Security professionals are still making a poor job of getting business leaders to understand strategies.
Speaking during the Gartner Security and Risk Virtual Summit, VP analyst Jeffrey Wheatman claimed security professionals are “fighting a battle with ourselves and our business stakeholders” as security does a poor job of articulating strategies and getting stakeholders to understand “why the things we do are important.”
He claimed that even during the COVID-19 pandemic, this is still the case, and security needs to know how to take steps to create a cybersecurity strategy that resonates with stakeholders. He also claimed that everyone is seeking to create a one-page strategy, which management understands but which does not resonate with the technical team; alternatively, the strategy can be more technical and granular, where the technology team knows what to do but the management team does not.
“Clearly we need to figure out how we can bring these two extremes together and articulate what we are doing and why; to tell a simple story,” he said. Wheatman said this involves five steps:
- Start with your business goals
- Identify your risks
- Make the risks real
- Articulate the program objectives
- Map strategy to tactics
As part of this, Wheatman recommended focusing on what the company does, what risks it faces and how they are addressed. “That construct is very important, this is not us in security, it is not you in the business, it is we working together to achieve a common set of goals and objectives,” he said.
He advised that the best way to get company engagement is to focus on what business stakeholders care about, namely: growing revenue, managing costs, focusing on customer retention, growing the sales force, being number one in the market and being the best in class. “If you cannot use these, where can you get your business goals from? Look at the annual report executive summary of what the company is going to accomplish this year, what are the core values and initiatives?” he said. “Essentially, this is what the board and C-level executives get measured on at the end of the year, so focus on those.”
To identify risks, Wheatman said a common question Gartner receives is “tell us what our risks are.” He said there may be commonality in your vertical, but “your risks are your risks,” so identify them by doing a risk assessment, focusing on the executive summary, looking for published reports, and talking to your peers and your ISAC, if you have one.
He also recommended keeping risks to between eight and 10, as many more will not be digestible and you’ll be shifting to threats and vulnerabilities.
Wheatman also recommended mapping your strategy to a framework which others use, as this will give you a justification for expenditure.
“If you think about the five elements of the story, it is how we’re going to do it, how we’re going to invest, the time and human capital and tooling, here’s how we’re going to measure our success, and here’s the process for continuous improvement,” he said. “So think about these things as the next step, once you’ve gone through the initial five steps to build this out.”
He recommended linking back to business goals, particularly in growing revenue, and linking actions to goals. “You must target your audience and target what they care about and the things they are compensated on and measured on at the end of the year,” he concluded. “Identify your risks and make those risks real for your audience.”