Cybersecurity has been on board agendas for at least a decade, but the recent coronavirus outbreak puts a spotlight on the disconnect between executive understanding of cybersecurity and their organization’s actual capabilities.
“The stories that we’ve seen during the COVID-19 outbreak are the latest example highlighting the failed approach to cybersecurity that many organizations take,” says Paul Proctor, Distinguished VP Analyst, Gartner. “While executives were focused on ensuring compliance and stopping hackers, simple opportunities like enabling secure remote access technologies — which have a much larger business impact — were ignored. Now, organizations are scrambling to catch up.”
These missed opportunities detected during the coronavirus outbreak are just the most recent example of how the disconnect between security and business outcomes is often underestimated. Organizations should focus on the creation of adequate, reasonable, consistent and effective controls in a business context.
The COVID-19 disconnect should be a wake-up call for CIOs, CISOs and IT executives about the critical need to address cybersecurity in a business context and as a business decision. IT leaders can build an executive narrative to change how cybersecurity is treated in their organization.
Address failing cybersecurity approaches
Many organizations take an ineffective approach to cybersecurity. These failed approaches lead to poor decisions and bad investments. Here are the four key challenges that limit cybersecurity’s business impact.
1. Societal perception is that cybersecurity is a technical problem, best handled by technical people.
This results in a lack of engagement with executives, unproductive exchanges and unrealistic expectations. Ultimately, it leads to poor decisions and bad cybersecurity investments.
2. Organizations ask the wrong questions about cybersecurity.
Questions like “How much should I spend on cybersecurity?” or “How can I comply with regulations?” don’t reflect the organization’s level of protection. These misplaced questions drive attention away from improved priorities and better investments.
3. Current investments and approaches designed to address limitations are not productive.
Organizations are focused on new approaches that have great promise, but through a combination of failed execution and poorly set expectations, these investments only delay activities that would genuinely improve cybersecurity. For example, many companies use quantification to present risk and security in terms of money (is that a $5 million risk or a $50 million risk?) and likelihood of damage (what is the percentage chance of getting hacked?).
However, these calculations are often based on assumptions and “expert opinion” that essentially dictate the result, rather than real quantitative business assessment. Using the veneer of quantification to get what you want does not support improved cybersecurity.
4. Real failures are not getting enough attention to productively change behavior.
For instance, the manufacturer of a medical monitoring device ignored cybersecurity in the development of its internet-connected product to cut costs and speed up production time. The foundational software was riddled with vulnerabilities, and once discovered, cybercriminals exploited the devices to deploy ransomware. This rendered the devices unusable to medical professionals and created a critical shortage during a time of peak need.
This disconnect between executive decision making and effective cybersecurity should encourage both business and security leaders to focus their attention on new ways to approach the problem.
Create a business context around cybersecurity
To create a business context around cybersecurity, first identify the business context of your organization. Every organization has budgets and costs, desired outcomes and supporting business processes, sources of revenue and customers. Each of these components comes with key technology dependencies. Understand the organization’s most important processes and business outcomes, and identify how technology maps back to them.
Then, using the business context as a guide, shift toward an outcome-driven approach to cybersecurity. An outcome-driven approach is a governance process where priorities and investments are determined based on their direct impact on protection levels in a business context. This approach helps the organization see how well the organization is protected, rather than just how it is protected.
For example, an organization can manage ransomware risk by measuring the operational outcomes of the primary controls it uses to address ransomware: backup and restore, business continuity and phishing training. If these controls are delivering outcomes that meet stakeholder expectations for readiness to address ransomware, that creates a business context for continued investment. Executives can then participate in decisions about how much ransomware protection the organization wants and how much it is willing to pay for it.
An outcome-driven approach creates an entirely new lens for non-IT executives and other stakeholders to consume information about cybersecurity issues in a business context. Priorities and investments can be adjusted to balance the needs to protect against the needs to run the business.