Identifying Ways to Deliver Faster Cybersecurity Business Value

Richard Addiscott, Senior Director Analyst at Gartner, explains cybersecurity leaders must demonstrate the value of cybersecurity in business and change the perception of business leaders towards cybersecurity.

Fast-evolving and challenging global economic conditions are driving organizations to accelerate their digital business transformations. Cybersecurity leaders must also accelerate their efforts and demonstrate security’s critical role in their organizations’ digital ambitions.

An agile and responsive cybersecurity function enables secure growth and helps in fostering a sustained competitive advantage against those taking a more conservative approach. However, cybersecurity leaders find it challenging to prioritize and invest in security practices in sustainable ways as business demand increases.

To enhance the security capabilities and support the organization’s growing digital business, cybersecurity leaders must follow the cybersecurity accelerators outlined below:

1. Win Differently: Foster Increased Speed and Agility
Cybersecurity leaders need to win differently by identifying and capturing the new demand for security capabilities. Flexibility, autonomy, modularity, discovery, and self-service are at the core of digital transformation efforts. This requires creating new or revising existing security strategies, security operating models and ways of working. To win differently, cybersecurity leaders should employ quick wins and smart tactics.

Quick Win: Business Strategy Review
Cybersecurity leaders must set up a process where the entire security team needs to read the organization’s business strategy or annual report. The team should develop a short presentation that shows how the security strategy and program support the business’s ability to achieve the organization’s strategic objectives. Doing this regularly also helps identify where planned security initiatives are no longer required because of evolving business needs.

Smart Tactic: Establish “Break the Rules” Meetings
Holding regular “break the rules” meetings where security team members can challenge the status quo on rules, take existing procedures back to the beginning and start again, can help expose things that the team is working on and the controls that are being deployed that aren’t delivering value. By doing so, cybersecurity leaders can also empower the security team to do some free thinking, leading to creativity and ideation.

New Directions: Test Human-Centric Security Design
Human-centric security design (HCSD) puts the employee experience at the center of security control design and implementation to help minimize cybersecurity-induced friction and optimize control adoption. The benefits associated with this approach include increased control adoption, fewer cybersecurity incidents caused by unsecure employee actions and increased value return on security investment.

2. Unleash Force Multipliers to Prioritize Changes That Amplify Effort
A force multiplier is an action that serves to create, or amplify, positive momentum toward a desirable outcome. Force multipliers can be contextual levers that enable changes such as informed security decision making within the current business. They can be strategic levers, like adapting the security operating model so it delivers more value to the organization’s internal and, potentially, external customers. When resources are limited, this should be a core focus for chief information and security officers (CISOs). By using force multipliers in cybersecurity, CISOs can amplify positive effects exponentially. Here are few ways in which CISOs can unleash force multipliers:

Win Over the Critics
Find the security team’s biggest critics at the executive level. Address their concerns first by aligning to their goals to help smooth the way for later-stage discussions. This will provide the opportunity to transform critics into key champions for the security program who can help drive increased support from other business areas. By doing this, cybersecurity leaders will stand a much better chance of securing their critics’ support by demonstrating they are mindful of, and are willing to work hard to address, concerns.

Security Champions Program
Cybersecurity leaders must establish a security champions program. This involves identifying and recruiting personnel from across the organization to become communication conduits between the security team and other business units. Key to the success of these programs is selecting security champions from business areas that can demonstrate the requisite aptitude and then investing in them to develop the security knowledge needed to perform their roles effectively. An effective security champions program will help cybersecurity leaders to improve message penetration for security communications into key business areas and raise awareness of security challenges and give rise to improved levels of security consciousness across the organization.

Establish a Security Behavior and Culture Program
Security behaviour and culture programs (SBCPs) extend beyond traditional approaches by raising security awareness with a more holistic and integrated program. It helps foster more secure behaviour across the organization, cultivates and embeds a more security-conscious corporate culture and reduces the number of cybersecurity incidents caused by employee actions.

Additional analysis on cybersecurity and risk management will be presented during Gartner Security & Risk Management Summit 2024 in Dubai, February 12-13.