- Aligning organizational business objectives with security has always been challenging
- New initiatives are often kicked off without security being a consideration
- An analyst firm finds tangible business benefits when security and business objectives are aligned
It's one of the longest-standing challenges in information security: making sure that technical and data risks are aligned with the actual risk appetite of an organization's business leaders. This is, without a doubt, a problem of priorities and communication.
Too often, business leaders and executives don't make security a priority outside the legal demands of regulatory compliance. The result is that applications and new digital services get built, and security isn't considered until after deployment, when it can be too late or too costly to remedy the software flaws or dependencies that create risk.
According to a study conducted by Forrester and commissioned by security firm Tenable, there is a sizable chasm between business and security leadership regarding the management of cybersecurity risks. According to The Rise Of The Business-Aligned Security Executive, "fewer than 50% of security leaders surveyed place cybersecurity threats within the context of specific business risks. Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Fewer than half of security leaders (43%) report they regularly review the security organization's performance metrics with business stakeholders," the report said.
To make matters worse, the study found that cybersecurity is seldom fully integrated into business strategy. Only 47% of security leaders consult business executives with a high level of frequency when developing their cybersecurity strategy, and 42% of business executives rarely, if ever, consult with security leaders when developing their organizations' business strategies, the survey found.
Of course, such a lack of cohesion leads to a lack of transparency and reduces organizations' ability to quantify their risks. The survey found that only 44% of security leaders apply business risk management objectives to vulnerability prioritization. "Just over half of security leaders report that their security organization has a holistic understanding and assessment of the organization's entire attack surface, and fewer than 50% of security organizations are using threat metrics that incorporate business risk context to measure their organizations' cyber risk," the report found.
The report wasn't all bad news. According to Forrester, when security and business objectives are aligned contextually, tangible results can be achieved. "The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk," Forrester concluded.
According to the report, security leaders who are aligned with business leaders are more likely to keep their cybersecurity efforts in step with business objectives. "Business-aligned security leaders ensure their strategies are in lockstep with business priorities. They collaborate with business leaders to develop strategies and metrics to support organizational goals and inform, set, and make decisions related to business strategies. To that end, eight out of 10 business-aligned security leaders say they have a business information security officer (BISO) or a similar executive to ensure each line of business works to minimize risk, maximize protection, and increase the value of the organization's business information assets," the report said.
What makes business-aligned security leaders successful is their ability to communicate the value of the security program. "In this unprecedented climate of economic uncertainty, security leaders must also be ready to demonstrate the impact of cybersecurity investments. Strategies and practices built around understanding business risk give business-aligned leaders confidence in their ability to demonstrate the impact of cybersecurity investments. Most business-aligned security leaders are very or completely confident in their ability to demonstrate that their cybersecurity investments are positively impacting their business performance compared with just over half of their more reactive and siloed counterparts. This confidence is, in part, rooted in their use of metrics to track cybersecurity ROI and impact on business performance," the report said.
The report found that 85% of business-aligned security leaders have metrics to track cybersecurity ROI and its impact on business performance, versus just 25% of their more reactive and siloed peers.
There's more on what Forrester means by the business-aligned security leader in the report, which is available here.