
Tenable Blog


5 Steps for Becoming a Business-Aligned Cybersecurity Leader

Independent business risk study shows when security and the business are aligned around agreed-upon contextual data, they deliver demonstrable results. Here's how to get there.

Folks, cybersecurity is broken. Security leaders are drowning in data. We can tell you how many vulnerabilities there are. We can tell you how many patches we've deployed. We can recite chapter and verse on the latest threats. Yet, with all this information at our disposal, most of us struggle to answer the question “How secure, or at risk, are we?" with a high degree of confidence.

Why? Because we're missing one key piece of information: business context.

The typical equation we use to calculate an organization's level of security or risk is a function of assets, security controls, threats and vulnerabilities. Without business context — understanding which assets are most critical to the core value proposition of your business and which security controls are in effect for each of those assets — the results of any security risk calculations are incomplete, at best.

But security leaders can't arrive at an understanding of business context by working in a silo. It requires a level of strategic alignment between business and cybersecurity leaders that is lacking in most organizations. Indeed, a commissioned study conducted by Forrester Consulting on behalf of Tenable shows significant disconnect between business and security. According to the study, which is based on a survey of 416 security and 425 business executives, just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. Less than half of security leaders surveyed say they consult business leaders with a high level of frequency when developing their cybersecurity strategy. Even worse, four out of 10 business executives rarely — if ever — consult with security leaders when developing their organizations' business strategies.

"The biggest challenge may be to make business owners get interested and understand that they should be the ones owning cybersecurity risks," said Jose Maria Labernia Salvador, head of IT security and internal control at LafargeHolcim IT EMEA in Madrid, in an interview with Tenable. "Cybersecurity is a business-related topic with a strong IT component. IT can support and guide, but business stakeholders and senior management are a core component in the equation."

The Forrester study shows that when business and security are aligned, they deliver demonstrable results. For example, business-aligned security leaders are:

  • Prepared to report on security and risk. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
  • Ready to show ROI on their security initiatives. The vast majority of business-aligned security leaders (85%) have metrics to track cybersecurity ROI and impact on business performance compared with just 25% of their more reactive and siloed peers.
  • Equipped with a defined benchmarking process. Nearly nine out of 10 business-aligned security leaders (86%) have a process that clearly articulates expectations and demonstrates continuous process improvement relative to peer companies and/or internal groups. Only 32% of their non-aligned peers can say the same.

That's not to say responsibility for achieving alignment falls squarely on the shoulders of the security leader. Some organizations are culturally inclined to create silos. No matter how much effort you put into it, if you work for one of these organizations you may always struggle to align with your business counterparts.

If you're not sure where your organization falls on the alignment continuum, there's one quick way to tell: If you have an executive with the title of Business Information Security Officer then your organization falls on the more mature end of the alignment scale. According to the Forrester study, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts.

How to become a business-aligned cybersecurity leader

If you're lucky enough to work for an organization where the business-cyber alignment is already relatively mature, then your path to becoming a business-aligned security leader will be fairly clear, even if it does require considerable effort to navigate. But if you happen to work for an organization on the lower end of the alignment-maturity scale, your journey will be far more challenging. Since there's no one-size-fits-all approach, I've tailored the following guidelines with three options, based on level of alignment maturity, in hopes that one of these options will present a starting place that works for you.

Five steps to improve alignment with your business stakeholders at each level of organizational maturity

Each step below is given for three levels of alignment maturity: least aligned, moderately aligned and highly aligned.

Step 1: Make sure you understand your organization's business objectives for the year.
  • Least aligned: You'll most likely need to do your own research, looking to public-facing documents, such as earnings forecasts and financial statements, to develop a reasonably clear picture of organizational priorities.
  • Moderately aligned: This step may require plugging into VP-level leadership calls, tuning into your organization's all-hands meetings and looking for other ways to assimilate with your business colleagues.
  • Highly aligned: You already have — or will need to work on obtaining — a seat at weekly meetings held by your executive staff and you are regularly asked to present to the board. These activities give you exposure to key business objectives.

