January 20, 2016 By Derek Brink 4 min read

This is Part 2 in our six-part series on creating a strategy map for security leaders. Read Part 1 here.

The first row of our strategy map for security leaders is about the question that security professionals seem to struggle with the most: What value do you provide?

Confusing Activity With Results

Part of the problem is simply the way we have all come to talk with one another in society. For example, when we meet someone for the first time, it’s only natural to ask, “What do you do?” And it’s only natural that they respond with some variation of their role or job title: “I’m a researcher”; “I teach math”; “I sell enterprise software”; and “I’m the chief information security officer at company X.”

Inquire further, and this new acquaintance is likely to respond with more detail about his or her activities at work. But activity is not synonymous with value. Activity may be the means by which value is created, but the activity itself is not the answer to the extremely relevant business question: What value do you provide?

This confusion of activity with results is why many security professionals mistakenly try to associate metrics initiatives (i.e., a dashboard of performance against preselected outcomes and ongoing trends) and reporting initiatives (i.e., the periodic demonstration of compliance to auditors) — both of which should really be thought of as work progress — with the value that they are providing to the organization. Work progress is important, but it does not represent value.

As noted in “Self-Improvement Agenda for CISOs: What Is Top of Mind for 2015?,” security leaders reported that they feel they are highly effective at communicating things that are important but have limited strategic value — for example, compliance and cost.

For the things that have high strategic importance to the organization, however — such as managing security-related risks or enabling new business initiatives — they feel they are currently much less effective at communicating than they would like to be. It seems obvious that focusing on those strategic outcomes and communicating them more effectively is the key to providing value and remaining relevant.

A Proper Understanding of Risk

A second problem is that a surprising number of security professionals don’t really have an accurate understanding of risk. Here are four specific aspects of risk that warrant an honest reality check.

Definition of Risk

There’s no controversy or disagreement about the proper definition of risk; it’s just that we often don’t use it properly! Risk is a function of two things: the likelihood of something occurring and the business impact if that thing actually does occur. Leave out either one and you no longer have a risk statement. If we’re not talking in terms of likelihood and business impact, we’re not really talking in terms of risk.

Language of Risk

We all do it from time to time, but highly technical people seem especially prone to using the terms threats, vulnerabilities and exploits as synonyms for risk. For example, is phishing a risk? No, it isn’t; phishing is an attack technique, an exploit of a vulnerability, and the vulnerability it exploits is the susceptibility of human users to deception. Neither the attack nor the vulnerability is the risk. The risk is the likelihood that the attack succeeds combined with the business impact when it does.

In this situation, what business leaders need to know from their information security team is how likely it is that the organization’s users will fall victim to a phishing attack and what the business impact of a successful phishing attack is estimated to be.

Response to Risk

Not all risks need to be addressed. Some risks may be accepted; some risks may be ignored, which is simply acceptance without a decision; some risks may be avoided by not undertaking the activity that creates them; some risks may be transferred to other parties, for example through insurance or contract; and some risks may be managed to an acceptable level through an investment in a mix of technical, administrative and physical controls.

A great many security professionals firmly believe in their hearts — mistakenly — that the fundamental objective of information security is to counter all threats, remediate all vulnerabilities and eliminate all risks. The goal is not to implement the best possible security. On the contrary, the goal is to take steps to reduce security-related risks to an acceptable level.
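To make the three preceding points concrete, here is the phishing case worked through as an added example in Python. It is not from the original article and it is not the author’s method; the modelling choices (independent users, campaigns as Poisson arrivals, insurance as a premium plus a per-incident deductible) and every number in it are assumptions chosen for illustration. It states phishing as likelihood and impact rather than as an exploit, then compares accept, mitigate and transfer against an assumed risk appetite.

```python
"""Phishing stated as a risk (likelihood and business impact) and the candidate
responses to it. Added example, not from the original article; every number
below is a constructed assumption, not measured data."""
from dataclasses import dataclass
import math
from typing import Optional


@dataclass(frozen=True)
class PhishingScenario:
    """Inputs a security team can actually estimate (assumed values here)."""
    users: int                  # accounts reachable by external email
    campaigns_per_year: float   # phishing campaigns expected to reach those users
    click_rate: float           # share of users who fall for one campaign (e.g. from simulations)
    impact_per_incident: float  # business impact, in currency, of one successful campaign


def p_at_least_one_victim(users: int, click_rate: float) -> float:
    """Probability one campaign fools at least one user (users treated as independent)."""
    return 1.0 - (1.0 - click_rate) ** users


def expected_incidents_per_year(s: PhishingScenario) -> float:
    return s.campaigns_per_year * p_at_least_one_victim(s.users, s.click_rate)


def annual_probability_of_incident(s: PhishingScenario) -> float:
    """Likelihood of at least one successful campaign in a year (Poisson approximation)."""
    return 1.0 - math.exp(-expected_incidents_per_year(s))


def annualized_loss(s: PhishingScenario, retained_cap: Optional[float] = None) -> float:
    """Expected yearly loss the organisation bears; `retained_cap` is a per-incident
    deductible when the rest of the loss has been transferred (e.g. insured)."""
    per_incident = s.impact_per_incident if retained_cap is None else min(s.impact_per_incident, retained_cap)
    return expected_incidents_per_year(s) * per_incident


@dataclass(frozen=True)
class Response:
    """One way of responding to the risk: accept, mitigate (controls) or transfer."""
    name: str
    annual_cost: float                    # control spend or premium
    residual: PhishingScenario            # the scenario after the response is applied
    retained_cap: Optional[float] = None  # per-incident deductible if transferred

    def retained_loss(self) -> float:
        return annualized_loss(self.residual, self.retained_cap)

    def total_expected_cost(self) -> float:
        return self.annual_cost + self.retained_loss()


def choose_response(responses, risk_appetite: float) -> Response:
    """Cheapest response whose retained expected loss is within appetite; if none
    qualifies, the one that leaves the least residual risk."""
    within = [r for r in responses if r.retained_loss() <= risk_appetite]
    if within:
        return min(within, key=Response.total_expected_cost)
    return min(responses, key=Response.retained_loss)


# Constructed scenario and options (assumed figures for illustration only).
BASELINE = PhishingScenario(users=200, campaigns_per_year=4, click_rate=0.03, impact_per_incident=100_000)
RESPONSES = [
    Response("accept", 0, BASELINE),
    # awareness training lowers the click rate; MFA on mail/SSO shrinks what a stolen password yields
    Response("mitigate: training + MFA", 60_000,
             PhishingScenario(users=200, campaigns_per_year=4, click_rate=0.005, impact_per_incident=25_000)),
    # cyber insurance: premium plus a per-incident deductible the organisation still bears
    Response("transfer: insurance", 80_000, BASELINE, retained_cap=20_000),
]
RISK_APPETITE = 100_000  # maximum expected annual loss the business is willing to carry


def risk_statement(s: PhishingScenario) -> str:
    """The sentence business leaders asked for: likelihood and impact, not 'phishing'."""
    return (f"{annual_probability_of_incident(s):.0%} chance of at least one successful phishing "
            f"campaign this year, ~{expected_incidents_per_year(s):.1f} expected, "
            f"{s.impact_per_incident:,.0f} impact each, expected annual loss {annualized_loss(s):,.0f}")


if __name__ == "__main__":
    print("Baseline:", risk_statement(BASELINE))
    for r in RESPONSES:
        print(f"{r.name:28s} retained loss {r.retained_loss():>10,.0f}  total cost {r.total_expected_cost():>10,.0f}")
    print("Chosen:", choose_response(RESPONSES, RISK_APPETITE).name)
```

Two things worth noticing in the output. Even after the mitigation option, the model still gives better than a 90 percent chance of at least one successful campaign in the year; what changes is the expected loss, which is the point of the "acceptable level" framing rather than "eliminate all risk". And with the assumed appetite both mitigation and transfer qualify, so the choice comes down to total expected cost, which is a business decision, not a technical one.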

Types of Risk

Not all risk is bad. In fact, business leaders routinely pursue positive or rewarded risks, day in and day out, by making business decisions such as launching a new product line, entering a new market, acquiring a new company, investing in a new technology initiative and so on.

As discussed in “Self Improvement Agenda for CISOs: Four Types of Business Value, Two Types of Risk,” the unrewarded risks of security and compliance have to do with defending assets, minimizing downside and protecting value. Rewarded risks have to do with enabling assets, maximizing upside and creating value. The key point is that both rewarded and unrewarded risks have to do with making decisions and allocating resources in the face of uncertainty. For many rewarded risks, information security has an important role to play as an essential enabler.

The Value of Information Security: Addressing Security-Related Risks With a Strategy Map

With these important clarifications in mind, the answer to information security’s existential question is actually pretty straightforward: The value of information security is to help the organization address its security-related risks.

On the strategy map for security leaders, this is explicitly represented in two parts — manage unrewarded risks and enable rewarded risks — to give equal emphasis to both the traditional, technology-oriented mindset of security professionals and the emerging business-oriented mindset of the next-generation CISO.
