Does your organization face challenges with effectively aligning cybersecurity teams and business executives? In many organizations, it seems that business executives and cybersecurity teams don't always understand each other's roles. Executive leadership may not realize the cyber risks to their organization, such as APT threats, insider threats, espionage, and phishing. Also, cybersecurity teams may not know what business systems are MOST important to protect before and during an incident.

So how can you successfully align cybersecurity with the C-Suite, and keep the collaborative alignment effective? Before we answer that question, let's first talk about the challenges that have historically kept security and business executives out of alignment.

Strategic vision directly influences and impacts the success of implementation of cybersecurity controls. Cybersecurity MUST be positioned as a business enabler. And businesses must appropriately manage risk.

Before we dig into risk mitigation, let's compare and contrast the challenges – both natural and fabricated – that often get in the way of recognizing the true value of engaging cybersecurity teams at the earliest strategic development stages of a new product and/or service. It seems that business leadership often perceives cybersecurity as the department of “NO!”. Those of us that have been in the security business for some time are most likely to blame for this. It was too easy to say “NO!” when asked to make changes to a control, process, or other tactical change. If we didn’t understand the purpose of the request, we said “it's not secure”. If we haven't been hacked, it must be safe… If it is not broke – don't change it. This created a perception of cybersecurity being a business dis-abler.

Business leaders are looking for ways to expand their business's footprint, increase revenue, reduce overhead, and have the ability to change direction easily and quickly. This is where cybersecurity teams get scared. These strategic goals mean that change needs to occur, and that a CISO will inherit ownership of something that we have not seen or done before, or that may have been poorly designed, which amounts to admitting to previous misconceptions of cybersecurity preparedness. And then there is the accountability factor for processes or practices that were designed for some other function and may not be fit for the newly defined application. The cybersecurity team feels that uninformed business people made a decision without consulting them first, and that causes us to be accountable for things that we had no say in.

We, as a community of cybersecurity professionals, cannot just say “NO!” and we cannot simply suggest expensive solutions to mitigate perceived threats that are not aligned with what the business needs. For example, we cannot demand $100M for new tools in exchange for increasing revenue by $1M. We must be able to understand the need, explain the challenges, offer alternatives, negotiate, and at the end of the day – ensure that risk is accepted at the correct level of leadership with the correct understanding.

Many C-level business leaders regard cybersecurity professionals as somewhat arrogant, unreasonable and immature individuals who lack business acumen and the ability to accept accountability. Cybersecurity professionals, in turn, may be guilty of assuming that those same C-levels are unaware of risk or are willing to accept risks just to meet new business objectives – without our input.

My challenge, for each of you (business or cybersecurity leaders), is to LISTEN to each other to learn about each other's challenges. In my experience, once we leave our arrogance at the door, we will learn that both business and cybersecurity leaders are trying to accomplish the same thing – just from a different perspective and with different approaches. Great cybersecurity leaders will also want to expand the business footprint, increase revenue, and reduce overhead – while managing risk. However, for anyone to listen and learn, you must take time to build relationships with your peers. What are their strategic goals? What keeps them awake at night? What are their 1-, 3-, 5-, and 10-year plans? What can you do in your 1-year plan to help your peer's 3-year plan?

You see, in the past, cybersecurity teams were just trying to put out the fire of the day. And they got the job done and kept the lights on – but no one realized they were actually doing a great job. In all practicality, cybersecurity is actually a game of zeros. When you have zero breaches and zero outages, you create zero room at the big table, and the general perception is that all is fine with cybersecurity. That is until something happens – and in today's world – that something can be catastrophic.

We now have some understanding of the historically induced challenges that have kept cybersecurity and business executives out of alignment. So, what can be done to create alignment – and keep things aligned?

First, cybersecurity teams must have a seat at the board room table so that we can learn what the 10-year strategic plan is, and gain a true understanding as to the rationale behind short-term decisions. Then cybersecurity teams can share their views during the early stages of strategic design, which will assist in keeping all teams aligned in the right direction as a single team. It’s like playing the business version of Pin the Tail on the Donkey. After spinning around in circles, when it's determined that some aspect of the plan or member of the team is headed in the wrong direction, another member of the team can nudge them in the right direction. If the alignment check between team members comes a few months after they've been spun around, it shouldn’t be a surprise to find them so far away from the donkey that it will be difficult to even get them back to the correct zip code.

Second, cybersecurity teams need to be aware of their organization's business plans so they can become real strategic partners. As CISO, get to every facility and visit with every business stakeholder, and get to know who they are, what they do, what their challenges are, and what makes them successful. If you understand their needs and challenges, you can effect better controls. Remember, cybersecurity cannot be the department of “NO!”. If you make the controls too difficult and do not understand their impact on your organization's business plans, they will find ways to work around you.

Lastly, the need for transparency is critical. Strategically align business and cybersecurity objectives. Collaborate on what your cybersecurity and business peers’ critical success factors are. Find appropriate metrics to ensure CSF/KPIs are collected and the analytics are available to your peers. Communicate hits and misses of these data points. Remember the saying that the things that get measured get done. When you are transparent about your measurements, they get done quicker. Experts suggest that if you want to lose weight – keep a log. Weigh yourself regularly, document it, and look at the trends. When you see trends start to go the wrong way, it's time to make adjustments. If you keep these logs public, you will be even more accountable. In other words, transparency wins!

Bonus thought! You will know you're headed in the right direction when you cannot perceive a difference between cybersecurity and business objectives. At this point, you’ve reached a level of alignment where your cybersecurity and business management are moving together to successfully accomplish more challenging and ever-changing business priorities.