How To Build a Trusted Cybersecurity Program

Cybersecurity leaders feel relentless pressure to improve cybersecurity posture, remediate gaps in their strategy, and minimize cyber risk. With all that goes on in the day-to-day life of a security leader, it can be easy to forget your north star: building a cybersecurity program that can be trusted by internal and external stakeholders alike, including customers, regulators, investors, credit rating agencies, and insurers. 

Why is trust so important? External stakeholders are increasingly focused on working with partners they trust. According to a recent report from Gartner®, “56 percent of customers are now expressing frequent interest and concern in the cybersecurity posture of the organizations that they do business with.” And, “by 2025, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements.”

Several variables drive this renewed focus on trust, including the explosive rise in ransomware attacks and other breaches. Organizations don’t want partners who might put them at risk. Given this new reality, now is the time for security leaders to turn their focus towards creating—and demonstrating—trusted cybersecurity programs. Leaders need to understand how the market perceives their cybersecurity; eroded trust can result in significant financial consequences.
 

Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem

This report from Gartner reveals cybersecurity predictions about culture, the evolution of a leader’s role, third-party exposure, and the board’s perception of cyber risk. Download the report to learn key findings, market implications, and recommendations.

Download Gartner Report
Button Arrow

Building Trust With These 3 Key Stakeholders

It isn’t just real cybersecurity risk that matters to your stakeholders—perceived risk matters as well. A Forrester report from 2019 shows that:

  • 38% of companies have lost business due to either a real or perceived lack of security rigor
  • 82% of decision-makers agree that the way customers and partners perceive security is increasingly important to the way their firm makes decisions
  • C-level security decision-makers are more likely than their staff to cite harm to company reputation and customer acquisition after a cybersecurity incident

After nearly 20 years of experience in the cybersecurity industry and working with a multitude of organizations throughout the pandemic, I can promise that these numbers have only increased in the last three years. When it comes to instilling (or eroding) trust within an ecosystem, it can feel overwhelming to “prove” to everyone that a company’s cybersecurity practices can be trusted. Taking a step back and looking at the recent industry announcements, three external entities in particular stand out as a place to start:
 

1. Regulators

Given all of the major incidents in recent years, regulators are increasingly focused on cybersecurity. In recent weeks, we’ve seen new legislation and regulations that will require companies to disclose more information about their cybersecurity programs. As I discussed in a recent blog, the US Securities and Exchange Commission (SEC) is considering new regulations that require the disclosure of a variety of aspects of an organization’s cybersecurity program, including risks, governance, and incidents. President Biden recently signed into law legislation that requires companies to disclose incidents to the government within days. Moving forward, company cybersecurity programs will be under greater scrutiny from regulators and investors alike. 

2. Cyber Insurers

Many companies are buying cybersecurity insurance to transfer risk in the event of an incident. But the growing number of incidents—including ransomware—are causing insurers to scrutinize applicants much more closely than before. With greater scrutiny, premiums are becoming much more expensive and the scope of coverage is shrinking. Insurance companies review variables like patching rates, endpoint protection, and vulnerability management to underwrite and price policies. It is now critical for companies to demonstrate the effectiveness of their programs so their insurers provide more favorable coverage and rates.

Forrester Better Security and Business Outcomes with SPM

Forrester found that C-level leaders are struggling to understand how their security is performing and how to adequately report that performance to the board and other C-level leadership.

Download The Study
Button Arrow

3. Customers

As I’ve discussed throughout this blog, a growing number of third-party incidents drives a majority of the focus on cybersecurity trust. With a greater risk of a ransomware attack or other incident, businesses are becoming much more stringent with their cybersecurity expectations. Many customers are looking for evidence that their partners’ cybersecurity program performs well. They may also include contractual language that companies need to meet certain requirements and continuously monitor for changes in the environment. 

Demonstrating Trust

What can security leaders do to show the market that their programs can be trusted?

It’s all about understanding strengths and fixing weaknesses. Managing trust starts with managing the cybersecurity program and strategy as a whole. BitSight for Security Performance Management (SPM) enables organizations to understand their overall program performance, program gaps, and remediation strategies so that security leaders can relentlessly manage towards their standard. We help companies deliver evidence-based assurance to prove a sound and trustworthy program.

Once organizations have stronger visibility into their program’s performance and gain insights into remediation, they gain an advantage in aligning cybersecurity to the business, reducing cyber risk, and maintaining trust in an ever-changing landscape.