Enterprise efforts to bolster cybersecurity tend to focus on technology and process improvements, and much less on enabling better collaboration between the security function and the rest of the organization. That is a problem.
Recent studies show that a continuing gap between the security group and business unit leaders, C-suite executives and even the rest of the IT group is preventing organizations from achieving an optimal level of cyber resiliency.
The Ponemon Institute last September conducted a survey sponsored by Resilient Systems of over 600 IT and IT security professionals. The results revealed a disturbing lack of collaboration on security issues across departments and lines of business at many organizations. A mere 15 percent of the respondents described the collaboration as excellent while 32 percent described it as poor or non-existent. The remaining 53 percent cited it as being adequate but in need of improvement.
As a result, there is considerable confusion within organizations about who really owns the security function. That relative lack of accountability is preventing many organizations from being proactive about their security strategy and has left a vast majority (83 percent) without a properly implemented cybersecurity incident response plan, the Ponemon survey showed.
“Three quarters of all organizations interviewed didn’t think they were best equipped to handle cyber attacks,” says John Bruce, CEO of Resilient Systems. “Many felt they didn’t have enough executive sponsorship to handle cyber attacks. About three quarters said they didn’t have enough planning and preparation going on” around security, Bruce said.
Here are four measures organizations can take to make security a more collaborative effort across the enterprise:
Make Someone Accountable For Security
Organizations sometimes get too fixated on whether security is better handled by the CIO, by the chief information security officer (CISO) or by a chief security officer (CSO). Forget about that. The real question they should be asking is who should be held ultimately accountable for enterprise security overall, says John Worrall, chief marketing officer at CyberArk, a vendor of privileged account security management software. CyberArk in December conducted a survey (registration required) similar to the one conducted by Ponemon and found a similar disconnect between the security function and the business side.
“It’s less about the position and more about accountability,” Worrall says. A CISO, CSO or a CIO can handle the security function equally well, but only if they are held formally accountable for the role and receive adequate support for it. “There needs to be a clear understanding of what is expected of the role.”
An organization can make an important statement by appointing someone to the role of a CISO or a CSO. It shows the organization is paying attention to security in a serious manner, Worrall says. But the ultimate accountability for security could still be vested in another role, if an organization finds that to be a better fit.
“I won’t say one is necessarily better than the other,” Bruce adds. “A lot of it is really born out of how the company has evolved organizationally.”
Enable Better Collaboration Across LOBs And Departments
The executive in charge of cybersecurity needs to take advantage of the heightened threat awareness that exists at the top levels of the organization to make security a more collaborative effort. “There is greater receptivity in the enterprise,” Bruce says. “People are listening harder at the leadership level. It behooves the CIO or CISO to make a case on how it needs to be done” at an enterprise level, he said.
The most effective security executives are the ones who can muster support from executives and stakeholders across the organization. “The best [security executives] are great communicators. They are good aligners of people, process and technology and are treated by other business leaders as a fellow business leader,” Bruce says.
Communicate Security Issues More Effectively
Communicating security issues in a way that business leaders and non-technologists can understand is vital to getting the support and the funding to mount an adequate defense against evolving cyberthreats.
“There’s a mismatch between the two ends of the spectrum,” says Worrall. “The CEO and the Board are trying to better understand the security posture of the organization and what they need. But they are not immersed in technology and don’t understand technology language,” he says.
Not surprisingly, some 53 percent of the 304 respondents in the CyberArk survey felt their CEOs made decisions without regard to cybersecurity. More than six in 10 felt their CEOs did not know enough about cybersecurity, while almost 70 percent said the issue was too technical for their chief executives to understand.
The lack of communication and the consequent lack of understanding of cybersecurity issues at the highest levels appear to be exacerbated by the fact that C-suite executives are not briefed as often as many might expect. Despite the mega-breaches at Target, Home Depot and elsewhere, one third of the people who took the CyberArk survey said their CEOs are not briefed regularly on cybersecurity. Nearly 43 percent of management teams are not provided regular security status reports, the survey showed.
Use The Right Metrics
Security practitioners rely too heavily on compliance-related metrics to convey the effectiveness of the security program. As a result, executive management often fails to grasp the business implications of an effective cybersecurity program, and comes to see cybersecurity as something needed primarily to comply with industry or regulatory requirements.
For example, only 44 percent of the respondents in the Ponemon survey said their organizational leaders recognized how important good cybersecurity is to managing enterprise risks and to brand image.
The problem is that reports to management tend to describe the activities the security organization is engaged in rather than the outcome of those activities from a risk-reduction standpoint, Worrall says. Metrics that are critical indicators of a security program’s effectiveness, such as threat detection metrics, are rarely a top priority in reports to top executives.