The People, Process and Technology triad gave the cybersecurity field a common language, but it now needs updating: the evolving digital landscape demands a more refined lens. This article proposes an updated framework that CISOs can use to assess their organization's environment in a way that yields useful insights for structuring a security program.
While security programs may vary in structure, they often share 3 core objectives:
- Secure the company’s products & its ability to deliver value
- Secure the enterprise’s environment and its critical assets
- Increase the security culture within the company
And while it is a given that security programs need to be "business aligned," it is not always clear what security leaders should look at to establish that alignment. This article helps CISOs align their security programs with their organization by assessing the three R.E.D. dimensions:
- Corporate Responsibility: How does the company operationalize its duty of care?
- Organizational Elasticity: What is the company’s ‘muscle’ to handle what it may face?
- Business Durability: How well does the business manage its financial stability? How does it keep its technology stack modern?
CISOs will then have the context to decide which projects are necessary, in what order, and which 'asks' to make. CISOs who understand these elements can prioritize initiatives more effectively and tailor their strategies to the company's specific needs and capabilities. This gives security leaders greater success and traction, lets them design programs that are integrated with the company's objectives, and lets them pace the speed of security maturity appropriately for their organization.
Corporate Responsibility (Stewardship)
Corporate Responsibility involves operationalizing the company’s duty of care. Key aspects include:
- Onboarding: Evaluate training and technology setup for new hires, reflecting on how the company welcomes and prepares them.
- Compliance: Consider the company's ability to navigate complex audits and maintain its regulatory obligations, with emphasis on a proactive approach to evolving regulatory requirements, including privacy, and to requirements driven by client needs.
- Change Management: Assess how robustly the company implements software, infrastructure and policy changes. Include roll-back capability and user communication, and whether changes are effective and minimally disruptive.
Understanding how the company discharges its duty of care shows the CISO which foundations already exist and which must be built, and so which projects to prioritize, in what order, and how quickly the company can absorb them at any given time.
Organizational Elasticity
This dimension measures the company’s ability to adapt and withstand challenges. It includes:
- Executive Experience: Diversity of leadership experience is crucial. It enables companies to navigate various business scenarios such as mergers, bankruptcies, global expansion, or market changes with an understanding of what to expect.
- Change Fatigue: An organization that has recently undergone significant change, whether technological or otherwise, may have a drained staff that is more resistant to further change. Alternatively the staff may be invigorated and prepared to take on new initiatives.
Understanding these elements informs the company's appetite for security and risk related programs. Assessing how past changes were perceived, and drawing lessons from those experiences, is essential for gauging the company's readiness for further change.
Business Durability
The organization’s ability to withstand and thrive in the market is crucial for determining the necessary investments to drive security in both the immediate and long term. Focus on:
- Financial Stability: Assess the trends in profitability and market expansion, reflecting the company’s growth trajectory or focus on maintaining the status quo.
- Employee Retention: Track employee retention by experience level as an indicator of the company's health and of its investment in its workforce.
- Technology Modernization & Lifecycle Management: Evaluate the current state of the technology stack and the company's maintenance practices, as well as its integrated data governance practices, including data privacy management.
Taken together, these signals indicate how much investment the business can sustain and over what horizon, which sets the scale and pace of security spending in both the immediate and the long term.
Conclusion
Being able to assess the R.E.D. dimensions will provide the CISO with necessary context to more quickly:
- Identify and close likely vulnerabilities
- Define a tactical roadmap
- Contemplate program structure
Maturing a company's security posture takes time, and it requires trust. The more quickly and precisely the CISO can understand and assess the company's environment, beyond people, process and technology, the more likely they are to design a program that aligns with the company, matches its risk profile and is tuned to the appropriate risks. Importantly, they will be better equipped to demonstrate an awareness that is 'business aligned.'