It’s easy to forget that cybersecurity teams were facing significant headwinds going into 2020. After years of ever expanding budgets, new tech and new tools, a string of public breaches (in spite of the growing spend), hard questions from the board, and outcomes that were difficult to measure all raised significant questions for security and risk leaders as well as the industry in general.
Here are just a few of the issues that security leaders were facing going into early 2020:
- Difficulty communicating cyber risk to senior executives and board members
- 72% of board members say they are more involved with security over the last 12 months
- 91% of board members can’t interpret their organization’s security reports
- Challenges in measuring program effectiveness and risk reduction
- Dealing with budget decreases
- In 2020 security spend has declined to 2015 levels after peaking in 2017 (Gartner 2019)
….and then COVID-19 hit.
Since the pandemic started, there has been a significant shift in the security function as business itself has undergone radical and unprecedented changes. As many businesses continue to fight for survival, security teams are now focused on helping the business succeed in extraordinary times -- including enabling the massive shift of “work from home” employees, and rapidly onboarding technology to facilitate remote work and new business processes. Security teams have been forced to react quickly and adapt, and must still justify programs and spend to executive teams looking for any room in the budget to reduce costs.
But those challenges are also opportunities. They can mean that security leaders have been set up to lead the way for business transformation.
Here are four ways that security leaders can change their programs to empower the business through these times of change.
- Measure the effectiveness of your program and report to senior executives and boards
Measure your program in terms of business outcomes and how you’re enabling the business to meet its goals is key. Whether it’s benchmarking against the competition to show how security performance management is enabling the company to win new business or keep existing clients, or demonstrating how efficiencies in the TPRM program are allowing the business to stay agile through a fast and scalable onboarding and reassessment process, there are plenty of KPI’s that boards are looking for to ensure the program is generating positive ROI.
- Focus On Risk Reduction
Instead of focusing on threats and how you’re reacting to them, focus on risk and how you’re reducing it. We’ll never live in a world with perfect security, but setting expectations and demonstrating how your program is reducing risk can demonstrate that the security team is taking a proactive and measurable approach to keeping the organization.
- Gain expanded view into the increasing attack surface and work from home environment.
The attack surface has expanded dramatically since the first quarter of 2020 and shows little signs of shrinking. It’s more vital than ever that security leaders get visibility into their work from home footprint, cloud assets and accurate assessments/reassessments of their third party vendors.
- Reduce costs through automation of processes
Security teams were already facing declining budgets, and with changes to traditional operating processes, there is more pressure than ever to be more efficient. Increasing the use of automation, especially in time- and resource-consuming TPRM programs can create huge operational efficiencies that enable the business to be more agile in its strategy by onboarding vendors faster, with less cost, and at greater scale.
Really, the biggest question security leaders need to be asking themselves is “how can I be a partner to the business?” The goal is to be seen as a trusted partner in growth, rather than a barricade or an obstacle that will slow projects down or delay growth initiatives. Reaching out to build relationships with other leaders in the business, understanding their objectives, goals, challenges and pain points, and working collaboratively to create plans and strategies will pay dividends down the line and earn CISO’s a seat at the table where they are able to influence initiatives at the outset instead of reacting once plans are already in motion.
If you’re ready to take the lead in enabling the business through these times of change and thrive through transformation, then download our full white paper to learn more.