Could it be that a simple misunderstanding of what cybersecurity means is creating much of the disconnect between business and security leaders that often makes security programs ineffective? According to one security leader who has worked as a Chief Information Security Officer (CISO) for almost 20 years, a lot has changed in the security space by 2020, but two things remain the same.
- Senior executives don’t prioritize cybersecurity enough for security programs to be fully effective.
- The reason for this is not that executives don’t care – they do, and they don’t want their name in the headlines after a breach – but that they lack a clear definition of security.
Let’s face it, the dictionary definitions of cybersecurity (and security) fall short of the shared meaning required to guide and establish a security program. We need to flesh them out so that stakeholders can get a common understanding.
But one of the technical reviewers of my book, Rational Cybersecurity for Business, balked at this idea. “A longer, more detailed definition of “security” likely causes more harm than good.”
I replied, “It’s not about the detail so much as the explanation of what security means specifically for a given organization and the business functions within it.”
And on this we connected: “Establishing “why” security should be a priority sounds more helpful.”
The security leader I cited earlier would agree too. His name is Mike Gentile and he’s one of the co-authors of the book “CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives.” In his words, the “why” is the mission and mandate for a business’s security program.
Rational Cybersecurity
Perhaps the simplest way to explain what I call rational cybersecurity is to say that it establishes the “why” for cybersecurity. More formally:
In order to rationalize cybersecurity, the combined business, IT, and security leadership should align on the cybersecurity mission and mandate and socialize them with key managers and staff. The combined leadership should also codify its shared understanding in a Security Charter document.
How to Write a Security Charter
The Security Charter should be a short, plain language document intended for broad consumption. It should be signed by the organization’s CEO or equivalent. This gives it the gravitas to serve as the business mandate and the foundation component of the security program. It should:
- Identify key security objectives including confidentiality, integrity, availability, safety, and privacy.
- Reference core governance principles covering accountability, compliance, operations, assurance, and audit functions.
- Call for establishing a cross-functional coordinating committee (aka security steering committee) as a security governance forum. Such a forum enables business, IT, and security leaders to authorize and oversee major security projects, budgets, and changes.
- Define the security policy hierarchy.
The Security Charter also explicitly defines the security governance model. It should state whether the organization will have a security leader with the CISO title. It can also assign where the CISO or security leader reports and the scope of responsibilities.
Clarify Security-Related Roles
By defining CISO reporting, the Security Charter starts (but doesn’t finish) the process of clarifying security-related roles.
Cybersecurity cannot operate in a silo and be effective. Instead, it must be aligned with many different business functions. Especially in large or mid-sized businesses, multiple business and IT leaders have security-related roles to play. The CISO or head of security should have the core leadership role, but strong leaders must also be in place for risk management, business continuity management, compliance, and audit. Some of those functions may report to the CISO, but others do not. Leaders in other business functions such as HR, legal, and vendor management don’t typically report to the CISO, but must nonetheless understand and perform their security-related roles.
Security-related roles should be formalized in security policy and reinforced through awareness, training, and communication programs. Although in an ideal world business and IT leaders or staff would comply with all security policies, they often don’t. However, security leaders can follow up with business leaders to ensure they understand and buy into policy. Clarifying security-related roles in itself gets business and security leaders more engaged.
Deep and Dynamic Alignment
Clarifying security-related business roles is core to alignment, and has to be a dynamic process for functions at different levels of the business. It can’t all be spelled out in the short, plain language Security Charter. The clarifications must make their way down the full security policy document hierarchy and into the security-related business processes themselves. This gives us #6 of our 50 keys to business alignment.
I wrote the book to fill a need for deep, dynamic guidance on these matters: to provide a Security Leaders’ Guide to Alignment. The content gets pretty deep into definitional questions such as:
- Clarifying Security-Related Business Roles with a Responsible-Accountable-Consulted-Informed (RACI) matrix: The matrix covers high-level processes such as ensuring risks are managed, managing security programs, and managing security operations.
- More RACIs (or similar guidance) for functions such as access control and data governance.
- Aligning Control Deployment and Business Functions: A Master Table aligns business functions to all the major cybersecurity control categories.
Bottom Line
Cybersecurity-business alignment is a critical topic. Much of it revolves around the Definition of Security customized for your business, agreed on by the leadership, and socialized with managers and staff. To learn more about how we can help you to work through this with your stakeholders, read the page about our Rational Cybersecurity Workshop (coming soon), or Contact Us directly.