Step 2: Consider how those business objectives shape technology decisions.
  • Least aligned: You may have to rely on connections with colleagues across the enterprise to help you develop a picture of your most critical systems and assets. In particular, pay attention to outages and incidents to sniff out areas that have perceived importance.
  • Moderately aligned: You may need to do some legwork by setting up calls with VPs or other line-of-business leaders to get up to speed on which systems matter most.
  • Highly aligned: You can conduct a business impact assessment by surveying your key business executives to gain a clear understanding of which systems are most critical to the day-to-day running of your organization.

Step 3: Work with business stakeholders to ensure your cybersecurity metrics incorporate business context.
  • Least aligned: You may have to resort to external sources, such as industry events, case studies or networking groups, to develop a bird's eye view of common business needs and key security metrics and make an educated guess about which ones work for your organization.
  • Moderately aligned: You may not have access to senior executives who can help you define the business context. You'll need to build connections with directors or line-of-business leaders and consult with industry peers to help you develop an understanding of which metrics make the most sense to your organization.
  • Highly aligned: This step is as much about knowing the right questions to ask as it is about identifying a small number of metrics that are most meaningful for your enterprise.

Step 4: Prioritize your cybersecurity processes based on the learnings you've gained from the above steps.
  • Least aligned: Begin by assessing the gaps in your process — such as a lack of asset criticality data — and develop a roadmap for how you'll fill each gap over time.
  • Moderately aligned: You can start to integrate asset criticality data with threat and vulnerability data to move toward a more risk-based approach.
  • Highly aligned: Make use of automation and apply business risk management objectives to threat and vulnerability prioritization practices using a predictive approach.

Step 5: Communicate using benchmarks that make sense to your business stakeholders.
  • Least aligned: Consider working with outside advisors to help you develop your business-savvy language skills. In the process, you will likely uplevel your business leaders' regard for assessing not only risk, but the business itself.
  • Moderately aligned: You may need to rely on your powers of observation; be mindful of the language your business colleagues use and tailor your communications accordingly.
  • Highly aligned: Even in a highly aligned organization, the subjectivity of existing frameworks and the lack of industry consensus about key risk indicators can make this step a challenge. Still, if you've already got a high degree of organizational alignment, your C-level peers will likely welcome a candid conversation about what they need to know — and what you can omit — in your reports.

Source: Tenable, September 2020

Regardless of where your organization falls on the alignment-maturity continuum, you'll do well to follow the advice of Kevin Kerr, CISO of Oak Ridge National Laboratory in Oak Ridge, TN. In an interview with Tenable, Kerr advised: "The CISO needs to get out from behind their desk and walk around. Talk to people. Learn people's concerns and objectives at the various levels — bottom to top. Understand what's going on. Don't listen only to your IT people, because they're jaded from their IT point of view. Go see what's going on from the business point of view and listen." Of course, in the current COVID-19 pandemic you may have to perform such a walkabout virtually. But whether it's done face-to-face or via Zoom, the effort will benefit your organization and your career. "It gets your name around," said Kerr. "If people know you're there to help them figure out the best way to do what they want while still protecting the organization, they'll welcome your participation. I never want to be the 'no' in 'innovate.'"

Becoming a business-aligned cybersecurity leader is a marathon, not a sprint. It requires learning how to speak the languages of business and technology with equal fluency. But, as the Forrester study notes, "modern security threats require a new approach." The future belongs to the security leaders who are ready to manage cybersecurity as a business risk.

Read the blog series: How to Become a Business-Aligned Cybersecurity Leader

Blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question "how secure, or at risk, are we?". We also examined what COVID-19 response strategies reveal about the business-cyber disconnect, discussed why existing cybersecurity metrics fall short when communicating cyber risk, explored five steps for achieving alignment with the business and provided a view into a day in the life of a business-aligned cybersecurity leader.
