Today’s information security leaders are quickly maturing into strategic business thinkers, growing beyond the traditional technical purpose of initiatives like implementing the latest firewalls or malware detection tools. The days of the CISO who is exclusively a highly-qualified network engineer have come to an end. Instead, the effective modern-day CISO has that strong technology foundation, but also holds a much deeper understanding of the business goals and needs.

Need some assistance building a holistic strategy that positions you to respond to today’s threats? Click here to learn more.

In any business—from our healthcare systems to our financial institutions—we must identify the link between information security and business requirements.  But to take it one step further, we must also show the link between security vulnerabilities and the risks as they relate to risks to the business itself.

A pioneering security leader must develop an enterprise-level understanding of the risks for every possible type of cyber-attack and organizational threat. But beyond that, he or she must have the necessary skills to communicate these risks to technical stakeholders, leadership and the board of directors as well. As a best practice, each and every security control that is instituted should be linked back to a business requirement or a business risk that needs to be addressed.

For example, executive leaders often place great effort on and set corporate goals around increasing cost-efficiencies. By aligning access control solutions to this goal—like smart cards or biometrics—security leaders can create tremendous organizational efficiencies by allowing help desks to significantly reduce their password management overhead. In turn, this gives the CISO the critical information he/she needs to begin educating board members about the costs of these risks. A major focus and effort should be devoted to understanding your executive team’s “risk appetite.” Then, and only then, can clear security driven performance metrics be defined.

Is your security strategy where it needs to be? Read our data and network maturity model white paper to help you measure adoption of the latest tech and strategies.

Traditional thought processes suggest that compliance is what drives the CISO towards comprehensive Governance, Risk and Compliance (GRC).  We must rethink this parochial practice. GRC is continuously changing and improving and it is doing so at an incredibly rapid pace.  While our security leaders agree that GRC plays a key role in their organizations, the motivation for investment has shifted tremendously from compliance to risk management. Compliance has now become table stakes.

To build a security-focused culture and future for our organizations, our most successful security leaders must be ready to spend more of their time and resources on setting a security strategy and advising the business on risk. We must have the courage and commitment to be risk leaders—guiding leadership and the board in setting the “risk appetite” that falls directly in line with their strategic goals.

In closing, we must continuously ask the most important questions, such as:

  • How much would our security nirvana cost?
  • How much security investment can my organization afford?
  • What risks is the organization willing to take?