October 14, 2016 By Bob Kalka 4 min read


Over the past several years, the widespread escalation of cybersecurity focus by boards and governments around the globe has increased the visibility, funding, influence and sophistication of the role of an organization’s cybersecurity leader — often in that order.

This has, in turn, placed a far greater responsibility on the chief information officer (CIO) to better understand the challenges, treatments, trade-offs and impacts of cybersecurity approaches in terms of the organization’s IT investments, from policy to risk management controls, staffing and skills development.

In light of the current cybersecurity skills gap, CIOs today must engage with boards and/or government agencies while ensuring that security is efficiently deployed and operational. These executive actions significantly impact the risk profiles of the organizations they support.

In my 22 years of engaging with C-level executives and boards, one of the most consequential issues on cybersecurity readiness and execution has been the organizational inertia that slows down or outright stops any progression on the risk management initiatives that can improve the organization’s posture. This inertia results from a lack of awareness, an insufficient focus on gaining awareness and an unwillingness to definitively address the most well-defined yet underserved cybersecurity issues organizations face today.

Top Cybersecurity Issues

It is crucial that CIOs are aware of these issues. They must understand the plans and programs to address the issues so they can properly represent and support these initiatives across the organization’s broader IT investments.

Let’s take a look at the most pressing issues to determine what CIOs should do next to help improve their risk management positions. These top issues fall into three categories:

  • Security strategy and transformation;
  • Security operations and response; and
  • Information risk and protection.

Security Strategy and Transformation

At its core, cybersecurity is a risk management discipline. Its ultimate goal is to ensure the health of the organization and its IT operations in the face of the growing and evolving cybercrime landscape.

But what if I were to tell you that the vast majority of cybersecurity programs have actually focused very little on addressing business risk management? It’s true. Unfortunately, my research and experience reveal that most organizations actually tailor their cybersecurity programs primarily to address compliance mandates.

Why does this matter? Because compliance is necessary but insufficient for achieving corporate risk management goals. A security program based on compliance focuses on audit management. This means ensuring all the necessary check boxes related to a given compliance initiative are addressed as opposed to assuring the ongoing operation of the organization.

Need proof? As Computerworld pointed out, it has become almost a cliché to even mention the many well-documented security incidents affecting major organizations.

Three Questions for the Cybersecurity Leader

It is crucial for organizations to shift their cybersecurity programs toward a risk management focus. A recent study by the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas, Texas, sponsored by IBM, outlined some best practices for accomplishing this goal. Based on these insights, here are some questions CIOs should ask the cybersecurity leader to determine the most appropriate next steps to move the program forward.

1. What Is the Prioritized List of Business Risks That Our Leaders Have Explicitly Identified as the Focus of Our Cybersecurity Program?

Many organizations lack a healthy level of interaction between lines of business, IT and the cybersecurity leader to explicitly identify the top business risks. As a result, IT departments tend to build cybersecurity programs that attempt to address every potential and perceived threat, regardless of risk level or impact. This spreads finite cybersecurity skills and investments too thinly across broad initiatives.

The leadership team must identify this prioritized list of business risks to properly tune and optimize both the cybersecurity program and the technologies deployed to implement the risk management controls. CIOs must take an active part in driving this interaction and understand how the prioritized risks impact their current IT investments.

2. What Is the Framework of Risk Management Controls Upon Which We’re Building Our Cybersecurity Program to Address the Prioritized Business Risks?

Where there’s an overworked cybersecurity program, there’s typically a frantic IT leader trying to address every issue within one of the industry’s standard risk management frameworks, such as COBIT, ISO or NIST.

Rather than boiling the ocean, CIOs should determine which subset of risk management controls (within one of the standardized frameworks) best address the prioritized business risks. Then they can adopt this customized view as the prioritized and visualized strategic focus of the cybersecurity program. CIOs must review this with cybersecurity leaders to ensure their programs are congruent with these priorities.

3. What Is the Plan for Addressing the Prioritized Gaps in Maturity for the Risk Management Controls That We’ve Identified as Most Crucial?

The best practice here is to analyze, typically on an annual basis, the organization’s current maturity versus desired maturity against each chosen risk management control. The CIO should then build an execution plan based on prioritizing the resulting gaps.

Therein lies the challenge: Today, there are more than 200,000 unfilled cybersecurity jobs. Some experts expect that number to balloon to more than 1.5 million by 2020. It seems no one has enough skills to address all the identified gaps. So what’s a CIO to do?

In an environment where limited cybersecurity skills are the norm, security leaders should strongly consider innovative approaches, such as highly integrated solutions and cloud-based delivery of cybersecurity capabilities. CIOs must participate in these reviews to ensure proper resource planning and prioritization.

This is just the first installment in a three-part series addressing cybersecurity for the CIO. Tune in next week for the answers to the next two questions.
