devon Bryan told the Management Information Systems Training Institute (MISTI) that today’s security leaders need to “prioritize partnerships with business units” immediately.
“CISOs need to partner to ensure customer needs and expectations are met and go-to-market strategies are supported,” he said.
Productive collaboration in the boardroom requires security leaders to actively build relationships, pursue dialog, and make sure business leaders thoroughly understand security goals and strategies.
2. Create Shared Definitions
While today’s CISOs are well-versed in the language of security practices, such as patching cadence, many lack formal knowledge of business risk assessment. Similarly, chief risk officers and other executives are well-versed in business risk language, such as impact and likelihood, but lack insight into the complex technical aspects of the network.
Creating a shared taxonomy using definitions from the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) is a good first step toward clearly defining security and business leaders’ goals and priorities when it comes to managing enterprise security risks.
3. Develop Unified Metrics
With shared language and an understanding of security’s role within the enterprise risk framework, CISOs should work collaboratively with the executive function to develop a key set of metrics for communicating enterprise risk and preparedness. In addition to clear success measures for cyberthreats, unified metrics should involve business units in actively securing the enterprise and employee awareness efforts.
In the MISTI article, Duke Health CISO Chuck Kesler advised enterprises to develop two or three shared annual performance goals around security and awareness. Documenting performance goals, he said, “keeps security on everyone’s radar and naturally creates opportunities to check in on progress.”
4. Formally Share Skills
Formal initiatives for a shared language and knowledge transfer between IT and risk management are critical prior to an incident. The enterprise can benefit from executive participation in drill exercises led by third-party consultants, the development of a joint competency taskforce and formal peer mentoring efforts.
5. Rely on Technology and Data
Security risk management is an inherently real-time practice. Effective, cross-functional collaboration and response requires shared tools that are likely unified by a common analytical core. To develop unified risk management models and frameworks, security leaders should first implement a comprehensive security incident and event management (SIEM) solution to improve network visibility.
Leveraging the help of expert consultants, CISOs should work to implement the necessary solutions for real-time reporting, augmented intelligence into internal and external anomalies, and response orchestration. Shared technologies among business and technology leaders can foster a common understanding the enterprise’s security posture and response capabilities.
It’s All About Finding Common Ground
While nearly half of today’s CISOs are still catching up with their expanding role in the enterprise, the convergence of cybersecurity and business risk have continued to elevate it. While today’s executive leaders are more risk-aware than ever before, CISOs must navigate new challenges around effective cross-functional collaboration and communication.
At the most cyber-prepared enterprises, the executive function is actively involved in the regular discussion of cybersecurity risks and preparedness. Effective collaboration requires shared understanding, and it’s up to today’s CISOs to develop common languages, metrics and technologies that span technologies and business units.