Going the Extra Mile for Rational Cybersecurity
Successful security leaders don’t quit in the face of obstacles. They go the extra mile for their security program and understand that cybersecurity isn’t just a technical problem. It’s a people and organizational problem. That makes it critical to align security efforts with the business.
Last year I became so convinced business alignment was the missing link, I decided to write Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment. A week ago I thought the book would be in your hands today. Unfortunately, the publication date slipped. We’re close, but I don’t have a new date yet.
Depression Era Wisdom
As we struggle with unrelenting cyberattacks and business disruption, it pays to remember these words from Napoleon Hill, penned in his 1937 self-help book Think and Grow Rich: “Remember, too, that all who succeed in life get off to a bad start, and pass through many heartbreaking struggles before they ‘arrive’… One of the most important principles of success is developing the habit of going the extra mile.”
Where’s the Book?
Mine is not the first book to be inexplicably delayed by a publisher. Perhaps the pandemic disrupts us all. I like to think that I did everything right by picking a reputable publisher, getting my edits in on time, and putting together my own marketing and communications program to reach thousands of potential readers. Rather than allow these efforts to be derailed, I must – you guessed it – go the extra mile.
The Security Leaders’ Challenges
Perhaps this is a test to see whether Rational Cybersecurity is worthy of its audience. CISOs, managers, architects, and other security pros face challenges that often dwarf my own. Each of the 8 main chapters in the book has a section, “Address Common Challenges,” devoted to problems like these:
- Cybersecurity not considered strategic at the executive level
- Security governance not aligned with organizational structure or culture
- Frustrated and under-resourced security teams working amid pandemic crisis conditions
- Myopic focus on control assessment while ignoring other risk treatment options
- Controls not risk-informed, or deployed without a unifying architecture
- DevOps and Agile models fielded without security provisions
- Immature data governance and access management processes
- Business unpreparedness for incident response and recovery
Of course, we can’t just admire these problems. Each chapter tackles them from the cybersecurity-business alignment perspective.
What’s the Secret?
The need for business alignment is pervasive across almost all security projects or processes. While the book’s focus is broad, it clearly prioritizes security governance and culture, risk management, control baselines, IT security simplification, access governance, and cyber-resilience. See my Dark Reading article Applying the 80-20 Rule to Security Programs for more detail on why these are the priorities.
Alignment is as much a way of doing things as anything else. Therefore, the book has some general guidelines such as:
- Clarify security-related business roles
- Make enhancing security communication a top security team priority
- Use awareness programs to improve behaviors and security culture
- Institute cross-functional coordination mechanisms
- Implement a tiered risk assessment model (while placing accountability with business owners)
More than 50 Keys to Alignment highlight these and other important points. Key #10 in my blog series highlights the many security-related roles that exist outside the CISO’s reporting structure.
Often it’s appropriate to create formal security processes for business alignment. Mind Key #11, however, and don’t go overboard on the bureaucracy!
So How Should We Go the Extra Mile?
This isn’t in the book, but I think the Extra Mile Formula in the Figure at the top of the post says it all: Q1 (quality) + Q2 (quantity) + MA (mental attitude) = Compensation. Cybersecurity-to-business alignment is a way of engaging the business around your strategic security priorities and the business’s own drivers, processes, and projects.
If you’re in the CISO (or other head of security) role, work to establish strong governance support for security programs. You’ll need to enlist many of the key people on your team in the effort. Although gaining executive support at your level will be a huge win, you still have to play the long game for business alignment. You’ll need your team to embed security into multiple projects and processes, and to forge relationships with business and IT leaders on down the management, supervisory, and staff chain.
Because the requirement for alignment is so important, I’m making it easy for everyone in a security leadership role to get the book through the ApressOpen program. This program features complimentary downloads and Creative Commons reuse with attribution.
The book’s also highly actionable. Each chapter ends with a Call to Action, encouraging readers to define alignment priorities, perform situation assessments, and set improvement objectives. A Success Plan Worksheet facilitates these action steps.
When I finished writing, it wasn’t the end; it was the beginning of the 50 Keys to Alignment blog series. Once you finish reading, it doesn’t have to be the end either. It can be the beginning of an open information flow. This delay is frustrating, but unimportant in the long game. We’re going the extra mile.