FINAL WORD

Security policies need to be mapped to business outcomes

It is not sufficient merely to chalk out awareness programmes; they must also show impact on business, elaborates Ant Allan at Gartner.
Cybersecurity is no longer just an IT problem. As digital business evolves to include ecosystems and the open digital world, cybersecurity needs to evolve from a back-office IT problem to an enterprise-wide business consideration. These digital business needs will be supported by technologies, and the CIO will be responsible for implementing those technologies, as well as communicating to the executive team that security must be treated just like any other risk-based discipline in the business.
After all, actions like securing externally owned infrastructure and establishing digital trust with customers are tied to both cybersecurity and corporate performance.
Business value is the best lens for CIOs to appropriately manage technology risk and cybersecurity. CIOs engaging their peer executives to better understand the business value of IT will have more rigor and defensibility when their business case is tied to corporate performance dependencies on technology.
No perfect protection

IT professionals know there is no risk-free security. Unfortunately, executives think that with enough money and staff, IT can create a risk-free security setup. In the inevitable event of a hack or data breach, the blame falls squarely on the IT professionals. CIOs need to share the narrative that appropriate levels of security balance the need to protect with the need to run the business. This will enable more manageable expectations and turn risk and security into a business function.
Failure to assess the risks of a specific technology is parallel to business risk failures, such as a failure to complete due diligence during a merger.
In the day-to-day of business, executives often make risk-based decisions. CIOs need to get executives to expand their understanding and appetite for risk to include technologies that now support business endeavours.

CIOs should frame the risk in the context of how it affects the business outcome. Once business outcomes dependent on technology are considered at risk, business and IT leaders can decide if the risk is acceptable or if another option is needed.
Problem and a solution

It is well known that people are the biggest security risk, but they can actually also be a security asset. In the digital world, there has been a huge influx of technology and employee access to options such as mobile devices with company email. Old security techniques, including centralised control with mouse pads and posters with security catchphrases, are no longer efficient or sufficient means of managing security. The new approach must be designed to directly impact behaviour. People are just as decisive for success or failure in security as they are for risk and failure in the business. CIOs need to create a people-centric approach to security that shapes behaviour.
Act not just talk

Most risk-assessment programmes are very good at appraising risks, writing reports and surveying executives, but these reports rarely influence actual decisions and, as such, have little impact on risk.

Ant Allan is Research Vice President at Gartner.
Ensure that these risk assessments are simple and to the point, and deliver just enough information and defensibility to support specific decision making on a particular project. Develop a dashboard of leading technology indicators linked to business outcomes.
By mapping business outcomes to technology dependencies, CIOs will be able to identify the five to nine metrics to demonstrate both the business value of IT and the appropriate status of risk and security to executives and the board of directors. These metrics will link effective technology metrics to business outcomes to improve corporate performance.