Corporations big and small place at least some emphasis on cybersecurity, but when it comes to establishing a company strategy with data security in mind, many security leaders remain relegated to an “as-needed,” “cost-center” position. This paradigm places security teams in a no-win scenario: once something bad happens, they are to blame and must react immediately, but if nothing happens, the conclusion drawn is that there is no need to more deeply integrate privacy or data security as a feature of the business.
Define threats based on what matters to the business
A company strategy integrating security and privacy not only starts at the top, it starts at the beginning. Any for-profit business must focus first and foremost on the processes that enable it to make money, so for security leaders it is very important to focus on the profit centers. Conversations with business unit leaders will allow the security leader to understand what really matters, brainstorm ways to align security strategy to those needs, and in turn demonstrate that security can be an enabler for the core business, not just a necessary break-glass auxiliary.
For example, the head of the accounts payable department will likely have a much better idea of which keywords or activities are out of pattern, and thus worthy of actionable alerts to prevent BEC attacks, than the security team would by operating in a bubble and basing its assumptions and alerts on its own independent research.
Present yourself as a trusted technical advisor translating facts through the security lens
With a baseline understanding between security and the business established, a security leader can focus on making the most of opportunities to interact with company leadership on business decisions. At most companies, the security leader is not well positioned to recommend a particular conclusion, but is in an excellent position to provide fact-based intelligence briefings that add tangible value to the decision-making process others are undertaking.
Among the questions a security leader can address that could have outsized impact on the bottom line are:
- How can we evaluate the security risk of this acquisition target?
- Does this product line we are exploring launching come with significantly higher integration and follow-on cyber risk, and thus cost?
- How are peers in the market we are thinking about entering targeted by cyber threat actors, and what could this mean for our business if we enter that market?
Push down and out within the company
Finally, with a strong level of respect established at the company leadership level, push the integration of security and business down to the rest of the team. A CISO may interact with a small group of company leadership, but the individuals on the security team collectively interact with many key departments on a regular basis.
If the security team as a whole is seen as a neutral advisor providing fact-based technical advice on the many smaller decisions individuals and business units make on a regular basis, everyone in the company will be in a position not only to integrate a security mindset into their work, but to enable better business outcomes in the process.