The CISO Security Maturity Journey Starts by Connecting Technology Dots to Business Objectives
Demetrios Lazarikos (Laz)
March 18, 2022
You’re a CISO doing a bang-up job on your company’s security posture. From a technology perspective, you use all the right tools, and the security controls are set just right. But are those technology dots connected to the business?
IT security has traditionally been a learn-as-you-go process, and security leadership has transformed over the years to where the CISO position is now strategic. However, the role remains somewhat immature when connecting security technology strategies to business objectives. This is due in large part to the difficulty for many CISOs in using the right language during discussions with executives—so everyone is on the same page at the business level.
Language Holds the Key to Communicating Security Strategy
While security initiatives in all areas (risk, compliance, controls, monitoring, response, and recovery) may be well aligned with each other, they may still fail to serve the business. It may very well be that the InfoSec program looks good on paper but does not match what the business actually needs.
The security strategy concepts need to work their way across the organization. The language used to communicate the security strategy should also resonate with business executives. Otherwise, a misalignment in strategy and communication could put the effectiveness and efficiency of any security program in jeopardy.
Conversely, if the strategy and communication are rooted in regular and consistent language, the organization can find it gets what it is looking for—such as growth in market share, revenue, profit, and shareholder value.
Two Resources to Help Develop a Security Strategy
To help CISOs take on the challenge of security strategy and communication, Blue Lava has published an eBook that provides a view into what an InfoSec strategy and planning look like—not only for the security program but also the business. We examine the parallels, the connections, and the path to both enable and protect business objectives—running through sample scenarios on how to turn a business-driven InfoSec program strategy into action.
For additional security strategy and planning advice, we also invite you to listen to the ITSPmagazine Podcast, hosted by Sean Martin, one of the leading journalists and analysts in the security industry. Martin interviews Kyriakos “Rock” Lambros, CEO and Founder of RockCyber, a cybersecurity executive consulting firm specializing in aligning cybersecurity strategy with organizational business goals. Another podcast participant is our very own Jen Sanford, a Director at Blue Lava who works with our customers on many of their strategy and planning initiatives. You can listen to a recent conversation Lambros and Sanford had with Martin on the ITSPmagazine Podcast.
Simply Say “Here’s how we can help” to Start the Conversation
The lessons delivered by Lambros and Sanford during the podcast can help CISOs evolve into a more strategic role within their organizations. As discussed, CISOs must make sure they are invited to the executive conversations in which business leaders discuss the technologies needed to generate revenue and streamline operations. This means “getting away from the keyboard” and building relationships in order to actively seek out answers to the key questions.
By asking questions at the beginning of IT initiatives, CISOs have more influence and can point out what needs to be done to ensure the security of digital assets. These conversations take place when CISOs initiate the discussion by simply saying, “Here’s how we can help.”
And this leads to the InfoSec team elevating itself from the “Department of No” to a strategic part of the business—that not only protects digital assets, but also contributes positively to the bottom line.
For more information on developing a security strategy that helps your company reach its objectives, check out the latest Blue Lava eBook, listen to the ITSPmagazine Podcast, and follow Blue Lava on LinkedIn.