A Defensible Cybersecurity Program...Friday Morning Cyberamblings
A defensible cybersecurity program requires a fine balance between protection and the always super-ordinate role of running the business.
We know that as our digitization efforts evolve, and as cybersecurity threats grow and accelerate, there is really only one path security and risk leaders can take to protect the organization successfully and effectively: implement and operationalize a sustainable, continuous cybersecurity program. Unfortunately, our organizations are often more preoccupied with ticking off the correct compliance boxes than with investing in developing and implementing effective, risk-based controls.
To achieve the required level of executive buy-in for our cybersecurity vision, we must ensure that strategic objectives and components make sense, are relevant, and are framed in nontechnical language.
Failure to address the above inevitably results in programs lacking defensibility at the operational and business levels, exacerbating mistrust and making it more difficult to obtain critically needed support and funding. How often have we interacted with business leaders who continue to view security as a business barrier because the proposed security program fails to demonstrate that it is truly linked to the desired business outcomes?
To be successful, a defensible cybersecurity management program requires that security and risk management leadership carry the business along as they develop governance and the ability to assess and interpret risk effectively.
(Summary based on yet another great read at one of my favourite watering holes—Gartner)
Have a great weekend, y'all... Stay happy, hearty and safe!
Richard