Since my Q2 update on the Rational Cybersecurity for the Business book project I’ve continued to forge ahead, completing another 3 draft chapters. My goal is to get to final draft (after rewrites) before year’s end!
Rational Cybersecurity for the Business’s target audience is security leaders and professionals seeking to fully align their security programs with all levels of an organization – from the Board member overseeing risk on down to LOB executives allocating budgets, line managers or supervisors, developers or IT system administrators, and the end users who can become your greatest asset or liability.
Aligning with Business Stakeholders
Over the years, in countless consulting engagements and research projects I’ve looked at virtually every cybersecurity domain and have often found that an organizational or political challenge was the root cause of a technology problem.
Even now, the ability to align strategies with business stakeholders, get their buy-in, and maintain their support continues to be one of security leadership’s greatest challenges. In a recent LinkedIn Security Architecture Group discussion, a colleague commented that “Everyone creates their own road maps with a different focus, hoping that business stakeholders make the correct mental connections. Enterprise Architecture (EA) principles and security policies don’t seem to align.”
Improving this situation is the focus of Rational Cybersecurity for the Business. The Figure at the beginning of this post shows that security organizations must engage with multiple levels of business stakeholders. Accordingly, each of the book’s 10 chapters provides specific guidance for aligning with each kind of stakeholder. For example, Manage Risk in the Language of Business (Chapter 5) suggests strategies for collaboratively involving stakeholders in all appropriate Risk Management Framework processes. Chapter 5 also advises CISOs on clearly communicating risk to the Board of Directors. The chapters are:
- Chapter 1: Understand the Cybersecurity Business Landscape
- Chapter 2: Analyze Cybersecurity Roles and Motivations
- Chapter 3: Establish a Control Baseline
- Chapter 4: Simplify and Rationalize IT and Security
- Chapter 5: Manage Risk in the Language of Business
- Chapter 6: Create a Strong Security Culture
- Chapter 7: Put the Right Governance Model in Place
- Chapter 8: Control Access with Minimal Drag on the Business
- Chapter 9: Institute Resilience, Detection, and Response
- Chapter 10: Putting the Pieces Together
Preliminary Interview Findings
As promised in the Q2 update, here is a preliminary finding from the series of Rational Cybersecurity interviews, which are still in progress, concerning a key security leadership question: the CISO’s reporting line.
Most interviewees who could speak to a specific mid-to-large enterprise case study from their own background reported that the CISO reported to the CIO. In many cases, the interviewee was that CISO (or head of security, by whatever title). In general, my interviewees put a positive spin on their experiences: reporting to the CIO worked reasonably well, and the players made the arrangement work by maintaining constructive relationships. The consensus is that the value of keeping a tight alignment with IT outweighs separation-of-duties concerns.
Multiple interviewees who gave a positive perspective on CISO-to-CIO reporting added a caveat: the CISO under the CIO should still be engaged at the Board level. Direct contact with the CISO at Board (or Board Committee) meetings helps Board members perform their oversight function by confirming that the CISO is getting the required resources and that cybersecurity is in good hands. It also lets the CISO get input on business drivers and risk appetite straight from the top.
I’m Still Taking Interviews
If you’re a security leader, or a business leader interested in cybersecurity, please contact me for an interview. Your lessons learned from working “across the aisle” could be invaluable to others.