Editor's note: The following is a guest article from Aaron Shum, practice lead and executive advisor, security, risk and compliance at Info-Tech Research Group.
With the CIO traditionally seen as a leader only in the IT vertical, the IT department may have limited coverage in enterprise cybersecurity risk.
Even for organizations leveraging the concept of governance, risk and compliance (GRC), whereby the various operational verticals of a business integrate with each other to enable the organization to achieve objectives reliably, IT leaders may find themselves disconnected from key business areas needed to manage the IT side of GRC effectively.
Here are the top five cyber risks for business operations and common challenges according to the Ponemon Institute:
Top 5 cyberthreats organizations face, 2019
|Cyber risks to business operations||Common challenges|
|Third-party misuses or shares confidential data||IT may not be directly involved in procurement or third-party management efforts, especially in a cloud-first culture.|
|Attack involving IoT or operational technology (OT) assets||IT may not be involved in operational technologies or only supports the underlying infrastructure.|
|Significant disruption to business processes caused by malware||IT may have limited impact on user behavior. For example, 67% of respondents in the Ponemon study experienced attacks where a careless employee fell for a phishing scam that resulted in credential theft.|
|Data breach involving 10,000 or more customer or employee records||Despite cybersecurity efforts, the CIO may still lose sleep due to the number of ways customer or employee records can be compromised.|
|Attack against the company's OT infrastructure resulting in downtime to plant and/or operational equipment||Similar to the concern surrounding attack involving IoT or OT assets, not all IT operations are converging with OT operations.|
SOURCE: Ponemon Institute
It is important for the CIO to rationalize the harsh reality to the CEO in their next conversation. As a business partner, the CIO must provide solutions to these problems and become a champion for working collaboratively with the business.
Here are three major areas of focus to keep the CEO's attention when exploring cybersecurity priorities for 2020:
1. Adjust IT governance according to the business
Globalization and continued digital transformation of businesses are changing how IT can support the organization.
In most situations, IT cannot simply focus on providing operational services. IT needs to ensure its initiatives provide value to the business.
Technical cybersecurity efforts alone may not be effective at protecting against human error, requiring IT to influence human behavior through not only technical capabilities, but also training and awareness methods.
The complexity of this balancing act, compounded by ever-changing business environments, makes it difficult for the CIO to assign necessary resources to address constantly evolving threats.
The CIO's strategy should include a foundational review of IT governance as a means to maximize IT and cybersecurity efforts.
Align IT and cybersecurity strategy with business objectives, with consideration of all applicable external factors (such as regulatory landscape, industry development), to ensure investments in cybersecurity are made in the right areas.
Ultimately, collaborate with all necessary business stakeholders and make appropriate governance changes to your IT organization to ensure the wider organization will support ongoing IT and cybersecurity efforts.
2. Business-driven quantitative risk measurement
Cybersecurity controls put in place based on best-practice frameworks are typically prioritized based on assumptions rather than prescriptive risk mitigation methodology.
While designating risk categories to data, systems and processes can help an IT organization prepare for baseline operational requirements, IT's qualitative evaluation of risks may not reflect the true business impact, resulting in a best-guess effort when measuring the effectiveness of cybersecurity controls.
Instead, IT organizations should apply a quantitative risk model based upon the organization's risk tolerance, diving into each business unit as necessary to meet the organization’s overall goals. The ability to work collaboratively with the business on measuring risk will result in better cybersecurity initiative planning, prioritization and budgeting.
Start by creating a risk escalation path or a cybersecurity risk management committee consisting of business stakeholders.
The key is to determine the most appropriate risk thresholds relative to the organization or business unit, and obtain support from business stakeholders when assessing risks.
Leverage quantitative factors such as financial costs, severity of impact to business, impact to business operations or assets affected, or other quantitative risk values appropriate for business, and solicit support from business stakeholders and senior management.
Next, tailor cybersecurity priorities to the risk tolerance level established in collaboration with the business, which makes the budgeting conversation easier.
3. Business collaboration first; then, compliance comes naturally
Cybersecurity is now top of mind for many leaders, not just the CIO. Business stakeholders in other functions will likely support initiatives to help prevent data breaches and attacks when put in the context of their data and business operations.
Strategically, CIOs should establish ongoing discussions with key business stakeholders to integrate their business priorities into IT and cybersecurity planning.
Gain understanding of the various internal and external pressures (such as regulatory or contractual compliance) each business stakeholder faces and ensure cybersecurity efforts are measurable against business success.
For example, cyber defense efforts to help a customer-facing business unit defend against an industry-specific threat will align much better with overall business objectives than an IT system-centric technology deployment.
Tactically, CIOs can solicit cybersecurity champions within each business unit, ensuring their involvement in the planning and roll out of applicable IT or cybersecurity efforts.
Larger organizations can look into a hybrid governance model where embedding cybersecurity personnel into distinct regional operations can further IT-business alignment.
This is especially important if securing IoT or OT assets is a concern, where cybersecurity capabilities such as IoT/OT asset management and OT network security platforms require support from business stakeholders for integration into OT operations.
Communication is key — and 3 next steps
Effectively communicating the organization's cybersecurity priorities with concise and fit-for-purpose strategy is the best way to get buy-in for necessary support.
To help optimize cybersecurity efforts for 2020, avoid the technology-first approach; investments should be appropriately sized and aligned with both the business' objectives and risk posture.
By replacing the C in "GRC" with the C from "Business Collaboration," CIOs speaking the language of governance, risk, and (business) collaboration will build much better alignment to the business and can optimize cybersecurity efforts by implementing what is appropriate for the organization.
Actionable next steps:
Adjust IT governance according to the business: Identify your organization’s key business objectives, revisit your IT and cybersecurity strategies and ensure your initiatives contribute to the goals of the organization.
Business-driven quantitative risk measurement: Find key business metrics that can be used in your risk calculation and risk escalation. Solicit input from business stakeholders on your risk mitigation and risk management efforts and educate them on how your initiatives can help reduce their business operational risk.
Business collaboration first; compliance then comes naturally: Separate foundational cybersecurity measures that apply to the overall organization and targeted cyber defense initiatives that can increase resilience of a business operation, and ensure business stakeholders or their proxies are involved in planning and execution of the latter.