CISO: adopt a common business language to report on cybersecurity

0

Join the Leaders July 26-28 for Transform’s AI & Edge Week. Hear high-level leaders discuss topics around AL/ML technology, conversational AI, IVA, NLP, Edge, and more. Book your free pass now!


The U.S. Securities and Exchange Commission (SEC) recently released proposed updated rules regarding cybersecurity risk management, program management, strategy, governance, and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. Accordingly, the SEC may amend previous guidance on disclosure obligations relating to cyber security risks and cyber incidents to include processes that require organizations to inform investors about the management a company’s risk management, strategy and governance in a timely manner for any significant cybersecurity incident.

To effectively manage communication with the C-suite and the board, security managers must communicate and report on cybersecurity efforts in the language of the business.

Over the past two years, security breaches have increased as digital transformation has rapidly increased, extended and affected business models, customer experiences, products and operations. Now a top business risk category for many companies, cybersecurity is increasingly at the center of attention and conversation at the board and executive level.

And, as the role of the Chief Information Security Officer (CISO) has grown significantly, not only protecting technology, but all data, intellectual property and business processes, companies are recognizing the need for the CISO to have increased access to the C-level and the board of directors to help with business decisions.

The challenge, however, is that often security managers traditionally communicate in technical and operational terms that are difficult for business leaders to understand. To be effective, CISOs must adopt a comprehensive Security Program Management (SPM) strategy. This approach will support the ability to communicate and report on cybersecurity efforts consistently in business terms, using results-based language, and connect security program management to their company’s key priorities and objectives.

What is Cybersecurity Security Program Management (SPM)?

SPM reflects modern cybersecurity practices and support areas. This approach supports a common language that can be applied across industries and understood by technical and non-technical executives, while adapting and changing business outcomes, technology, and the threat landscape.

However, for SPM to be successful, the security industry must refocus compliance frameworks to SPM methodologies that are continually updated and maintained throughout the year. This approach will expand business knowledge on key elements and technologies of a modern cybersecurity program, such as application security, cloud security, account takeover, and fraud.

SPM has proven effective in guiding security managers to continuously measure, optimize and communicate the needs and results of their programs. In fact, SPM consistency has proven to provide continuity for security programs – even when people may change roles – and for reporting, ensuring metrics are accurate and reliable.

Despite the elevation of cybersecurity as a top priority and concern of the board, companies must address the “elephant in the room” – the failure of communication and common understanding among CISOs , safety programs and their boards’ understanding of SPM. According to research by Ponemon, organizations recognize that only a small percentage of their security teams are effective when communicating security program policies and risks to the board.

CISO: Cybersecurity support starts at the top

It can be described in two parts. First, the board needs to understand the biggest risks to revenue – cyberattacks don’t come cheap. Cyberattacks can pose a costly threat to businesses. Yet few companies can communicate the effectiveness of their security program to executives and the board in business terms that can be quickly understood.

Second, communication must be consistent across the organization. We need to adopt business language and terms from business unit to business unit. For example, when comparing two business units, one may generate revenue, but the other may not because the second business unit may play a supporting role for the business. The security program may be optimal in the first business unit but not in the second.

Why not? When speaking with executives and the board, the security manager must speak at a level that their stakeholders understand in order to be aware of what a comprehensive security program will reveal. Providing relevant and understandable information about SPM and its progress both up and down the ladder – to peers, teams, the C-suite and the board is essential.

Compliance and cybersecurity: they are not equal

There is no quick fix to fix all security issues. Over the years, organizations have implemented various strategies to stay compliant. Although compliance is not as comprehensive as a security program: it may focus only on certain people, processes, technologies and assets that are affected by a particular compliance effort.

Others have implemented SPM to increase transparency and help C-level and board members better understand and assess the maturity and completeness of a company’s cybersecurity program, and therefore relative levels of security. exposure to the risks faced by companies.

Ultimately, CISOs are hired to protect company data, applications, infrastructure, and intellectual property (IP). As businesses move forward in the 2000s, the focus is on data as the new currency – we need to embrace SPM in order to be successful in accounting for our cybersecurity efforts.

Make a difference for the company

Gartner predicts that by 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member. At the board, executive, and security team levels, this is one of many organizational changes that Gartner plans to expand due to the greater risk exposure resulting from the transformation. digital during the pandemic.

To lead effectively, the security manager must have decades of experience in security programs, have previously reported directly to a board of directors, become an independent board advisor or observer, and possess certifications. reputable security. With these qualifications covered, the CISO will have the business acumen and support to get the job done.

As a key advisor to the board of directors, a Chief Security Officer will help raise awareness of the financial, regulatory, and reputational consequences of cyberattacks, breaches, and data loss and be central to risk planning and Security. These discussions will ensure that risks are reviewed, funded or accepted as part of the organization’s business strategy.

Demetrios “Laz” Lazarikos is a 3x CISO, the president and co-founder of Blue Lava.

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including data technicians, can share data insights and innovations.

If you want to learn more about cutting-edge insights and up-to-date information, best practices, and the future of data and data technology, join us at DataDecisionMakers.

You might even consider writing your own article!

Learn more about DataDecisionMakers

Share.

Comments are closed.