Security policies need to be mapped to business outcomes

Paul E Proctor is Vice President and Distinguished Analyst at Gartner.

Cybersecurity is no longer just an IT problem. As digital business evolves to include ecosystems and the open digital world, cybersecurity needs to evolve from a back-office IT problem to an enterprise-wide business consideration. These digital business needs will be supported by technologies, and the CIO will be responsible for implementing those technologies, as well as communicating to the executive team that security must be treated just like any other risk-based discipline in the business.

After all, actions like securing externally owned infrastructure and establishing digital trust with customers are tied to both cybersecurity and corporate performance.

Business value is the best lens for CIOs to appropriately manage technology risk and cybersecurity. CIOs engaging their peer executives to better understand the business value of IT will have more rigor and defensibility when their business case is tied to corporate performance dependencies on technology.

No perfect protection

IT professionals know there is no risk-free security. Unfortunately, executives think that with enough money and staff, IT can create a risk-free security setup. In the inevitable event of a hack or data breach, the blame falls squarely on the IT professionals. CIOs need to share the narrative that appropriate levels of security balance the need to protect with the need to run the business. This will enable more manageable expectations and turn risk and security into a business function.

Failure to assess the risks of a specific technology is parallel to business risk failures, such as a failure to complete due diligence during a merger. In the day-to-day of business, executives often make risk-based decisions. CIOs need to get executives to expand their understanding and appetite for risk to include the technologies that now support business endeavors.

CIOs should frame the risk in the context of how it affects the business outcome. Once business outcomes dependent on technology are considered at risk, business and IT leaders can decide if the risk is acceptable or if another option is needed.

Problem and a solution

It is well-known that people are the biggest security risk, but they can actually also be a security asset. In the digital world, there has been a huge influx of technology and employee access to options such as mobile devices with company email. Old security techniques, including centralised control with mouse pads and posters with security catchphrases, are no longer efficient or sufficient means of managing security.

The new approach must be designed to directly impact behavior. People are just as vital to success and failure in security as they are to the success and failure of the business. CIOs need to create a people-centric approach to security that shapes behavior.

Act not just talk

Most risk-assessment programmes are very good at appraising risks, writing reports and surveying executives, but these reports rarely influence actual decisions and, as such, have little impact on risk.

Ensure that these risk assessments are simple and to the point, and deliver just enough information and defensibility to support specific decision making on a particular project. Develop a dashboard of leading technology indicators linked to business outcomes.

By mapping business outcomes to technology dependencies, CIOs will be able to identify the five to nine metrics that demonstrate both the business value of IT and the appropriate status of risk and security to executives and the board of directors. These metrics link effective technology measures to business outcomes to improve corporate performance.

Key takeaways

  • Cybersecurity is no longer just an IT problem.
  • Business value is the best lens for CIOs to appropriately manage technology risk and cybersecurity.
  • CIOs engaging executives to understand the business value of IT will have more defensibility when a business case is tied to corporate dependencies on technology.
  • IT professionals know there is no risk-free security.
  • Executives think that with enough money and staff, IT can create a risk-free security setup.
  • In the inevitable event of a hack, the blame falls squarely on the IT professionals.
  • CIOs need to share the narrative that appropriate levels of security balance the need to protect with the need to run the business.
  • Failure to assess the risks of a specific technology is parallel to business risk failures.
  • CIOs should frame the risk in the context of how it affects the business outcome.
  • Once business outcomes dependent on technology are considered at risk, business and IT leaders can decide if the risk is acceptable.
  • It is well-known that people are the biggest security risk, but they can actually also be a security asset.
  • Ensure that risk assessments are simple and to the point and deliver enough information to support decision making on a particular project.
  • Develop a dashboard of technology indicators linked to business outcomes.
  • By mapping business outcomes to technology dependencies, CIOs will be able to identify metrics to demonstrate business value of IT and appropriate status of risk and security.

It is not sufficient merely to chalk out awareness programmes; they must also show their impact on the business, elaborates Paul E Proctor at Gartner.