By V3 Cybersecurity
Since the times of ancient Egypt, visualization has played a prominent role in how we communicate. As leaders, we often look to the past for inspiration and think of new ways to apply the teachings of history. Why should cybersecurity be any different? Unfortunately, in our attempts to prove our technical knowledge and forward-thinking, oftentimes we diminish our ability to be effective. Albert Einstein is quoted as saying, “If you can’t explain it simply, you do not understand it enough.” As cybersecurity leaders, our largest challenge is not controls or compliance but is how we communicate.
The cybersecurity leaders of tomorrow will follow a simple four-step method in their approach to cybersecurity. This approach will take the place of the current model in which we ask resources to sew a patchwork quilt with Third-Party Assessments, GRC tools, and Self Assessments. Even if you are good enough to figure out how to consistently deliver the message, this approach has inherent flaws.
Let’s begin with third-party assessments. Unless you have timed the assessment to coincide with your board meeting or event, you are working with old data. Even if timed well, you are plagued with interviewer bias and response distance which drives the quality of data issues into your reporting. Lastly, I call it captivity. In today’s consulting model the only way for you to gain the needed visibility is to pay for another assessment. With these never-ending assessments, no wonder they are willing to take us for a good meal.
Secondly, we will focus on our favorite GRC tools. There is no doubt that these tools can play a role in an effective security program, but what was sold is not necessarily what is delivered. What we were sold was business context and reduction of risk, but what was delivered was a compliance-driven workflow tool that is operational in nature. This is good if you subscribe to the failed communication approach of “More content is better!” This approach leaves Boards and C-suite peers asking themselves, “So what?”
Lastly, the grueling task of self-assessments. In speaking with persons given this charge, they are overwhelmed and find themselves chasing the organization to participate. While this task is important, they have signed up to be in the field of security and not in a perpetual world of baby-sitting. Needless to say, once they have done the hard work of getting the organization to participate, they then have to aggregate the data which is prone to human error.
Enough with discussing today’s reality. Our ability to communicate effectively and unlock performance can be achieved in a four-step method. The steps are as follows:
- Leverage the industry
- Leverage the organization
- Leverage technology
- Leverage each other
Step 1: Leverage the industry
Our industry has evolved so quickly that many organizations still utilize controls that are uniquely defined. We must understand that in doing so, we isolate our organization from our peers and limit our effectiveness. While you might be able to justify needing unique controls, you are creating your own language. With adoption of so many common frameworks and standards such as ISO and NIST, there is no reason to isolate your organization. Start by selecting a control framework that is best aligned with your organization and join the community.
Step 2: Leverage the organization
Accountability and clarity go a long way in obtaining the results you need to effectively communicate the status of your security program. We must clearly define control owners and ensure that those closest to the control are the ones answering for us. We often see organizations providing input that is not aligned with their actual maturity or control posture. This typically happens as a result of the response distance. As the response distance increases, there is a reduction in data quality. Equally, while a number of controls are typically centralized in execution, we must do our best to gain visibility across the organization and that means integrating our response owners with our neighbors (Application Development, Infrastructure, Security, etc.).
Step 3: Leverage technology
In today’s digital world, we need to leverage technology to ensure that we are aggregating our responses effectively thus allowing our security resources to drive value in their management of the resulting data, and not in the administrative action of compiling spreadsheets. The ability to consistently produce results in a common language will not only help drive a consistent message but will help train our colleagues. Using a common language will drive higher organizational awareness and enhance business continuity.
Step 4: Leverage each other
The days of going to the annual convention to find out what our peers are doing is not enough. After we have executed on the first three steps, we need a vehicle to provide insight into our results. This fourth step is where the true impact on your organization is demonstrable. Once we have meaningful views into our peers, we will unlock a new dimension of security leadership. Dynamic visibility into our security program will reduce the liability to our board members regarding their responsibility of compliance oversight. Our ability to leverage each other is the key to establishing due care on behalf of the organization. Equally, with this visibility, we will establish a self-advancing model for security programs as each member works to improve in their areas of weakness and in doing so, increase the baseline for establishing due care.
Companies like V3 Cybersecurity, Inc are tackling these very questions and providing solutions that will change the way that Cybersecurity leaders communicate. “Communication for cybersecurity leaders is evolving into a conversation about business risk. Business risk is a common language that transcends organizational boundaries. Our ability to communicate business risk through visualization is key to unlocking organizational performance,” says Jorge Conde-Berrocal, CEO of V3 Cybersecurity, Inc. “Helping our community solve these long-standing challenges is our mission!” he concluded.
Knowledge is power, but wisdom is empowering!
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.