Alignment Between Business and Information Security Improves with Maturity: What’s the Impact and Which “Side” Needs to “Mature?” (Part 1)
Demetrios Lazarikos (Laz)
March 18, 2022
We all have our own perspectives, assumptions and expectations for what it takes and what it means to be a “great” CISO. We know there will be different points of view presented in research, articles, and other resources accessible to board members, executive staff, and security leaders. But we wonder if these different points of view would ever align with one another. More specifically:
- If business leaders and security leaders do align, how and where is that finally happening?
- If there is still a misalignment, why and where does there remain a disconnect?
- And, in both cases, what is the outcome of this reality to both parties, and to the business?
Since the information security industry has signaled for a while now that security leadership can no longer be at the helm of the department that seems to continually say, “No!” and that CISOs must align their strategies and plans with the business, we expect we would see some alignment. Especially in how trade publications, the analyst/research community, and even the updated risk and security management frameworks talk about security in the context of the business…and vice versa.
Wondering isn’t good enough; we wanted to know. So, the team at Blue Lava compiled some data gathered through research, collecting and reviewing a fairly extensive list of research reports and frameworks (including Blue Lava’s own CISO program framework) to glean some insights along two dimensions:
- What expectations do the folks on the business side of an organization have of their CISOs?
- What are the CISO priorities as they think about managing their own teams and programs?
While the results may not be shocking, they certainly ended up being enlightening. And they probably raise as many questions as they answer.
How We Got Here: The Methodology
Before we get into the findings, we want to share how we collected the data. It came from 10 well-respected research and analyst firms coupled with Blue Lava community-driven data. *see cited sources at the bottom.
Once we had the various frameworks and research articles organized, we categorized both dimensions and then aligned those categories to see where there were citations of either business expectations or CISO priorities in aligned categories. Overall, there were 88 citations captured across 14 InfoSec categories and 15 business community categories.
In the data, we basically have what the business community is expecting, and we can compare that to what the information security people are focused on. Once we had the data organized, we simply analyzed the number of those citations per category and produced the graphic below, which indicates (as measured by relative comparisons of numbers of citations) the potential correspondences and discrepancies between expectations and priorities on both sides:
We believe this research, while admittedly somewhat impressionistic vs. a scientific deep-dive into the literature, suggests that the language, terms, and levels of conversations held between CISOs and the rest of the business leadership teams indicates gaps between what the business expects and what CISOs are delivering. It also suggests that the CISOs are investing in activities that don’t directly align to the business objectives, and therefore may not warrant continued investments and budget. Additionally, the research implies that both sides would do well in learning each other’s vernacular and concepts, e.g., how business associates define risk can be quite different from how CISOs define risk, and thus can lead to misunderstandings.
If these hypotheses hold true, is this a matter of the language and vocabulary between business leadership and security leadership being different? Or are there real expectations, regardless of language, that are missed by one or the other, or both sides? Examining the content may help us understand this a bit better.
In this series, we will discuss the results by breaking the chart and data down into three primary sections:
On the left: General Management and Leadership
In the middle: Information Security, Technology, and Program Management
On the right: Risk and Total Cost of Ownership
Analyzing the Middle Ground: Finding Calm in the Center
This week we will start in the middle category, Information Security, Technology, and Program Management, where we can identify what appears to get alignment in vocabulary and taxonomy. This alignment suggests that the business community and InfoSec leadership have a fairly common implied concern, and therefore a similar set of priorities, when it comes to managing the technology and security programs in support of the business.
The area that’s top-of-mind for the business community is GRC, with 32 of the 35 citations. The InfoSec leadership team also found GRC to be a key priority, with 16 of its 37 citations in this section.
The only other area cited by the business community in this section revolved around Apps, capturing the remaining 3 out of the 35 total citations in this section. InfoSec leadership also found Apps to be a priority, pulling in 11 more citations from its 37 total citations in this section.
This leaves a couple areas where the InfoSec leadership team prioritized against what the business community expected: endpoint security (8 citations) and network security (2 citations).
Perhaps, when the security team thinks about program management, they think about more tactical initiatives like budgeting, project management, staffing, and tech implementations.
Overall, presumably, this alignment can be seen as good news, and there is little for both sides to grapple over in terms of planning, budgeting and execution. It appears they can set and meet most of the expectations here by using a clear set of taxonomy.
In the upcoming second part of this three-part series, we will examine the findings in the right category – Risk and Total Cost of Ownership. Be sure to follow us on LinkedIn to be notified of new content we publish.
- “ESG Presentation – ‘Cyber in the C-suite and Boardroom'”
- Blue Lava framework categories
- “Predicts 2021: Cybersecurity Program Management and IT Risk Management” – Gartner
- “Are CISOs Meeting Market Demand? A Benchmarking Report on What Organizations Look for in a CISO and How Candidates Compare” – Gartner
- “CISO Effectiveness: A Report on the Behaviors and Mindsets That Impact CISO Effectiveness” – Gartner
- “Principles for Board Governance of Cyber Risk” – INSIGHT REPORT, MARCH 2021
- “Boards and cybersecurity” – McKinsey & Company
- “Cybersecurity: Emerging challenges and solutions for the boards of financial-services companies” – McKinsey & Company
- “COVID-19 crisis shifts cybersecurity priorities and budgets” – McKinsey & Company
- Rethink your cyber budget to get more out of it – PWC