In its IT Security MaturityScape Benchmark for Asia Pacific report, IDC classified companies in AP (excluding Japan) into five stages of security maturity. Of those stages, the ultimate goal is ‘optimised,’ a category achieved by a mere 0.7% of the survey population.
We’ve looked at moving from surviving to thriving, which covers graduating from the lowest maturity levels. We’ve also examined the organisational status of the security function, a potential indicator of companies making their way up the maturity scale.
Now it’s time to examine what it takes to achieve excellence. What does optimised actually mean?
IDC calls the optimised CISO a predictive professional. As you might expect after reading this series, risk management plays a large part in achieving this. An optimised strategy uses risk calculations, such as understanding your attack surface and the threat landscape, to determine where your organisation’s risk lies, in order to predict and produce the most efficient and effective ways to manage security. This adds resilience that helps the organisation avoid, respond to and recover from breaches. It is worth noting that those who have reached the stage IDC calls ‘managed’ – one stage before optimised – also employ risk management. So what exactly is the difference between the two stages, and what should you be doing to climb to the top of the maturity scale?
Cybersecurity is a Business Issue
The difference lies in how security is positioned within the overall business context. To achieve optimisation, organisations must acknowledge and plan for the fact that cybersecurity is a business issue and not an IT issue. This requires a cultural shift that will not happen overnight, but there are steps leaders can make that will move an organisation towards optimised security.
Getting there requires that cybersecurity become part of the organisation’s everyday conversations.
- Develop communication workflows
- Give leadership relevant cybersecurity KPIs that empower them to ensure that data is being handled properly
- Involve cybersecurity in business operations by ensuring security leaders have visibility of what is going on in the organisation; this ensures they can cover risks that could open up as a result of the organisation’s roadmap.
Embracing cybersecurity as a positive business differentiator puts organisations in the frame of mind to make smart risk decisions.
- Build your long-term strategy with security in mind instead of thinking of it as a reactive-only programme
- Demonstrate to your clients and prospects that you view security as a priority
- Reward positive security behaviour rather than punishing bad habits
Cybersecurity touches every aspect of your business. Commit to securing broad organisational buy-in to become more resilient in a hyper-connected world.
- Engage in ongoing, recurring communication about security
- Develop security champions in different departments
- Provide education so team members understand how security impacts them as individuals
Once you’ve made progress in these areas, it will be easier to understand the importance of truly broadening the roles and remits of the security function.
The Evolving Role of Today’s CISO
The CISO must be much more than a conduit between business and IT. While there are security fundamentals that cannot be ignored, security cannot remain in its own silo. Having the ability to approach the role from a business risk management perspective and to speak the language of business strategy is core to what the optimised CISO does.
The emphasis must expand out from purely operational concerns toward broader issues such as privacy, data management, governance and compliance. The CISO must ensure that all strategic initiatives include appropriate security measures, from third-party due diligence to international expansion to cloud migration. That could mean working with internal audit, compliance, legal and crisis management teams and risk councils to implement and monitor risk controls at the business level.
Buy-In from the Board
This isn’t something that the CISO can do alone. Making this change requires buy-in from the CEO and board in embedding security into the organisation’s overall business strategy. While comprehensive risk management should provide the rationale and context for this, executive management must back that up by ensuring that the security leader has the power to weigh in on any strategic undertaking that exposes the organisation to a substantial level of cybersecurity risk. Only then will you truly be on the way to creating an organisation-wide culture of cybersecurity.
In other words, cultural shifts of this magnitude often come down to the CEO and the board. Empower security as a business enabler, and it will pay off by reducing risk that is sometimes ignored. This includes development of systems that are built with security in mind up front; closing the loop on end users and how they deal with sensitive data; and making cybersecurity a part of an organisation’s cultural spine. The reduction of risk to operational costs, impact on brand damage and the possible decrease in sales become easily demonstrable. Constrain it to a purely technical function and your chances of reaching security maturity optimisation slip away. But this goes beyond placement on a scale. Security threats are evolving, and having an optimised programme in place can help enable your business, but it is also paramount to reducing the risks associated with devastating attacks.