The Alignment of Business and Information Security Improves with Maturity
Blog Post
The Alignment of Business and Information Security Improves with Maturity
Demetrios Lazarikos (Laz)
December 21, 2021
We all have our own perspectives, assumptions and expectations for what it takes and what it means to be a “great” CISO. We know there will be different points of view presented in research, articles, and other resources accessible to board members, executive staff, and security leaders. But we wonder if these different points of view would ever align with one another. More specifically:
- If business leaders and security leaders do align, how and where is that finally happening?
- If there is still a misalignment, why and where does there remain a disconnect?
- And, in both cases, what is the outcome of this reality to both parties, and to the business?
Since the information security industry has signaled for a while now that security leadership can no longer be at the helm of the department that seems to continually say, “No!” and that CISOs must align their strategies and plans with the business, we expect we would see some alignment. Especially in how trade publications, the analyst/research community, and even the updated risk and security management frameworks talk about security in the context of the business…and vice versa.
Information Security Maturity Model: What’s the Impact and Which “Side” Needs to “Mature?”
Wondering isn’t good enough; we wanted to create an information security maturity model. So, the team at Blue Lava compiled some data gathered through research, collecting and reviewing a fairly extensive list of research reports and frameworks (including Blue Lava’s own CISO program framework) to glean some insights along two dimensions:
- What expectations do the folks on the business side of an organization have of their CISOs?
- What are the CISO priorities as they think about managing their own teams and programs?
While the results may not be shocking, they certainly ended up being enlightening. And they probably raise as many questions as they answer.
How We Got Here: The Methodology
Before we get into the findings, we want to share how we collected the data. It came from 10 well-respected research and analyst firms coupled with Blue Lava community-driven data. *see cited sources at the bottom.
Once we had the various frameworks and research articles organized, we categorized both dimensions and then aligned those categories to see where there were citations of either business expectations or CISO priorities in aligned categories. Overall, there were 88 citations captured across 14 InfoSec categories and 15 business community categories.
In the data, we basically have what the business community is expecting, and we can compare that to what the information security people are focused on. Once we had the data organized, we simply analyzed the number of those citations per category and produced the graphic below, which indicates (as measured by relative comparisons of numbers of citations) the potential correspondences and discrepancies between expectations and priorities on both sides:
We believe this research, while admittedly somewhat impressionistic vs. a scientific deep-dive into the literature, suggests that the language, terms, and levels of conversations held between CISOs and the rest of the business leadership teams indicates gaps between what the business expects and what CISOs are delivering. It also suggests that the CISOs are investing in activities that don’t directly align to the business objectives, and therefore may not warrant continued investments and budget. Additionally, the research implies that both sides would do well in learning each other’s vernacular and concepts, e.g., how business associates define risk can be quite different from how CISOs define risk, and thus can lead to misunderstandings.
If these hypotheses hold true, is this a matter of the language and vocabulary between business leadership and security leadership being different? Or are there real expectations, regardless of language, that are missed by one or the other, or both sides? Examining the content may help us understand this a bit better.
The Breakdown: Sides of the Information Security Maturity Model
Le will discuss the results by breaking the chart and data down into three primary sections:
On the left: General Management and Leadership
In the middle: Information Security, Technology, and Program Management
On the right: Risk and Total Cost of Ownership
Analyzing the Middle Ground: Finding Calm in the Center
This week we will start in the middle category, Information Security, Technology, and Program Management, where we can identify what appears to get alignment in vocabulary and taxonomy. This alignment suggests that the business community and InfoSec leadership have a fairly common implied concern, and therefore a similar set of priorities, when it comes to managing the technology and security programs in support of the business.
The area that’s top-of-mind for the business community is GRC, with 32 of the 35 citations. The InfoSec leadership team also found GRC to be a key priority, with 16 of its 37 citations in this section.
The only other area cited by the business community in this section revolved around Apps, capturing the remaining 3 out of the 35 total citations in this section. InfoSec leadership also found Apps to be a priority, pulling in 11 more citations from its 37 total citations in this section.
This leaves a couple areas where the InfoSec leadership team prioritized against what the business community expected: endpoint security (8 citations) and network security (2 citations).
Perhaps, when the security team thinks about program management, they think about more tactical initiatives like budgeting, project management, staffing, and tech implementations.
Overall, presumably, this alignment can be seen as good news, and there is little for both sides to grapple over in terms of planning, budgeting and execution. It appears they can set and meet most of the expectations here by using a clear set of taxonomy.
Analyzing the Right: The Risk Appetite is Unclear
Continue to move to the right to the Risk and TCO section, and we can begin to see some bigger disconnects in both perspectives and expectations when it comes to how each group views and discusses risk and return. This is where things start to diverge a bit.
From the InfoSec leadership perspective, there’s a clear focus on vulnerabilities, attacks, incidents, and threat intelligence. From the business community perspective, there’s an expectation generally being met, operationally, in these same areas.
Worth noting in this section are two areas of notable divergence: the definition of risk appetite from the business perspective (lacking in the InfoSec leadership language) and the value of fraud prevention from the InfoSec perspective (lacking in expectations from the business community).
As a CISO, the results here may present themselves in how you communicate your program to the business versus how it is received by your business community audience. Chances are that the effort you put into managing an information security program is probably significantly under-appreciated—the majority of the risks you worry about don’t seem to resonate with the business leadership team. What is the company’s risk appetite, and is the InfoSec leadership team managing to that? And with that, the budgets, metrics, and outcomes you focus on and report out against could fall flat from their perspective.
Naturally, this makes sense as the InfoSec teams are often technically driven with a deep focus on the threats to the technology stack and the operational risks that this brings to bear. However, the lack of terminology and vocabulary to convert that technical risk to business risk could be doing a disservice to the security leadership team.
To learn more about security program management for your organization, download our report directly from other CISOs: Security Program Management: Priorities and Strategies.
Cited Sources:
- “ESG Presentation – ‘Cyber in the C-suite and Boardroom’”
- Blue Lava framework categories
- “Predicts 2021: Cybersecurity Program Management and IT Risk Management” – Gartner
- “Are CISOs Meeting Market Demand? A Benchmarking Report on What Organizations Look for in a CISO and How Candidates Compare” – Gartner
- “CISO Effectiveness: A Report on the Behaviors and Mindsets That Impact CISO Effectiveness” – Gartner
- “Principles for Board Governance of Cyber Risk” – INSIGHT REPORT, MARCH 2021
- “Boards and cybersecurity” – McKinsey & Company
- “Cybersecurity: Emerging challenges and solutions for the boards of financial-services companies” – McKinsey & Company
- “COVID-19 crisis shifts cybersecurity priorities and budgets” – McKinsey & Company
- Rethink your cyber budget to get more out of it – PWC