Ensuring your cybersecurity teams are helping the business

Pivot the cybersecurity oversight mindset

Chief Information Security Officers (CISOs) should be held responsible for more than their perspectives on risk. When thinking through the prism of a traditional SWOT (Strengths, Weaknesses, Opportunities and Threats) model, cybersecurity oversight typically homes in on the weaknesses and threats side of the equation. CISOs tend to heavily index in these areas to address the issues that may prevent a business from meeting its objectives. Though it isn’t wrong to think about the threats and weaknesses from an oversight and risk management perspective, it usually leads to financial dialogues that sound like insurance policy purchase discussions. Questions like, “What percentage of IT spend should the cybersecurity budget be?” are used to make appropriations decisions at budget time; this is similar to determining the price of insurance coverage on your business or your house based on its value. The conversation should actually be far more nuanced, because otherwise it omits the strengths and opportunities side of the equation. The key pivot to make is from an insurance mindset to an investment opportunity mindset that stimulates growth, addresses weaknesses or accomplishes both at once.

Changing the mindset to focus on strengths and opportunities completely alters the tenor of the dialogue and the potential outcomes. Of course, cybersecurity and risk management are used to protect the business. By not limiting focus to weaknesses and threats, leadership gets more out of CISOs. As a corollary example, businesses do not expect CFOs to think solely about protecting the finances of an organization. They are also expected to think of ways to grow the top and bottom lines, whether by generating ideas about new products or revenue streams, or by improving organizational efficiencies. To truly earn their seat at the table, CISOs must be expected to think in a similar way.