CISOs can deliver better outcomes and get the support they need by linking security processes to business results, suggests this writer.

Every organization should have an accurate list of all its assets and rank those in order of importance. By understanding which assets, applications, or sets of data are most critical to protect, CISOs can set out rules and processes for stopping vulnerabilities.

It is also equally important to look at who is responsible for applying those fixes to assets, including people outside of the IT security team.

While the IT security team will provide alerts on issues that need fixing, they will have to turn to the IT operations, services or a business unit team to apply the patches. However, these areas may have been outsourced, which could lead to further potential problems or delays in applying fixes.

In the most complex environments, there may be multiple teams involved in the process. Where possible, keep the number of people involved to a minimum because more people often slow down progress. This can affect change control processes and sign-offs on rollout updates. It can also lead to problems around what is covered by key performance indicators (KPI).

Risk management via KPIs

At one organization, its dashboard had all green lights for patching status, but security issues kept coming up.

After further investigation, it was discovered that its outsourcing firm was contracted to handle and report on desktop operating system updates rather than apply patches. When the security team looked at the bigger picture around applications on those assets, the situation was different and there were multiple issues to resolve.

Once the KPI and the contract were updated to cover all software assets, security eventually improved.

In this instance, thinking about business responsibilities around risk management can help CISOs to get the support they need and deliver better outcomes—by linking security processes to business results.

Not every CISO will have the opportunity to use the CEO’s clout to get what they need in place. For other CISOs, the challenge is more around how to provide the right information to the management team and the board to demonstrate how their approach works.

In other words, the security posture of an organization can be improved significantly by involving the whole business in the security process.

The whole organization gets involved

In practice, involving everyone in the organization in improving cybersecurity starts with the board of directors issuing an edict to the CEO around reducing risk. Rather than treating this as solely a technology process, involving the CEO means it became a business process issue instead.

So, the CEO and CISO will then have to implement a key performance indicator (KPI) based on the number of vulnerabilities on each machine in their business. They know that driving this number down would greatly reduce cyber risks from ransomware and other attacks. 

Next, the CEO places the responsibility for this KPI on each business unit’s department head rather than onto the IT department. This forces the business to integrate better with IT across all operations, and ensures the change process and sign-off procedures remain slick from the start.

As each department lead is responsible for individual team results, all decision makers will be focused on getting things done right and on time.

Another key benefit of this approach is that changes on the business side can be flagged as early as possible, thereby enabling security issues to be flagged and address at the beginning of every business process rather than at the end.