Over the past several years, the widespread escalation of cybersecurity focus by boards and governments around the globe has increased the visibility, funding, influence and sophistication of the role of an organization’s cybersecurity leader — often in that order.
This has, in turn, placed a far greater responsibility on the chief information officer (CIO) to better understand the challenges, treatments, trade-offs and impacts of cybersecurity approaches in terms of the organization’s IT investments, from policy to risk management controls, staffing and skills development.
In light of the current cybersecurity skills gap, CIOs today must engage with boards and/or government agencies while ensuring that security is efficiently deployed and operational. These executive actions significantly impact the risk profiles of the organizations they support.
In my 22 years of engaging with C-level executives and boards, one of the most consequential issues on cybersecurity readiness and execution has been the organizational inertia that slows down or outright stops any progression on the risk management initiatives that can improve the organization’s posture. This inertia results from a lack of awareness, an insufficient focus on gaining awareness and an unwillingness to definitively address the most well-defined yet underserved cybersecurity issues organizations face today.
Top Cybersecurity Issues
It is crucial that CIOs are aware of these issues. They must understand the plans and programs to address the issues so they can properly represent and support these initiatives across the organization’s broader IT investments.
Let’s take a look at the most pressing issues to determine what CIOs should do next to help improve their risk management positions. These top issues fall into three categories:
- Security strategy and transformation;
- Security operations and response; and
- Information risk and protection.
Security Strategy and Transformation
At its core, cybersecurity is a risk management discipline. Its ultimate goal is to ensure the health of the organization and its IT operations in the face of the growing and evolving cybercrime landscape.
But what if I were to tell you that the vast majority of cybersecurity programs have actually focused very little on addressing business risk management? It’s true. Unfortunately, my research and experience reveals that most organizations actually tailor their cybersecurity programs to primarily address compliance mandates.
Why does this matter? Because compliance is necessary but insufficient for achieving corporate risk management goals. A security program based on compliance focuses on audit management. This means ensuring all the necessary check boxes related to a given compliance initiative are addressed as opposed to assuring the ongoing operation of the organization.
Need proof? As Computerworld pointed out, it has become almost a cliche to even mention the many well-documented security incidents affecting major organizations.
Three Questions for the Cybersecurity Leader
It is crucial for organizations to shift their cybersecurity programs towards a risk management focus. A recent study by the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas, Texas, sponsored by IBM, outlined some best practices for accomplishing this goal. Based on these insights, here are some questions CIO should ask the cybersecurity leader to determine the most appropriate next steps to move the program forward.
1. What Is the Prioritized List of Business Risks That Our Leaders Have Explicitly Identified as the Focus Our Cybersecurity Program?
Many organizations lack a healthy level of interaction between lines of business, IT and the cybersecurity leader to explicitly identify the top business risks. As a result, IT departments tend to build cybersecurity programs that attempt to address every potential and perceived threat, regardless of risk level or impact. This spreads finite cybersecurity skills and investments too thinly across broad initiatives.
The leadership team must identify this prioritized list of business risks to properly tune and optimize both the cybersecurity program and the technologies deployed to implement the risk management controls. CIOs must take an active part in driving this interaction and understand how the prioritized risks impact their current IT investments.
2. What Is the Framework of Risk Management Controls Upon Which We’re Building Our Cybersecurity Program to Address the Prioritized Business Risks?
Where there’s an overworked cybersecurity program, there’s typically a frantic IT leader trying to address every issue within one of the industry’s standard risk management frameworks, such as COBiT, ISO or NIST.
Rather than boiling the ocean, CIOs should determine which subset of risk management controls (within one of the standardized frameworks) best address the prioritized business risks. Then they can adopt this customized view as the prioritized and visualized strategic focus of the cybersecurity program. CIOs must review this with cybersecurity leaders to ensure their programs are congruent with these priorities.
3. What Is the Plan for Addressing the Prioritized Gaps in Maturity for the Risk Management Controls That We’ve Identified as Most Crucial?
The best practice here is to analyze, typically on an annual basis, the organization’s current maturity versus desired maturity against each chosen risk management control. The CIO should then build an execution plan based on prioritizing the resulting gaps.
Therein lies the challenge: Today, there are more than 200,000 unfilled cybersecurity jobs. Some experts expect that number to balloon to more than 1.5 million by 2020. It seems no one has enough skills to address all the identified gaps. So what’s a CIO to do?
In an environment where limited cybersecurity skills are then norm, security leaders should strongly consider innovative approaches, such as highly integrated solutions and cloud-based delivery of cybersecurity capabilities. CIOs must participate in these reviews to ensure proper resource planning and prioritization.
This is just the first installment in a three-part series addressing cybersecurity for the CIO. Tune in next week for the answers to the next two questions.
Vice President, IBM Security Business Unit