In the spirit of bringing fresh perspectives to cybersecurity leadership, Kudelski Security has been reconsidering the way CISOs approach cybersecurity program management. The Investment Portfolio approach builds on the fundamentals of financial management, enabling CISOs to optimize their security programs by managing them along the lines of a financial investment portfolio.
This approach not only provides a strong structure for organizing a cyber program, but also enables CISOs to answer the age-old question of how to generate buy-in from C-suite colleagues and boards of directors. It helps create a culture of shared cyber risk ownership across the organization, and challenges the antiquated notion that cybersecurity is principally a technical problem or an exercise in compliance.
A cursory comparison between what high-net-worth portfolio managers and CISOs do reveals a high degree of commonality in many broad thematic areas. Underlying concepts include:
- High-trust businesses
- A focus on risk management and maximizing investments
- Progress unnoticed until poor performance happens
- A need to manage complexity in hyper-dynamic environments, while looking to predict stock market movement/emerging threats
- The continuous evaluation of portfolios
- The use of models and analysis for decision making
- Continuous communication of performance to stakeholders
Unpacking each of these concepts is the starting point for CISOs interested in adopting a portfolio management mindset that can help focus cyber investments on the highest-impact/greatest risk-reduction priority areas.
The similarities center not only on the broader thematic areas and underlying concepts listed above, but relate also to the operating models, frameworks and analysis techniques that both professions use to manage business risk.
There are several models that need unpacking. Below we summarize one of them – Research Analysis: Stocks & Components.
Research Analysis: Stocks & Components
To create a strategic security organization, CISOs need to learn and evaluate their business like a CEO. High-net-worth portfolio managers perform detailed analysis on the stocks within their investment portfolios, and at the same time study those businesses in order to understand, at a macro level, the growth, opportunities, threats and risks associated with those same companies.
Continuous evaluation of the business and of the cyber program's components is a challenging but important part of the CISO's role. When done effectively, with KPIs and appropriate metrics, it enables CISOs to consistently make smart, risk-aligned decisions and to communicate persuasively with senior leadership and the board.
A mindset shift towards viewing your cyber program as a set of comprehensive capabilities will enable you to evaluate the maturity, threats, risks and investments of your cyber program. This investment portfolio approach can help CISOs better communicate decisions and build confidence in the eyes of the executive management team and board members.
Our first CISO Fresh Thinking webinar, “An Investment Portfolio Approach to Cyber Program Management,” explores this and other key issues in greater depth.
You can download the webinar now to hear Mark Butler, CISO at Fiserv, in conversation with Kudelski Security's Mark Carney, Vice President of Global Consulting Services, and learn how this particular shift in mindset can help you fulfill your mandate better.
Previously, he was the CISO at FireMon and Vice President of Strategic Services at FishNet Security. Mark has an MBA with a specialization in management information systems and a bachelor's degree in business administration from the University of Missouri-Kansas City. Mark currently holds the CISSP, CRISC and C|CISO designations.