Words Matter: What is the Language Used Between Business Leaders and CISOs
Demetrios Lazarikos (Laz)
April 18, 2022
I’ve talked about CISOs being a student of the business. I’ve been told often that this is something that makes sense in theory, but in practice, it can be a bit hard to absorb and then demonstrate. I wanted to expand on this a bit more here.
How do we know we’re doing well with our security program—or whether we are missing the mark when it comes to running our programs in support of the business? What are the signs? Are we defining and implementing the right things—do the things we’ve implemented really matter? Will these solutions move the needle?
Whether or not we answer these questions correctly often comes down to the language we use when talking with our business leader counterparts. It’s important to make sure we understand how the business defines outcomes, risks, requirements and challenges. And it’s just as important when presenting security concepts to make sure the business understands how we define those concepts.
Aligning Information Security with the Business
To help the CISO community take on these challenges, I decided to see if I could shed some light on how well CISOs are doing at being a student of their business. I also thought it was important to make sure there’s an understanding of how both businesses and InfoSec teams may define certain terms.
Working with our team at Blue Lava, we did some research, and we captured the results of that research in a new eBook, Alignment Between Business and Information Security Maturity. The research involved sourcing content from 10 well-respected research and analyst firms coupled with our internal and community-driven data.
We present the methodology and the results of our research in the eBook. In this blog, I’d like to comment on how InfoSec priorities compare to the expectations of the business in four key areas of IT security leadership:
- General Management and Leadership
- InfoSec Technology Management
- Security Program Management
- Risk and Total Cost of Ownership (TCO)
Our research documented the ratio of the requirements cited by business leaders in relation to those cited by their InfoSec leader partners. As you might expect, #2 and #3 above—InfoSec Technology Management and Security Program Management—show some common ground between business expectations and InfoSec focus, as they are relatively well defined and programmatic and operational in nature. But things start to disconnect and break apart in #1 and #4, where business management and risk take center stage in the conversation.
These results aren’t—and shouldn’t be—too surprising. But the fact they aren’t doesn’t mean we, as CISOs, have to live with the results and the roadblocks they put on our ability to succeed. To be clear, the information here can help us better understand where we stand and give us the insight for how best to move forward. The research detailed in the eBook suggests there are frequent disconnects in conversations between CISOs and business leaders, and gaps between what the business expects and what CISOs are delivering.
It also seems CISOs invest in some activities that don’t directly align with business objectives. Additionally, both business leaders and CISOs would do well to learn each other’s vocabulary; for example, how each group defines risk can be quite different.
Fine. Understood. So, now what?
Asking the Right Questions Begins the Journey to Uncovering the Right Answers
While we don’t have all of the answers just yet as to why there are discrepancies in the definitions used by both groups, the eBook identifies how we, as CISOs, can at least begin to ask the right questions.
I will close here and encourage you to read the eBook and connect with me on LinkedIn.
Also, please look for an upcoming webinar I’m working on with Jaclyn Miller, Chief Information Security Officer – Transformation and Platform Services, NTT Ltd., where she and I will discuss the research findings in more depth, providing some additional analysis of the eBook. If you connect with me on LinkedIn, I will also bring some of the points you raise to bear in this discussion.
Laz has 30+ years of industry experience, is a 3x CISO and the Co-Founder of Blue Lava, and is a globally recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.