How to Align Business and Risk Strategies
The International Cyber Threat Task Force training company offers an insight into a set of measures to change the conversation from security to risk management, fully aligned to business strategy.
The business landscape for the foreseeable future can be characterised by a few critical terms: digital, distributed, sustainable.
As every business becomes, in effect, a digital business, reliance on data and its transformation into intelligence is becoming ever more important. Within this, the drive for sustainability and net-zero operation, is further driving the need for instrumentation, data gathering and measurement.
The data vital for operations, as well as sustainability commitments is coming from a greater diversity and distribution of sources than ever before, adding to the challenge and increasing risk.
Aligning business and risk strategies, with cyber risk an increasing proportion, is now seen as a critical approach for digital businesses.
What does that mean for business organisation? What changes are necessary to put cyber risk at the heart of business strategy?
One of the key measures to make this quite fundamental change is for the CEO, and indeed the CIO, to empower the CISO to develop cyber risk mitigation strategies that extend across the entire enterprise. With a perspective that goes beyond securing systems, processes, and data, the CISO must be enabled to develop strategies that encompass the business strategies on which the organisation relies, and which are being developed in transformation programmes.
Early engagement of the CISO in business development and transformation efforts ensures that risks are identified early, communicated and investigated thoroughly, and consequently mitigated before they can become a threat.
With that empowerment from the senior C Suite executives comes the responsibility for the CISO to understand the business ambitions, and be able to clearly communicate the cyber risk issues to business leaders. Only through a deep knowledge of the business requirements and direction of development and transformation, can the CISO identify and convey the risks, as well as the opportunities, in mitigating them.
Changing the Conversation
The ability to share a common language for understanding risk is key to facilitating the next step in aligning business and cyber strategy. It is incumbent upon the CISO to move the conversation from security to risk mitigation. In today’s cyber risk landscape, prevention is not the goal, mitigation and reduction must be the focus. This critical shift in the conversation must be led by the CISO to allow business leaders and C Suite executives to contribute to the distribution of resources to mitigate risks appropriately, ensuring those resources are best placed for the business strategy determined and the transformation initiatives.
In terms of practical measures, many experts recommend establishing a cyber governance body, comprised of business leaders, senior executives and key stakeholders to develop a charter for key cyber risk management strategies. This charter would have its own performance indicators, as well as powers to enforce the strategies and initiatives agreed.
In line with other areas of the business, agreed reporting standards can measure and indicate progress and successes, adding further evidence of the efficacy of measures. By the same token, executive oversight in cyber risk strategy and budget planning is vital to ensure cyber risk investments are aligned to business initiatives and transformation directions, enabling while protecting.
From Adjacency to Centrality
Many analysts and observers have reported that the CISO is often C Suite adjacent, as opposed to fully engaged, at a remove, and therefore disadvantage, from the central planning and development of strategy. By bringing the CISO into the strategy process fully, they can get a better understanding and insight into CxO concerns and requirements. Each CxO and business leader has different perspectives that must be understood and embraced. The example is often given of an upcoming merger, where a CEO might be concerned primarily about integration, whereas a CFO might be worried about unknown costs, and a COO might be chiefly concerned about continuity of operations for both organisations. A CISO must be able to understand and accommodate all perspectives and communicate risk mitigation measures. However, that capability can only be exercised when the CISO is fully engaged at not just the board level, but whatever special groups are set up for digital transformation, special operations or mergers and acquisitions.
CISOs can develop risk registers, data profiles of similar organisations or, where innovation is occurring, relevant adjacencies that will allow reasonable extrapolation. These tools allow the CISO to properly represent risk, while providing a means to develop and refine mitigation techniques with the business leaders and key stakeholders.
In today’s cyber risk landscape, the ability for cyber threat actors to harness tools such as cloud platforms, automation, and artificial intelligence, as well as the increasing professionalisation of cyber crime services, have meant the reach and impact of cyber crime is more far reaching than ever before. In this context, as one practitioner put it, a security threat is a business threat.
Empowering the CISO while putting them at the heart of the business strategy process, will allow them to understand business needs, from all perspectives. Through methods such as establishing cyber governances groups, business leaders and stakeholders can be provided with the level of engagement and communication necessary to understand and resource risk alignment.
With resources applied based on a real understanding and engagement of risk, across the entire enterprise, organisations can be confident of mitigation for their business goals and transformation ambitions.
Find out more here
• International Cyber Threat Task Force