How to Bridge the Gap Between the Security and Business Teams

September 25, 2018
Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic and holds an MSc. from Charles University, the oldest university in Central Europe.

For those of us in the information security sphere, potential breaches and new regulations like GDPR are always top of mind, as are ways to continuously improve the security measures our companies already have in place. But outside the realm of security, the rest of the business operates fairly independently, and it can be challenging to help our colleagues—most of whom don’t (and shouldn’t!) spend all day thinking about security threats—understand the security risks and how to mitigate them.

Kevin Townsend recently wrote about the need to address the gap that exists between security teams and the rest of the business, and how CISOs are always striving to balance cybersecurity metrics with business needs. In particular, he cited a recent survey by security firm Varonis that found that the business and their security teams are not fully aligned.

I often get questions about this lack of alignment. How do you talk to the business about security in a way that makes sense to them? Typically, metrics are suggested as a way to present information in a clear, easy-to-understand manner, and they can be a great option for CISOs looking to get their point across. However, I find there are two primary challenges with this approach.

1. Get the Right Data to the Right Audience at the Right Time

The first challenge is that while the security team consists of security experts, they’re not also experts in every part of the business. They may not know or understand which security metrics would be most beneficial for a certain business function to see, or they may not know the best way to present the metrics they’ve identified. Maybe a CFO is more interested in metrics regarding risk that could more directly impact the bottom line starting in Q1 next year. Or maybe the marketing team is more interested in metrics that highlight risks to personal data, a leak of which could damage the company’s reputation. An experienced CISO is well aware of that; however, it can be hard to make the right messages visible in the vast amount of global security metrics.

One way to address this challenge is to introduce a platform that can do all of this for them—collect data on individual metrics, analyze it, and distribute the results via reports which are customized for the recipient. Products like this remove much of the burden of metric translation and distribution from CISOs, who are then free to focus on alignment around the security risks with their business counterparts instead of on analyzing and building custom reports.

2. Security teams need to avoid making colleagues “burned out” on security topics

Second, CISOs should strive to keep security updates relevant and timely, which means metrics presentations and reports should be delivered rarely. Unless there is a critical issue or significant business transformation, an annual presentation of the key trends, the evolution of the threat landscape, and the strategic security plans is all that the board should be receiving from security.

Many of my fellow CISOs feel that the board needs to receive security metrics often enough to show trends and keep security top of mind, but my main concern is fatigue. The board needs to be steering the company, not reviewing operational reports. Ideally, if all is going as it should, there should be very little in the way of security updates. If I’m constantly giving presentations or updates that only reinforce messages the business has already heard, and there is no call for action at the board level, then I may be less likely to be taken seriously when I do need something. In the end, the risk of not getting immediate attention could have grave consequences.

However, it was clear to me from the conversations with my fellow CISOs that decisions in this area really vary. What’s necessary or best practice will depend on the sector, company size, maturity of security in the company and a number of other factors. What’s important is finding and using metrics that not only speak clearly to the recipient but, more importantly, are relevant and actionable. Only then do the security KPIs support proper alignment between security and the business to minimize risk for the long term.
