Be Confident in the Face of Cyber Attacks

After Sony, Target, and so many others, security confidence is low across many large organizations. It is a hard job; plenty of CISOs said as much in the New York Times. Still, it is possible to be confident in the face of constantly changing, high-intensity security issues.

Confident security organizations do not focus on individual attacks or cyber security incidents. They do not singularly focus on threat prevention. Rather, they focus on business priorities, just like every other well-performing business unit. Confident security organizations impact revenue growth by helping the company manage risk.

Where does this confidence come from? How can a security team earn the right to be confident?

First, it is important to understand that your team has the same goal as sales, marketing, finance, and every other part of the company. That goal is to enable the business to grow and realize its revenue potential. Sales can impact growth through new customer acquisition, marketing can do so through lead generation, and finance can do so with strong fiscal management. Security impacts growth by advising and guiding these and other business units on how to effectively manage risk and secure critical information.

Today, most security organizations are mired in reactive response and tactical threat management, so the goal of impacting revenue may seem too lofty or aspirational. However, every time security teams lead with fear tactics, they move themselves further away from the most important business conversations and miss an opportunity to increase their stature within the company. Every security organization is capable of refocusing its approach to align with the business; many need help finding the way forward.

So where to start? Below are important steps for creating a confident security program.

  1. Get to Know the Business – More so than any other organization, security teams must be collaborators, communicators, and partners to their peers in other business departments. Security teams must understand how the business makes money, be in step with overall business goals, and find common ground by aligning security objectives with the key priorities of each department in the company.

Security teams strengthen their relationship with these key business stakeholders by demonstrating an understanding of their goals and challenges. In turn, that opens the door for security to be involved with the development of critical business processes and procedures, ensuring increased security awareness and adoption.

  2. Make Sure Everyone Knows Security’s Role (Starting with Your Team) – Keep in mind that the goal of any confident security organization is to enable the business to achieve its revenue growth potential. Successful security teams help the organization manage and alleviate risk. Make sure your team understands that this is its mission – document it, memorize it, and have an elevator pitch ready so you can evangelize it.
  3. Be Included in the Boardroom – Security leaders who perform the first two items well will find a welcome place in the Boardroom. Once there, security leaders need to make the most of their opportunity. It is important to remember your goals and audience and make a game plan for success. To win over the room, you must leverage your allies, those who have seen how security positively impacted their goals, and speak their language: leave technical jargon in your office and explain how security impacts the business.

Because of an increased focus from national news, IT security has as big a stage as it ever will. Business executives need to be refocused away from the fear-based sensationalism they read and see on the news, and towards security’s ability to impact critical business goals. A confident security organization is well prepared to seize this moment and lead the conversation in the right direction.

 
