In today’s world, it’s impossible to decouple running a well-oiled business operation from mitigating cybersecurity risks. Yet, all too often in security, practitioners find that straddling business needs and attending to the technicalities of security is a mammoth challenge. Security is obviously a technical field, but its priorities and objectives must closely mirror that of the business’s goals to be valuable. It’s no longer acceptable to practice cybersecurity for security’s sake, but finding alignment with organizational peers can be difficult.
To help security leaders find new ways to better align with business colleagues, Infosec Insider turned to two experts—Devon Bryan, CISO of the Federal Reserve; and Chuck Kesler, CISO at Duke Health—to find out how they’re constantly maneuvering between technical requirements and fueling business priorities.
Determining the business’s goals
“As taught in Security 101,” says Kesler, “it starts at the executive layer. You have to engage the board, the CEO, and others at the C-level.” Security is one facet of the business, but it isn’t the determining factor for how the business will run. Because of this reality, Kesler worked with his colleague in Duke Health’s Compliance and Privacy office to establish a governance committee that incorporates operational leaders from across the organization. This committee provides a platform for executive-level discussions of risks and business needs, which in turn allows for a balanced approach to prioritizing security initiatives and making policy decisions.
In the context of healthcare, where lives can literally be on the line if the mistakes are big enough, Kesler thinks of his CISO role as one of an advisor and educator that helps his leadership make informed decisions around risk trade-offs. Kesler says he’s always trying to look at security from the perspective of a doctor or patient and view the benefits, obstacles, and impacts of a cybersecurity decision from their perspective. He can only do this, though, if he’s taken the time to have a two-way conversation with stakeholders. For example, he points out that “a poorly implemented security measure could have a significant impact on clinical workflows, and likewise, the failure to address a security risk could impact the operation of clinical systems that are critical for delivering care. These are complex decisions, and we have to take the time to understand the impacts on both sides to get it right.”
Though his role and responsibilities as head of cybersecurity for the core IT infrastructure of the U.S. central banking system. are very different from Kesler’s, Bryan agrees that security teams must realize that “It takes the proper balance of threat-driven, risk-based trade-offs to make sure that cybersecurity programs, policies, and strategies enable business to go further, faster.” He says that CISOs and other heads of security programs must be constantly mindful that “the go-to-market strategies of modern business is now also IT-centric and is synonymous with staggering volumes of very sensitive information constantly processed in real time across intricately connected, and increasingly global, high-speed data networks.” To this end, Bryan, like Kesler, consistently speaks with business colleagues to learn about customer needs and what, from the business’s perspective, will “enhance business strategies.”
Ensuring Alignment with business goals
To accomplish alignment, Bryan insists that it is imperative for CISOs to “prioritize partnerships with business units as principal component” of the security strategy. “True partnership goes beyond making sure we are working closely with the business and the IT teams on internal initiatives. CISOs need to partner to ensure customer needs and expectations are met and go-to-market strategies are supported.” He says that, at a practical level, this means CISOs and their security teams must have a firm grasp on market trends, major disruptors (e.g., cloud, mobile, IoT, social, data analytics), and business plans. If, for instance, the business decides to develop a mobile app or roll out a new social platform for customers, the security team must be aware of these plans. Security can only achieve this, though, if they have done the hard work of developing personal relationships outside of the security team.
Kesler agrees and says that security teams must remember that, even when it comes to security decisions, “it’s not just the security team in the ivory tower saying, ‘you’ve got to do this.’ You have to spend time on the ‘people’ part of the people, process, and technology equation to get the buy-in for an initiative to be successfully implemented.” For Kesler, this means leaning on his governance committee and incorporating their feedback and concerns. In addition, Duke Health uses a process they call “rounding,” where leaders from various lines of business participate in others’ team meetings so they understand and have visibility into each other’s initiatives. “Building relationships is important,” he says, “and our rounding program provides me and my team the opportunity to have a dialog with many people throughout the organization that we otherwise might not talk to.”
Communicating and tracking goals
Regardless of how well the CISO understands the business’s goals, it’s all for naught if that information does not trickle down to the people on the security team. For security programs and projects to be effective, the people with hands-on-keyboards need to know the goals they’re working towards. Conversely, executives/board members need to learn the risks and opportunities associated with the security team’s actions (or inactions, in some cases).
To ensure alignment with the business, Kesler works with others throughout the organization to ensure that the security program’s goals are tied back to overall IT and business-level goals. Through this cascading series of business, IT, and security goals, it becomes easier to explain how a security initiative can help the business achieve its goals. Kesler gave the following example: “One business goal might be to increase patient engagement. The associated IT goal to support that is to provide patients with online access to services. Providing that patient portal requires security to effectively identify and manage vulnerabilities associated with it. Therefore, we need to be able to explain why a vulnerability management initiative is critical to achieving that patient engagement business goal.”
Bryan takes a slightly different approach. He says, “The most straightforward and tactical approach to force alignment is by ensuring that annual performance ratings and bonus targets include specific measurable objectives for business value enablement. The more effective and longer lasting approach is to drive a cultural change to ensure the organization’s cybersecurity practitioners have clear line of sight to the business missions of their organizations, and how their threat-driven and risk-based initiatives, directly and indirectly, ensure mission success.”
Kesler agrees it's important to share goals with the business. Alongside leadership and IT C-level colleagues, he establishes two or three shared annual performance goals related to critical security initiatives every year. “By having these performance goals documented," he says, "it keeps security on everyone's radar, and naturally creates opportunities to check in on progress then adjust priorities and resources based on lessons learned.”
Avoiding common pitfalls
There is no doubt that meshing security strategies and operations with business objectives and priorities is a test of fortitude. The reality is that sometimes practicing good security does slow people and processes down. However, avoiding a massive security incident through strong security is a business enabler. This is precisely where many security teams get hung up: in the crosshairs of security vs. agility.
Bryan says CISOs must move away from an approach to security that is tactical and based on compliance mandates. After all, every big-name company that’s been majorly breached his been compliant. Instead, Bryan urges security leaders to remember that, “The role of the CISO has dramatically changed from what it was years ago. CISOs must evolve into business leaders and spend more time with the organization’s major line of business leaders including legal, technology, HR, and finance, and also potentially with customers as well.”
Kesler concurs, saying, “Relationships and a focus on customer service are so important. It is critical for CISOs and their teams to build a level trust with stakeholders and customers that allows for transparency and collaboration. Failure to do so will likely lead to others trying to bypass the security office.” Working together to find an acceptable compromise, though, is not simple, he iterates. It takes dedicated time and effort, and the CISO must remember that their role is to advise and educate so the CEO or board can determine acceptable levels of risk.
Interested in learning more about leadership from Chuck and Devon? Both experts will be presenting at InfoSec World 2018 in Orlando, Florida. Here's a look at the full agenda.