Friday, December 6, 2019

Success: The Bigfoot of Cyber Security


Success can be elusive in cyber security. Elusive, in that there is often a chasm between the cyber leader’s definition of success and the expectations of the Board and/or executives. That chasm is too often explained away as “the executives don’t understand cyber security,” or, worse yet, “a cyber team can’t be successful.”



So, for some organizations, finding success is like finding Bigfoot from the light of a UFO. 



That said, the problem of finding cyber security success is largely ours to own as cyber security practitioners. A lack of understanding or mismatched expectations by executives are indicators – either something the execs care about isn’t being clearly addressed or the measures for progress aren’t meaningful. 


How can you know what the executives care about?  Look to their corporate strategy.  Frame your program’s cyber security outcomes in a way that aligns with that organizational strategy. 


Below are some examples of corporate strategy imperatives and some very simplified potential outcomes that might align with them. 


Revenue? Align with outcomes demonstrating a reduction in disruptive security incidents.

Digital Transformation? Align with outcome mapping and gap analysis of legacy security governance and tools to new cloud and appsec environments.

Maturity? Align with outcomes demonstrating the amount and impact of capability building.

Building value through intellectual property? Align with outcomes related to data security objectives and controls around the intellectual property.

Preparing for IPO or acquisition? Align with certification outcomes or audit preparation.

Aggressive growth?  Align with outcomes that demonstrate an ability to scale security quickly with a minimum of additional headcount or capital expense. 


Each of these brings a different view and prioritization for messaging around the cyber security program. 


Next you’ll need to gain agreement with the Board and/or executives on the measures that demonstrate achievement of those aligned outcomes. A high level summary of that conversation would be, “here are the cyber security outcomes aligned to your strategy. We are currently measuring progress against those outcomes using [X]. Are those the right outcomes and measures or do you have recommendations for better alignment?”


Once you have agreement, report regularly on cyber security outcomes and gaps using the agreed-upon measures. If a gap is forming an obstacle to a successful outcome, this can form the basis for a future resource request.


Now, with alignment and agreed upon measures, you should be speaking the same language as executives in terms of success. 


Bigfoot can be found. No UFO needed. 


Like what you've read enough to follow me on Twitter? @Opinionatedsec1.

