Why are security and business goals at odds with each other?

Few jobs are more challenging than that of a CISO. Constantly on call and under intense pressure, they’re not only keeping critical systems running and sensitive data protected, but also working to uphold a rapidly evolving list of regulatory demands.

Yet CISOs and their teams do much more than act as the company ‘bodyguard’. They add significant business value that enables the organisation to grow and evolve safely; they also provide a route to delivering real competitive advantage without compromising security.

To do this successfully, though, CISOs must be empowered with the resources and budget they need to protect the business.

CISOs report difficulties in articulating their success with others in the organisation

But all too often CISOs feel detached from the wider business goals, and they report difficulties in articulating their success with others in the organisation. To rectify this, they need to have a “business-first” approach. This means communicating with non-IT professionals, such as the C-suite, in language that’s jargon-free and business orientated, and making security decisions based on how they will impact their firm.

IT security disconnected from wider business goals

A global cyber security study by Thycotic of more than 500 IT security decision makers, including 100 UK respondents, revealed that nearly half of respondents (44 percent) believed their organisation had difficulty connecting the dots between IT security initiatives and the wider business goals. This is unsurprising given that more than a third (35 percent) are unclear as to what these goals are.

The issue of poor visibility of goals is not a one-way street. Our research also shows that IT security teams can have difficulty demonstrating the value of their work to others in the organisation. Around four in ten (39 percent) respondents admitted that they are unable to measure the effect that previous security initiatives have had on their business.

However, the ability to demonstrate success in terms of value to the business is exactly what a board needs to see if it is going to make informed decisions on how much to invest in IT security. Nearly half of those surveyed (47 percent) said that the biggest influence on how the IT security budget is allocated is evidence of the success and ROI of previous security initiatives.

Communication can be a serious issue. IT security teams are often disconnected from the rest of the organisation. This is understandable: the pressures of keeping an organisation safe from cyber-criminals or malicious employees, keeping critical systems running and meeting regulatory demands mean that cyber security teams are often over-stretched. In our survey, more than a third of respondents (36 percent) said that they had little idea how other departments measured success, while around the same number (38 percent) said that business goals are not communicated to them.

This is bad news not only for IT security, but for the organisation as a whole.

Connecting security with the rest of the business

The change must come from within: by taking a “business-first” approach, CISOs can demonstrate their value to the wider organisation.

To achieve this, CISOs must tune in to the priorities of others in the business and find out what they consider to be measures of success. Then, using this knowledge, they can demonstrate how the technology they are implementing makes the organisation more secure and helps others meet their goals.

By taking a business-first approach, CISOs will be able to get board buy-in for further security initiatives

The CISO should be able to explain to the board, in the kind of business language it understands, what the security department is doing to protect the revenue of the company—in effect becoming the “Chief Revenue Protection Officer”. They should avoid using “vanity metrics” such as the number of vulnerabilities patched or threats blocked, as these can confuse non-technical colleagues. By taking this business-first approach, CISOs will be able to get board buy-in for further security improvements and initiatives.

To get broader support from colleagues, a company-wide IT security program should be implemented to foster awareness around what’s being done to tackle key security issues. This includes the appointment of “Cyber Ambassadors” who are able to turn technical jargon into plain English to help inform others of the security team’s goals, as well as building organisation-wide co-operation to forewarn of any suspicious activity, such as phishing attempts.

Ultimately, great cyber security is reliant on great communication. This is necessary not only to let colleagues know about potential risks, but also to ensure that security teams are empowered with the right resources to protect the business.