Every security leader within every organisation has to deliver on two primary mandates – ensure the company is secure and compliant, and keep the C-suite on board with security expenditure. Neither is easy. Regardless of title, from the chief information security officer (CISO) to the director of security to the lead security engineer, the pressure of achieving these two mandates is intense. They have to prove return on investment (ROI), prove the value of investing in additional security solutions in spite of limited incidents, and mitigate risk at every touchpoint. As balancing acts go, security is one of the most challenging.
“Traditionally, cybersecurity professionals would have to quantify spending to line of business (LoB), and this often came down to the number of incidents in the organisation, how much malware a vendor found, and how compliant systems were, and why there were still breaches in spite of spend,” says Jayson O’Reilly, GM of cybersecurity at Atvance Intellect. “Today’s security professionals have to find better, measurable ways of quantifying this risk to the business and find a way of ensuring the data they collect from solutions, self-assessments and third-party reviews talk to cyber resilience, enabling the business and actually becoming a business enabler.”
One of the biggest challenges that security faces is the business silo. Cybercriminals love these isolated and vulnerable pockets of information that don’t connect, don’t collaborate and open up vulnerabilities. Breaking down silos is one of the most important steps any business can take to improve its security posture and fully realise the value of its security investments. Security leaders need to collaborate with LoB, decision makers and third-party security service providers to find intelligent ways around the silo problem and ensure that every person within the organisation is aware of the cybersecurity threat, and how it impacts the business.
“If the business understands the adversary, then it is far more likely to recognise the value of security investments and approaches,” says O’Reilly. “Right now, most companies are focused on strategic objectives such as agile transformation and cloud- or digital-first investments. This makes it even more critical that the business understands the importance of security, that they know the risks that come with networks, cloud platforms, as-a-service solutions, and more.”
Perhaps one of the most strategic ways of putting security front and centre is to engage a trusted third party and ask them to verify and validate the steps the organisation has taken to date to protect itself, and to expose the loopholes that may still exist — to enter the deepest vaults within the organisation and walk out with the proverbial crown jewels. When business leaders see how easy it is to access private and critical information, they are far more likely to pay attention when the CISO asks for budget. The CISO needs to use this opportunity to collaborate with the business to create solutions that are accessible and relevant to it, and to establish robust security priorities.
“It can be challenging for cybersecurity professionals and the C-Suite to prioritise security – where do they even begin?” asks O’Reilly. “There is a lot to be said for engaging with a managed security service provider as they specialise in every last drop of security. Having worked in multiple environments with high-level insight into the latest technologies, risks and threats, these companies are well placed to offer advisory support and help companies prioritise risk and verify approaches.”
Once the organisation has clear steps in place, it’s far easier to get buy-in around budget, third-party involvement and security strategy — when LoB can see how security delivers a positive benefit across access, compliance and reputation, and how implementing a robust security policy can smooth over the bumps across silos. This is where security can really shift gears from grudge expense to business asset – with clear and concise business communication they can win over stakeholders and demonstrate that security isn’t an IT problem, it’s an everyone problem.
“Security, at its core, is a business enabler,” says O’Reilly. “If security professionals and the C-suite are communicating openly, then they can overcome some of the traditional loopholes that threat actors use to gain access to the organisation. Cybercriminals are enabled by the business when there’s no visibility; they just dive straight on past security controls using human error and poor security understanding as gateways to data.”
It’s critical to add tools to the business environment that ensure visibility – tools that engender trust across silos, that are accessible to users, and that can mature with the organisation. These are not an impossible dream: there are several highly agile solutions that allow for the organisation to operate securely across multiple geographies and environments and that are capable of detecting threats before they become problems — solutions that don’t inhibit LoB as it invests into applications and platforms to get the job done, but rather empower the business to stay secure and agile.
“The most important step to transforming cybersecurity within the business is to connect the business to cybersecurity,” concludes O’Reilly. “This means recognising the challenges that each side faces and implementing solutions that overcome these challenges intelligently. It’s worth working with an MSSP as a professional third party is more than just a second pair of hands supporting the cybersecurity professional – it’s a hundred hands and eyes catching every detail, so the CISO sweats the big stuff, and the business doesn’t sweat at all.”
- This promoted content was paid for by the party concerned