A report by the Center for Strategic and International Studies revealed that there are three levels of misaligned incentives that work against cyber security in organizations:
- The corporate structure of organizations vs. the free flow of criminal enterprises: The incentives of attackers are shaped by a decentralized, fluid market, while the defending corporations are constrained by rigid bureaucracy and top-down decision-making systems.
- Misaligned strategy and implementation: More than 90% of organizations have a security plan in place. However, not even half of these organizations have implemented these policies.
- Senior executives vs. those in implementation roles: The parameters by which the top executives who design the strategy measure success are different from those of the team that implements cyber security.
What can companies do?
There is no one-size-fits-all solution for aligning cyber security with strategic execution; no single solution will work for all enterprises. Different techniques suit different organizations depending on their culture and environment. However, at a broad level, a few of the organizational areas that are important for attaining business alignment of cyber security are:
Culture: Developing a culture across the organization that embeds secure practices into daily routine tasks is probably the best way to achieve security objectives. Management may define security policies, but if not everyone follows them, they fail their purpose. If everyone from top to bottom supports them as part of the daily routine without compromise, even if that costs the company a little more, the policies have the best chance of success. Managers, users, IT professionals and everyone else should be able to make a wise, policy-based decision when it comes to information risk.
Planning: Strategic and tactical planning of security across the organization provides the best opportunity to align individual security projects with business requirements. It is best to leverage enterprise architecture principles in the planning of security processes. Building cyber security directly into the enterprise architecture also gives it the best chance of being adopted and followed in every project.
Processes: Implementing industry-standard systems, such as the Information Security Management System (ISMS) prescribed by ISO 27001, provides the ability to assess, develop and deploy security solutions as and when the organization requires them. These processes make the evaluation of the organization's security requirements a continuous process instead of a one-off security implementation.
Communication: Communication about incidents, resolutions and other security-related activities should be defined as service level metrics and built into the service level agreements between the IT organization, users and partners.
Competencies: Cyber security experts are expected to have technical skills. However, to align with the business, they must also have business skills, such as an understanding of business architecture, personal communication, and marketing (of security ideas within the organization, at levels above, below and on a par with the expert).
Technology: It is not just about implementing the best tools on the market that meet your requirements. Organizations also need to set up best-of-breed processes and practices related to technology. Implementing processes based on standards such as ITIL (V3) ensures that security controls are technically integrated with IT services.
Relationships: The alignment of any department with the business depends on the cooperation and support of decision makers and stakeholders. Security is no different. The cyber security department must maintain alignment with key people to gain visibility into the business and to obtain the appropriate and required resources to do its job.
Business alignment of cyber security cannot be addressed with a one-size-fits-all approach. It needs time, resources and a comprehensive strategy to integrate and build security into the business practices and the organization's business model.