Interview by Maxfield Barker, Sr Marketing Coordinator, Kudelski Security
Pressures facing security leaders continue to increase. More frequently industry leaders are focusing on the role of CISO as a risk management business executive, not solely a security leader. CISOs need to drive and communicate on a program that is aligned with the overarching business objectives and risk appetite. With the myriad, ever-evolving elements of a comprehensive security program and associated risks, this is a tall order. Modern CISOs need new software to facilitate these challenges. Thus, the invention of Secure Blueprint, a cyber business management platform for cyber leadership.
The following discussion with John Hellickson, vice president of US services at Kudelski Security, describes the driving need and rationale for this new category of security product.
What is Secure Blueprint and where did the idea come from?
Secure Blueprint is a new, innovative approach by Kudelski Security to designing comprehensive, agile, and business-aligned security programs. It includes software that enables CISOs to plan, execute and improve programs while keeping alignment with business objectives. It delivers metrics that demonstrate program maturity and areas of priority and risk, so smarter investment decisions can be made, and creates dashboards to enable risk-based storytelling conversations with boards and executive peers.
It’s a well-known fact that boards are being asked to know more about cyber issues, while CISOs are challenged discussing those needs with the board in a way that instills confidence in their security program.
CISOs must now think more like a CEO than ever before, as treating cybersecurity as just another IT function has proven to be limiting when combating today’s advanced threat landscape. Cybersecurity is a critical concern for business and executive leaders at the highest level of all organizations and governments; therefore, bridging the gap between business objectives and prioritizing security investments is essential.
Recently, C-suites and boards have been expecting more of their cyber leadership in communicating the value of selected security investments, with progress improvements and reduction in business risk as outcomes. This trend is indicative of the desire by the C-suite to learn and increase support for the CISO role to prevent a cyber attack. Therefore, CISOs need to develop executive presence, change their mindset and approach, demonstrate decisiveness and agility, and speak in a language that the C-suite understands.
What is the biggest challenge you are addressing?
It’s hard to effectively plan, budget and justify investments if you can’t measure the maturity of your programs and the progress made. And if you don’t have this knowledge, how can you gain the necessary visibility for achieving your strategic goals? And with no ability to understand where ongoing gaps exist and demonstrate progress, how can you instill confidence in your security program and strategy with business leaders?
What does the board need to know?
Well, let’s start with what they don’t need to know. Overly detailed answers that delve into day-to-day security operations may overwhelm or frustrate the board. Unfortunately, this is what CISOs have traditionally provided, due to their technical backgrounds.
What boards actually need is for the CISO to articulate relevant security threats to the organization and industry. Boards want a clear sense of cyber program target maturity and how the CISO is closing the gap. In order for CISOs to deliver this kind of information, they need to be ready to communicate the following:
- State of cyber program maturity and roadmap
- Top Industry Threats & Trending
- Priority 1 Initiatives & business outcomes
- High-Level Business Oriented Cyber Risks
- Timely related incidents and organization impact
…which is exactly what our Secure Blueprint platform provides.
So, Secure Blueprint goes beyond just board reporting to helping the CISO with a structurally different approach to building and executing their security agenda.
Board reporting is crucial, though, and can be one of the most difficult aspects for any CISO to master. But more importantly, you need to both run your cybersecurity program as a business and articulate this in the framework and language that business leaders understand.
Gartner summarizes it nicely in this article, by stating: “Organizations need to develop a strategic planning capability that enables the organization to develop and refine a roadmap of investments that recognizes a continuous change in the business, technology and threat environments.”
Cybersecurity is still a relatively young field, where evolving threats keep best practices fluid; where the intense pressure to deliver grows constantly and where company culture and industry context matter greatly. With so many variables, how can cyber leaders chart a path to success in today’s CISO role?
The solution is to run cyber programs like you run a business. Think of your cyber portfolio more as a business portfolio. Your board will want to know if your cybersecurity initiatives align with the enterprise’s objectives. The CISO needs to measure the cybersecurity program’s success. You can do this by blending and measuring qualitative and quantitative risk along with program maturity. The CISO also needs to know which investments make the most of the cybersecurity program. These are some of the things that every CISO should have on their mind and be able to communicate on a regular basis.
Put simply, the outcome should be the ability to present a cybersecurity program strategy and progress status to the C-suite in a communication method that resonates with an executive audience.
So, what does that solution look like?
Stay tuned for part two to find out!