To ensure that cybersecurity is not perceived as a burden but as a contributor to the development of the company, it is essential to align the cybersecurity strategy with the business strategy. To that end, every CISO needs a plan, and cybersecurity professionals must be able to speak the same language as business leaders.
Recently, I had the chance to discuss cybersecurity issues in front of Executive MBA alumni. This mission was quite difficult. Indeed, even if the subject is fascinating for professionals in the field, it tends to put off non-specialists, when it does not simply frighten them. However …
At any time, the economic health of your business and its reputation can be undermined by a malicious third party. Legal risks are also increasing. In order to provide consumers with trustworthy services and to guarantee the protection of their personal data, regulators increasingly encourage economic actors to put in place controls leading to state-of-the-art cybersecurity. This trend is illustrated in particular by the French military programming law (LPM) and the upcoming European General Data Protection Regulation (GDPR).
Business and security still too far apart
In a rapidly changing environment, organizations need to take cybersecurity issues into account in a smarter and more agile manner. And that is anything but simple.
A recent study by The Economist highlighted the distance between those responsible for the business and those responsible for cybersecurity. It revealed significant gaps in the perception of risks and cyber threats, of the assets to be protected, and of data governance issues. While reputation is the first asset company executives want to protect, regulated data is the main concern of cybersecurity stakeholders.
In this context, how can we achieve efficient cybersecurity?
- Develop a real cybersecurity strategy
Through an accurate identification of the most sensitive information assets in the value chain and the information systems, and after an analysis of the risks incurred, it becomes possible to define and implement a strategy that guarantees improved security. A grand word such as strategy can put off more than a few people. Yet determining the essential purposes and objectives of sustainable cybersecurity for the company is obvious, simple and, above all, particularly necessary. The strategy must then make it possible to put in place an appropriate action plan and to allocate adequate resources to achieve the objectives set. Employee awareness, continuous risk and threat assessments, the sourcing of strategic cybersecurity partners, and the establishment of incident response procedures are among the levers available to improve cybersecurity. With a well-thought-out strategy, you can invest wisely.
- Align cybersecurity strategy with business strategy
If you, as a CIO or CISO, want the right resources to carry out your mission, it is essential that management perceives the importance of cybersecurity for business development. The emergence of connected objects within business processes, clients' demands to access information more easily through open interfaces (APIs), and the need to share data more efficiently with partners are all drivers that push the business to evolve its information systems towards more openness and agility. In this context, cybersecurity becomes an ally of business performance and of optimized risk management.
- Translate the concepts of strategy and business management into cybersecurity
CISOs or InfoSec managers must therefore be connected to management and, for that, the two sides must understand each other. For example, rather than referring to technical standards such as ISO 27001 or ISO 27005 and using jargon such as SOA (statement of applicability), a CISO who wants to persuade the company's management to take new steps will be listened to carefully if he speaks about the need to pinpoint, in the value chain, the activities and key information assets that create the most value for the company, in order to enforce better risk management and to protect these key assets. By using the codes understood by business leaders and executives, cybersecurity professionals will be able to convince them, and cybersecurity will smoothly become an integral part of the company's business culture.
The cyber-chasm: how the disconnect between the C-suite and security endangers the enterprise, a report from The Economist Intelligence Unit, 2016.