October 14, 2016 By Bob Kalka 4 min read

Over the past several years, the widespread escalation of cybersecurity focus by boards and governments around the globe has increased the visibility, funding, influence and sophistication of the role of an organization’s cybersecurity leader — often in that order.

This has, in turn, placed a far greater responsibility on the chief information officer (CIO) to better understand the challenges, treatments, trade-offs and impacts of cybersecurity approaches in terms of the organization’s IT investments, from policy to risk management controls, staffing and skills development.

In light of the current cybersecurity skills gap, CIOs today must engage with boards and/or government agencies while ensuring that security is efficiently deployed and operational. These executive actions significantly impact the risk profiles of the organizations they support.

In my 22 years of engaging with C-level executives and boards, one of the most consequential issues affecting cybersecurity readiness and execution has been the organizational inertia that slows down or outright stops any progress on the risk management initiatives that could improve the organization’s posture. This inertia results from a lack of awareness, an insufficient focus on gaining awareness and an unwillingness to definitively address the most well-defined yet underserved cybersecurity issues organizations face today.

Top Cybersecurity Issues

It is crucial that CIOs are aware of these issues. They must understand the plans and programs to address the issues so they can properly represent and support these initiatives across the organization’s broader IT investments.

Let’s take a look at the most pressing issues to determine what CIOs should do next to help improve their risk management positions. These top issues fall into three categories:

  • Security strategy and transformation;
  • Security operations and response; and
  • Information risk and protection.

Security Strategy and Transformation

At its core, cybersecurity is a risk management discipline. Its ultimate goal is to ensure the health of the organization and its IT operations in the face of the growing and evolving cybercrime landscape.

But what if I were to tell you that the vast majority of cybersecurity programs have actually focused very little on addressing business risk? It’s true. Unfortunately, my research and experience reveal that most organizations tailor their cybersecurity programs primarily to address compliance mandates.

Why does this matter? Because compliance is necessary but insufficient for achieving corporate risk management goals. A security program built around compliance is really an audit management program: it ensures that every check box tied to a given compliance initiative is addressed, rather than assuring the ongoing operation of the organization. An auditor’s sign-off says that a control existed on the day of the audit, not that it would have stopped the attack that actually matters to the business.

Need proof? As Computerworld pointed out, it has become almost a cliche to even mention the many well-documented security incidents affecting major organizations.

Three Questions for the Cybersecurity Leader

It is crucial for organizations to shift their cybersecurity programs toward a risk management focus. A recent study by the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas, Texas, sponsored by IBM, outlined some best practices for accomplishing this goal. Based on these insights, here are some questions CIOs should ask the cybersecurity leader to determine the most appropriate next steps for moving the program forward.

1. What Is the Prioritized List of Business Risks That Our Leaders Have Explicitly Identified as the Focus of Our Cybersecurity Program?

Many organizations lack a healthy level of interaction between lines of business, IT and the cybersecurity leader to explicitly identify the top business risks. As a result, IT departments tend to build cybersecurity programs that attempt to address every potential and perceived threat, regardless of risk level or impact. This spreads finite cybersecurity skills and investments too thinly across broad initiatives.

The leadership team must identify this prioritized list of business risks to properly tune and optimize both the cybersecurity program and the technologies deployed to implement the risk management controls. CIOs must take an active part in driving this interaction and understand how the prioritized risks impact their current IT investments.

2. What Is the Framework of Risk Management Controls Upon Which We’re Building Our Cybersecurity Program to Address the Prioritized Business Risks?

Where there’s an overworked cybersecurity program, there’s typically a frantic IT leader trying to address every control within one of the industry’s standard risk management frameworks, such as COBIT, ISO/IEC 27001 or the NIST Cybersecurity Framework.

Rather than boiling the ocean, CIOs should determine which subset of risk management controls (within one of the standardized frameworks) best addresses the prioritized business risks. They can then adopt this customized view as the prioritized, visualized strategic focus of the cybersecurity program. CIOs must review this with cybersecurity leaders to ensure their programs are congruent with these priorities.

3. What Is the Plan for Addressing the Prioritized Gaps in Maturity for the Risk Management Controls That We’ve Identified as Most Crucial?

The best practice here is to analyze, typically on an annual basis, the organization’s current maturity versus its desired maturity for each chosen risk management control. The CIO should then build an execution plan that prioritizes the resulting gaps, weighting each gap by the business risk it leaves exposed rather than treating every gap as equally urgent.

Therein lies the challenge: Today, there are more than 200,000 unfilled cybersecurity jobs. Some experts expect that number to balloon to more than 1.5 million by 2020. It seems no one has enough skills to address all the identified gaps. So what’s a CIO to do?

In an environment where limited cybersecurity skills are the norm, security leaders should strongly consider innovative approaches, such as highly integrated solutions and cloud-based delivery of cybersecurity capabilities. CIOs must participate in these reviews to ensure proper resource planning and prioritization.

This is just the first installment in a three-part series addressing cybersecurity for the CIO. Tune in next week for the next two categories: security operations and response, and information risk and protection.
