Five ways security leaders can demonstrate the business value of cybersecurity
For an organization to achieve its goals, every department must work collectively and not in isolation. Unfortunately, Forrester reports that 97% of organizations believe there’s misalignment between cybersecurity priorities and business outcomes.
Several reasons account for this perception. Sometimes the security function is misunderstood and not well communicated, or it isn’t appropriately owned and maintained. This can have an adverse impact on an organization’s ability to manage risk, control costs and maintain business agility, since cybersecurity controls typically crisscross other business functions.
So how can cybersecurity leaders justify the business value of cybersecurity and improve alignment with business goals? Here are five best practices to consider:
Always put the business first.
Security teams exist to serve the business and not the other way around. While it’s true that modern, digitally transformed businesses should not ignore the criticality of cybersecurity, it’s also true that security leaders need to help business leaders understand and appreciate the value and benefits that the cybersecurity function can offer the organization. This requires empathy, an ability to see the world from the perspective of the business, and the discipline to express security in the business’s own terms. It also requires an alliance of mindsets, effective stakeholder engagement, and collaboration, ensuring that security controls always complement business objectives.
Move from risk tolerance to risk balance.
Traditionally, the board or a supervisory committee determines an organization’s tolerance or appetite for risk, and security leaders are expected to operate within that level of tolerance. However, tolerance is often subjective, which increases the chances for conflict when applying those tolerances to current or planned business activities. A more practical approach is to consider the level of risk exposure balanced against ongoing legal and regulatory requirements, cost, and agility in the context of meeting business objectives. This requires security practitioners to conduct extensive scenario planning that enables the business to see a more balanced view of risk. Remember, not all risk is bad. Risk can present a business opportunity if it is managed appropriately and collaboratively with risk owners.
Leverage corporate governance to support the value message.
For years, security teams have faced the challenge that they are only deemed useful when an incident or crisis occurs. Because governance oversees the activities of security functions in peacetime as well, it can offer a useful narrative to the boardroom on where the total value exists. Here’s where a security leader’s relationship-building skills come in. For example, executive directors can serve as useful advocates in supporting the security conversation and aligning security activities to the missions and objectives of the business. Where security leaders do not have a seat at the table or a direct opportunity to contribute, such advocates can help generate boardroom discussions on topics related to network vulnerabilities.