This is Part 2 in our six-part series on creating a strategy map for security leaders. Read Part 1 here.

The first row of our strategy map for security leaders is about the question that security professionals seem to struggle with the most: What value do you provide?

Confusing Activity With Results

Part of the problem is simply the way we have all come to talk with one another in society. For example, when we meet someone for the first time, it’s only natural to ask, “What do you do?” And it’s only natural that they respond with some variation of their role or job title: “I’m a researcher”; “I teach math”; “I sell enterprise software”; and “I’m the chief information security officer at company X.”

Inquire further, and this new acquaintance is likely to respond with more detail about his or her activities at work. But activity is not synonymous with value. Activity may be the means by which value is created, but the activity itself is not the answer to the extremely relevant business question: What value do you provide?

This confusion of activity with results is why many security professionals mistakenly try to associate metrics initiatives (i.e., a dashboard of performance against preselected outcomes and ongoing trends) and reporting initiatives (i.e., the periodic demonstration of compliance to auditors) — both of which should really be thought of as work progress — with the value that they are providing to the organization. Work progress is important, but it does not represent value.

As noted in “Self-Improvement Agenda for CISOs: What Is Top of Mind for 2015?,” security leaders reported that they feel they are highly effective at communicating things that are important but have limited strategic value — for example, compliance and cost.

For the things that have high strategic importance to the organization, however — such as managing security-related risks or enabling new business initiatives — they feel they are currently much less effective at communicating than they would like to be. It seems obvious that focusing on those strategic outcomes and communicating them more effectively is the key to providing value and remaining relevant.

A Proper Understanding of Risk

A second problem is that a surprising number of security professionals don’t really have an accurate understanding of risk. Here are four specific aspects of risk that warrant an honest reality check.

Definition of Risk

There’s no controversy or disagreement about the proper definition of risk; it’s just that we often don’t use it properly! Risk is the likelihood of something occurring and the business impact if that thing actually does occur. If we’re not talking in terms of likelihood and business impact, we’re not really talking in terms of risk.

Language of Risk

We all do it from time to time, but highly technical people seem especially prone to using the terms threats, vulnerabilities and exploits as synonyms for risk. For example, is phishing a risk? No, it isn’t; phishing is an exploit. Specifically, phishing exploits a vulnerability, and that vulnerability is the human user.

In this situation, what business leaders need to know from their information security team is how likely it is that the organization’s users will fall victim to a phishing attack and what the business impact of a successful phishing attack is estimated to be.

Response to Risk

Not all risks need to be addressed. Some risks may be accepted; some risks may be ignored, which is another form of acceptance; some risks may be transferred to other parties; and some risks may be managed to an acceptable level through an investment in a mix of technical, administrative and physical controls.

A great many security professionals firmly believe in their hearts — mistakenly — that the fundamental objective of information security is to counter all threats, remediate all vulnerabilities and eliminate all risks. The goal is not to implement the best possible security. On the contrary, the goal is to take steps to reduce security-related risks to an acceptable level.

Types of Risk

Not all risk is bad. In fact, business leaders routinely pursue positive or rewarded risks, day in and day out, by making business decisions such as launching a new product line, entering a new market, acquiring a new company, investing in a new technology initiative and so on.

As discussed in “Self Improvement Agenda for CISOs: Four Types of Business Value, Two Types of Risk,” the unrewarded risks of security and compliance have to do with defending assets, minimizing downside and protecting value. Rewarded risks have to do with enabling assets, maximizing upside and creating value. The key point is that both rewarded and unrewarded risks have to do with making decisions and allocating resources in the face of uncertainty. For many rewarded risks, information security has an important role to play as an essential enabler.

The Value of Information Security: Addressing Security-Related Risks With a Strategy Map

With these important clarifications in mind, the answer to information security’s existential question is actually pretty straightforward: The value of information security is to help the organization address its security-related risks.

On the strategy map for security leaders, this is explicitly represented in two parts — manage unrewarded risks and enable rewarded risks — to give equal emphasis to both the traditional, technology-oriented mindset of security professionals and the emerging business-oriented mindset of the next-generation CISO.
