January 20, 2016 By Derek Brink 4 min read

This is Part 2 in our six-part series on creating a strategy map for security leaders. Read Part 1 here.

The first row of our strategy map for security leaders is about the question that security professionals seem to struggle with the most: What value do you provide?

Confusing Activity With Results

Part of the problem is simply the way we have all come to talk with one another in society. For example, when we meet someone for the first time, it’s only natural to ask, “What do you do?” And it’s only natural that they respond with some variation of their role or job title: “I’m a researcher”; “I teach math”; “I sell enterprise software”; and “I’m the chief information security officer at company X.”

Inquire further, and this new acquaintance is likely to respond with more detail about his or her activities at work. But activity is not synonymous with value. Activity may be the means by which value is created, but the activity itself is not the answer to the extremely relevant business question: What value do you provide?

This confusion of activity with results is why many security professionals mistakenly try to associate metrics initiatives (i.e., a dashboard of performance against preselected outcomes and ongoing trends) and reporting initiatives (i.e., the periodic demonstration of compliance to auditors) — both of which should really be thought of as work progress — with the value that they are providing to the organization. Work progress is important, but it does not represent value.

As noted in “Self-Improvement Agenda for CISOs: What Is Top of Mind for 2015?,” security leaders reported that they feel they are highly effective at communicating things that are important but have limited strategic value — for example, compliance and cost.

For the things that have high strategic importance to the organization, however — such as managing security-related risks or enabling new business initiatives — they feel they are currently much less effective at communicating than they would like to be. It seems obvious that focusing on those strategic outcomes and communicating them more effectively is the key to providing value and remaining relevant.

A Proper Understanding of Risk

A second problem is that a surprising number of security professionals don’t really have an accurate understanding of risk. Here are four specific aspects of risk that warrant an honest reality check.

Definition of Risk

There’s no controversy or disagreement about the proper definition of risk; it’s just that we often don’t use it properly! Risk is the likelihood of something occurring and the business impact if that thing actually does occur. If we’re not talking in terms of likelihood and business impact, we’re not really talking in terms of risk.

Language of Risk

We all do it from time to time, but highly technical people seem especially prone to using the terms threats, vulnerabilities and exploits as synonyms for risk. For example, is phishing a risk? No, it isn’t; phishing is an exploit. Specifically, phishing is an exploit of a vulnerability, which is a human user.

In this situation, what business leaders need to know from their information security team is how likely it is that the organization’s users will fall victim to a phishing attack and what the business impact of a successful phishing attack is estimated to be.

Response to Risk

Not all risks need to be addressed. Some risks may be accepted; some risks may be ignored, which is another form of acceptance; some risks may be transferred to other parties; and some risks may be managed to an acceptable level through an investment in a mix of technical, administrative and physical controls.

A great many security professionals firmly believe in their hearts — mistakenly — that the fundamental objective of information security is to counter all threats, remediate all vulnerabilities and eliminate all risks. The goal is not to implement the best possible security. On the contrary, the goal is to take steps to reduce security-related risks to an acceptable level.

Types of Risk

Not all risk is bad. In fact, business leaders routinely pursue positive or rewarded risks, day in and day out, by making business decisions such as launching a new product line, entering a new market, acquiring a new company, investing in a new technology initiative and so on.

As discussed in “Self Improvement Agenda for CISOs: Four Types of Business Value, Two Types of Risk,” the unrewarded risks of security and compliance have to do with defending assets, minimizing downside and protecting value. Rewarded risks have to do with enabling assets, maximizing upside and creating value. The key point is that both rewarded and unrewarded risks have to do with making decisions and allocating resources in the face of uncertainty. For many rewarded risks, information security has an important role to play as an essential enabler.

The Value of Information Security: Addressing Security-Related Risks With a Strategy Map

With these important clarifications in mind, the answer to information security’s existential question is actually pretty straightforward: The value of information security is to help the organization address its security-related risks.

On the strategy map for security leaders, this is explicitly represented in two parts — manage unrewarded risks and enable rewarded risks — to give equal emphasis to both the traditional, technology-oriented mindset of security professionals and the emerging business-oriented mindset of the next-generation CISO.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today