The recently released F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” unearthed some disconcerting results about CISO effectiveness. In particular, the following survey question spoke to this point specifically:
Are security operations aligned with business objectives?
- Fully – 26%
- Partially – 34%
- Not – 40%
Surprisingly, only a quarter of respondents fully agreed. If security isn’t aligned with the business objectives of the organization, then does the security program exist in and of itself? If that’s the case, how much traction do you think a security program will get? Security must always exist in a context to something else, and that context is the organization’s business objectives.
Maybe one reason so many security programs aren’t aligned with the business is that, according to the same survey, only 16% of CISOs have a business background. If you’re not in that group and are struggling to align your security program with the business, here are some things you can do.
Understand the Business
To build a security program that matches business objectives, you first have to understand the business. How do you do this? By asking questions and doing your homework—not just about your organization but about your industry sector, as well.
You should clearly understand your organization’s d’être (reason for existing). What is unique about your organization? Who are your customers? (Note that even non-profit government agencies have “customers”—that includes anyone your organization serves as part of its mission.) Who does the organization serve? Who are the biggest customers and what do they want? What do they expect? Who are the key partners? What do they expect? How does your business compare in all of these aspects to others in your industry sector?
The next important step is to understand how revenue flows into your organization. Is it constant, cyclical, or tied to sales? How does it lose revenue? Are there cash reserves for rainy days?
From there, determine what assets you need to protect. What does the organization want to keep secret? What parts of the organization must never be tampered with? (Hint: this should always include the financial system.) What functions must always keep running? Is it critical that the website is always up? What do employees need to do their job? What information do they need; what systems? What happens if they don’t get those things? Also, what regulations must the organization abide by? What critical contracts must be fulfilled?
Next, be sure you understand the biggest challenges the organization faces. Is it growth? Survival? New markets? Changing regulations? Competition? Shrinking customer base? Shrinking budget from legislature?
What are the major organizational processes? How does the organization circulate information internally?
What physical locations does the organization use? Not just the offices and factories, but warehouses, offsite storage facilities, parking lots, and rented temporary offices.
What technology is in use now? Before? Planned for later? What problem is each of them intended to solve? Are they working effectively? Do they need to be upgraded or replaced?
Leverage the Business Understanding
Now that you’ve done your homework, you can use this information to get buy-in on risk reduction programs. Remember that when a security incident occurs, it can have many different kinds of impacts: loss of customer confidence, reduction in sales advantage, regulator fines, operational overhead, and loss of competitive advantage due to breached trade secrets. Find the hot buttons and push them. Gene Kim, co-founder of Tripwire, wrote a great example of how he would have framed an IT failure as a business risk:
“From what we can tell, we experienced a complex and cascading failure in the critical technology systems that run these incredibly important business processes. The accident last week was not due to a power failure, or an IT failure—this was a business failure. After all, we were unable to perform some of our most critical business operations for nearly three days.”1
Breaking Down Barriers
Back to aligning security to business objectives, the Ponemon survey also touched on how much silo and turf issues can impede a security program’s effectiveness.
Do turf and silo issues diminish security strategy?
- Yes, significant influence – 36%
- Yes, some influence – 39%
- Yes, minimal influence – 15%
- No influence – 10%
To help break through the silos, you need to work with each group towards the common company goal of protecting the business of the business. This means you will need to explain your message in terms of each department’s critical processes and requirements. By tying back to the common goal of furthering the organization’s strategic goals, you can help get everyone moving in the same direction and build cooperation.
A key to building cooperation is to develop the skill of empathetic listening to engage your ears before you start hammering a message into people. You listen with the goal of understanding the other person’s point of view and acknowledging how they feel about the situation.
A recent Forbes article made precisely this point:2
Listen to the people’s complaints. Users work in different contexts than IT and security. They have work that needs to get done that has nothing to do with your security policy. Listen carefully to their problems and then, once they’ve had their say, you can connect their jobs to the security mission.
Leverage that Contextual Business Knowledge
To break down barriers and silos, you’ll need to align users’ daily practices with security. Hopefully your examination of organizational processes and goals provides the information you needed for this. It also is useful for framing your security messages in the language of the organization’s culture, not in terms of security culture. In fact, this leads to a key part of making this work: give people understandable reasons why a security process is in place.
Talk about the Threats and Impacts
Using that institutional knowledge you’ve gathered, explain why you’re implementing these particular security processes. Be specific and detailed about what you’re trying to prevent happening, and clarify how the process will control it. This will also help get people on your side when a process doesn’t work perfectly. For example, if you explain that customer social security numbers should always be encrypted, then users can let you know when they see them displayed in plain view. This way you can quickly zero in on security incidents and fix problems.
Another big motivator is explaining how security incidents directly affect the organization’s ability to function and meet its business objective. We’ve discussed this before: measuring risk in terms of the loss of operational efficiency and business capability. This is a powerful technique, especially if you’ve got a strong grasp on what the organization cares about.