Business leaders need to rethink the way they handle cybersecurity teams. Do leaders ask the right questions and understand how cybersecurity programs work?
Overseeing cybersecurity programs, whether at the board level or at the leadership level, has always been a challenge. The typical questions managers ask range from the general "Are we safe?" to more detailed questions about metrics, such as "How many vulnerabilities did you correct in the previous quarter?" The answers to these questions may not help to highlight the true effectiveness of the program. These types of questions often signal a lack of understanding of how cybersecurity teams work and a lack of vision for how cybersecurity can really help a business grow.
Efforts have been made to help leaders ask cybersecurity team leaders the right questions in order to improve their effectiveness. The National Association of Corporate Directors (NACD) has provided some excellent guidance on which questions to ask and which approaches business leaders should follow to make the most of the security team.
Change the mindset of cybersecurity oversight
Chief information security officers (CISOs) should be held accountable for most of their responsibilities regarding the risk of cyber threats. Viewed through the prism of a traditional SWOT (Strengths, Weaknesses, Opportunities and Threats) model, cybersecurity oversight usually touches on the weaknesses and threats side of the equation. CISOs tend, to a large degree, to deal with these areas in order to address issues that may prevent a business from achieving its goals. However, by remaining only on weaknesses and threats, cybersecurity becomes more of a security program than a potential guide for development.
While it is not wrong to think of threats and weaknesses in terms of supervision and risk management, it usually leads to financial dialogues that resemble discussions about buying insurance policies. Questions such as "What percentage of the IT budget must be allocated to cybersecurity?" are used for decision making, for example on the budget. This is similar to setting the price of insurance coverage for your business or home based on its value. The discussion should actually be much broader, because otherwise it omits the strengths and opportunities side of the equation.
Changing the mindset to focus on strengths and opportunities completely changes the meaning of the dialogue and the possible outcomes. Of course, cybersecurity and risk management are used to protect the business from vulnerabilities and threats, but what if there are ways cybersecurity teams can identify strengths and opportunities? Are there areas of the business where security teams are not currently focused? It is quite possible that a CISO working throughout the business will have new ideas that will help the business.
New lines of challenge
At any meeting, the goal is to leave with new information and new instructions for supervision and approval procedures. CISOs must be challenged to think of their work from the perspective of improving the company and contributing to overall business objectives, creating opportunities.
The best example of this is when security is "shifted" so that checks are performed in the early stages. In a development process, it is better for developers to fix problems during creation instead of waiting to test a final product. The latter approach is particularly annoying for developers, who have to stop working in order to fix problems partway through the process. Traditional KPIs (key performance indicators) in the development process include measurements such as reducing the number of vulnerabilities or defects, as they will now be found during the process. While this is an effective cybersecurity measure, it does nothing to really emphasize business impact.
The real effect of this tactic is that fewer defects mean increased performance for developers, less reworked code, faster product releases and faster revenue generation from new features and products. As an added benefit, a new strength may be the increased awareness of developers about how to write secure code. This new strength could also be measured to show increased performance over time and, eventually, a differentiated product in the market.
Challenge your CISOs to think about how to find a way to grow the business, highlight strengths and explore opportunities. Questions that may complement more traditional risk oversight questions are:
- What product improvements can we make to differentiate us in the market?
- What is your trend in reducing supplier delivery times or sales cycle time?
- What percentage of time do teams spend investigating or answering security-related questions? How is this tracking over time?
Obviously, the questions will depend on the type of business, but the change in mentality around CISO oversight is vital. With this shift, CISOs are forced to look beyond the walls of their team to better understand the business, thus creating more productive knowledge.