- When devising an aligned cybersecurity and business strategy, companies should only identify their individual risks — not those of their industry or competitors, according to Jeffrey Wheatman, VP of advisory at Gartner, while speaking during the virtual Gartner Security & Risk Management Summit Tuesday.
- "How are we going to engage with our business stakeholders to strike the appropriate level of balance between running the business and protecting the business?" Wheatman said. Companies will be able to answer this once they've established overall business goals and identified risks.
- The common issue security and business leaders run into is miscommunication, according to Wheatman. Either high-level business strategies are too vague for security leaders, or too much detail fails to resonate with business leaders.
Companies need their security leaders to connect "what we know with what we feel" for stakeholders, Wheatman said. Oftentimes stakeholders will know cybersecurity is important for the business, but they don't exactly know why.
Security executives cannot always present risks as negatives, describing how a company will fail if a risk goes unaddressed. In some cases where risk is present, such as IT modernization, taking the risk directly benefits overall business goals and competitiveness.
The tactics and approaches to identifying risks that help move the business toward its goals will vary depending on the situation. "If you're very heavily in the cloud, you're going to need to think differently about how you're going to be implementing your controls," said Wheatman.
Companies will have to develop metrics to track improvements over time. "These are the things that actually need to come after building this out and communicating," he said.
Business goals will differ from company to company, and they all have to align with what the C-suite and board expects. Goals can range from growing revenue to creating more jobs or retaining customers.
Leaders should not adopt goals unless they are specific to their business, Wheatman said. "Don't make the mistake that folks make which is just to copy what comes in the toolkit or the template."
Some stakeholders are concerned that their business goals are too "fluffy and abstract," but that is "actually better," said Wheatman. It's difficult for security and risk executives to connect "anything we do in security that's going to help raise revenue by 6% year over year," he said. "But you can talk about being the best, you can talk about reputation." For a quick win, executives can even refer to their company's website to find value statements, typically in the "about us" dropdown.
When identifying risks, Wheatman advises leaders to stay away from too much technical jargon. "The phrase that I like to use is technology-related risks. These are risks that your organization faces, as a result of technology," including implementation, updates, the cloud and OT. The areas directly affected by these technology-related risks include intellectual property protection, regulatory compliance and resilience.
Companies can perform risk assessments or use peer support groups to find common risks, though the risks they settle on should still be specific to the individual company. Companies can also use audits, but Wheatman recommends staying aware of the checkbox nature of audits and adding context to their findings.
"Oftentimes, people have 20 to 30 risks — that is far, far too much," Wheatman said. Aim for between five and seven.