Let's face it, CISOs have a tough job.
They have all the responsibilities of being in the C-Suite but often left out of discussions at that level.
They are on the hook to protect the company from a constantly changing risk environment that comes with adaptable threats. They are one of the first groups looked at when cost cuts must be made, and proving a business case for risk reduction is always an uphill battle. We want to look at some methods that can be used to help the CISO and all security practitioners win the battle to secure their company. In this three-part series, we will cover:
• How to establish your base
• How to build on your risk story
• How to seal the deal
Maybe your program is further along and you need to jump to #3, but it's always good to go back over the earlier steps and make sure you didn't miss anything.
Establishing your base is about knowing where your security program stands, what your company's goals are (besides making a profit), and what roadblocks stand between you and achieving security. Let's start with what I like to refer to as my polka dot theory. When a new CISO comes into an organization, they are typically faced with uncertainty: will they get the support they need, what does the team look like and does it have the right skills, and does the program adequately cover the risks? What you typically see is a bunch of pieces of security, some of the skills you need, and some of the support you need, but none of it is connected and none of it is necessarily working together: a bunch of dotted islands working on security, but not in harmony or in cooperation with each other. Polka dots.

To bridge the gap between the dots, you need to understand each of them better, and you do this with an assessment. Before you do that, though, you need to establish your high-level guidance. For example, do you use ISO 27001, which is more governance-based, or NIST, which is more risk-based, to establish your core framework? Then comes choosing the right kind of assessment. Historically that meant a one-off analysis of your program that would spit out what is wrong and give you some high-level direction on how to address it. Newer programs can help you assess and give you that same guidance but also
Establishing your base is the first step to proving you are doing an excellent job as a CISO. This means understanding your security program, company goals, and roadblocks to achieving security.
• Assess your security program: What is working well? What needs improvement?
• Understand your company's goals: What are the company's top priorities? How can security help the company achieve its goals?
• Identify your roadblocks: What are the biggest challenges you face in achieving your security goals?
Once you have established your base, you can build on your risk story. This is about communicating the value of your security program to the business.
• Make a business case for your security program: Create a visual representation of your security maturity roadmap with all the proposed projects' priorities ranked on a timeline.
• Build relationships with key stakeholders: Get to know the people who decide about security funding and resources.
• Be prepared to negotiate: You may not get everything you want, but you should be able to get enough to make a difference.
The final step is to seal the deal. This is about getting the support you need and showing your progress.
• Reassess the risks: Periodically assess what has improved or which threats have changed since the last report.
• Highlight the benefits of your program: Show your progress and how each part of it has reduced the risk to the company.
• Communicate your risks and mitigation strategies to the board: Keep the board informed of the company's cybersecurity risks and which controls mitigate them.
ADDITIONAL TIPS
• Be proactive: Don't wait for a security breach before taking action.
• Be transparent: Communicate your risks and mitigation strategies openly and honestly.
• Be a team player: Work with other departments to achieve your security goals.
INSIGHTS
• The cost of a data breach is on the rise: The average data breach cost in 2023 was $4.35 million, up 12% from 2022.
• Cybersecurity is a top priority for businesses: 68% of companies say that cybersecurity is a top priority for their organization.
• CISOs are playing an increasingly important role in the business: CISOs are now being brought into discussions at the C-level and asked to provide strategic advice on cybersecurity.