Success can be elusive in cyber security. Elusive, in that there is often a chasm between the cyber leader’s definition of success and the expectations of the Board and/or executives. That chasm is too often explained away as “the executives don’t understand cyber security,” or, worse yet, “a cyber team can’t be successful.”

So, for some organizations, finding success is like finding Bigfoot from the light of a UFO.
That said, the problem of finding cyber security success is largely ours to own as cyber security practitioners. A lack of understanding or mismatched expectations by executives are indicators – either something the execs care about isn’t being clearly addressed or the measures for progress aren’t meaningful.

How can you know what the executives care about? Look to their corporate strategy. Frame your program’s cyber security outcomes in a way that aligns with that organizational strategy.
Below are some examples of corporate strategy imperatives and some very simplified potential outcomes that might align with them.

Revenue? Align with outcomes demonstrating a reduction in disruptive security incidents.

Digital Transformation? Align with outcome mapping and gap analysis of legacy security governance and tools to new cloud and appsec environments.

Maturity? Align with outcomes demonstrating the amount and impact of capability building.

Building value through intellectual property? Align with outcomes related to data security objectives and controls around the intellectual property.

Preparing for IPO or acquisition? Align with certification outcomes or audit preparation.

Aggressive growth? Align with outcomes that demonstrate an ability to scale security quickly with a minimum of additional headcount or capital expense.

Each of these brings a different view and prioritization for messaging around the cyber security program.
Next you’ll need to gain agreement with the Board and/or executives on the measures that demonstrate achievement of those aligned outcomes. A high-level summary of that conversation would be, “here are the cyber security outcomes aligned to your strategy. We are currently measuring progress against those outcomes using [X]. Are those the right outcomes and measures, or do you have recommendations for better alignment?”
Once you have agreement, report regularly on cyber security outcomes and gaps using the agreed-upon measures. If a gap is forming an obstacle to a successful outcome, that gap can form the basis for a future resource request.

Now, with alignment and agreed-upon measures, you should be speaking the same language as executives in terms of success.

Bigfoot can be found. No UFO needed.
Like what you've read enough to follow me on Twitter? @Opinionatedsec1.