October 14, 2016 By Bob Kalka 4 min read

Over the past several years, the widespread escalation of cybersecurity focus by boards and governments around the globe has increased the visibility, funding, influence and sophistication of the role of an organization’s cybersecurity leader — often in that order.

This has, in turn, placed a far greater responsibility on the chief information officer (CIO) to better understand the challenges, treatments, trade-offs and impacts of cybersecurity approaches in terms of the organization’s IT investments, from policy to risk management controls, staffing and skills development.

In light of the current cybersecurity skills gap, CIOs today must engage with boards and/or government agencies while ensuring that security is efficiently deployed and operational. These executive actions significantly impact the risk profiles of the organizations they support.

In my 22 years of engaging with C-level executives and boards, one of the most consequential issues on cybersecurity readiness and execution has been the organizational inertia that slows down or outright stops any progression on the risk management initiatives that can improve the organization’s posture. This inertia results from a lack of awareness, an insufficient focus on gaining awareness and an unwillingness to definitively address the most well-defined yet underserved cybersecurity issues organizations face today.

Top Cybersecurity Issues

It is crucial that CIOs are aware of these issues. They must understand the plans and programs to address the issues so they can properly represent and support these initiatives across the organization’s broader IT investments.

Let’s take a look at the most pressing issues to determine what CIOs should do next to help improve their risk management positions. These top issues fall into three categories:

  • Security strategy and transformation;
  • Security operations and response; and
  • Information risk and protection.

Security Strategy and Transformation

At its core, cybersecurity is a risk management discipline. Its ultimate goal is to ensure the health of the organization and its IT operations in the face of the growing and evolving cybercrime landscape.

But what if I were to tell you that the vast majority of cybersecurity programs have actually focused very little on addressing business risk management? It’s true. Unfortunately, my research and experience reveal that most organizations actually tailor their cybersecurity programs to primarily address compliance mandates.

Why does this matter? Because compliance is necessary but insufficient for achieving corporate risk management goals. A security program based on compliance focuses on audit management. This means ensuring all the necessary check boxes related to a given compliance initiative are addressed as opposed to assuring the ongoing operation of the organization.

Need proof? As Computerworld pointed out, it has become almost a cliche to even mention the many well-documented security incidents affecting major organizations.

Three Questions for the Cybersecurity Leader

It is crucial for organizations to shift their cybersecurity programs towards a risk management focus. A recent study by the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas, Texas, sponsored by IBM, outlined some best practices for accomplishing this goal. Based on these insights, here are some questions CIOs should ask the cybersecurity leader to determine the most appropriate next steps to move the program forward.

1. What Is the Prioritized List of Business Risks That Our Leaders Have Explicitly Identified as the Focus of Our Cybersecurity Program?

Many organizations lack a healthy level of interaction between lines of business, IT and the cybersecurity leader to explicitly identify the top business risks. As a result, IT departments tend to build cybersecurity programs that attempt to address every potential and perceived threat, regardless of risk level or impact. This spreads finite cybersecurity skills and investments too thinly across broad initiatives.

The leadership team must identify this prioritized list of business risks to properly tune and optimize both the cybersecurity program and the technologies deployed to implement the risk management controls. CIOs must take an active part in driving this interaction and understand how the prioritized risks impact their current IT investments.

2. What Is the Framework of Risk Management Controls Upon Which We’re Building Our Cybersecurity Program to Address the Prioritized Business Risks?

Where there’s an overworked cybersecurity program, there’s typically a frantic IT leader trying to address every issue within one of the industry’s standard risk management frameworks, such as COBiT, ISO or NIST.

Rather than boiling the ocean, CIOs should determine which subset of risk management controls (within one of the standardized frameworks) best address the prioritized business risks. Then they can adopt this customized view as the prioritized and visualized strategic focus of the cybersecurity program. CIOs must review this with cybersecurity leaders to ensure their programs are congruent with these priorities.

3. What Is the Plan for Addressing the Prioritized Gaps in Maturity for the Risk Management Controls That We’ve Identified as Most Crucial?

The best practice here is to analyze, typically on an annual basis, the organization’s current maturity versus desired maturity against each chosen risk management control. The CIO should then build an execution plan based on prioritizing the resulting gaps.

Therein lies the challenge: Today, there are more than 200,000 unfilled cybersecurity jobs. Some experts expect that number to balloon to more than 1.5 million by 2020. It seems no one has enough skills to address all the identified gaps. So what’s a CIO to do?

In an environment where limited cybersecurity skills are the norm, security leaders should strongly consider innovative approaches, such as highly integrated solutions and cloud-based delivery of cybersecurity capabilities. CIOs must participate in these reviews to ensure proper resource planning and prioritization.

This is just the first installment in a three-part series addressing cybersecurity for the CIO. Tune in next week for the answers to the next two questions.
