Security Performance Management

Turning Business Unit Heads Into Security Management Leaders

Brian Thomas | September 20, 2019

The old adage “it’s hard to find good help these days” has never been more true than when talking about security management. The well-documented cybersecurity shortage is very real, and the long hours and pressure experienced by those who are in charge of security performance management are causing stress and burnout.

But creating a strong cybersecurity foundation to prevent risk exposure is also becoming a critical business initiative. Board members and C-suite executives are becoming all too familiar with the potential financial and reputational ramifications that can result from attacks. As such, leaders across organizations must get involved in their businesses’ cybersecurity initiatives while their companies continue to bolster their cyber defenses through new hires. 

Security performance management is stretched thin

But a recent Forbes article points out the struggles companies are experiencing with attracting cybersecurity talent. Those struggles are due in part to market shortages, but also to the fact that HR managers are not cybersecurity experts; they’re responsible for filling multiple jobs, not just security-related roles. Whenever an HR manager does find a good candidate, it’s likely that they’ll need to pull in a CISO or security manager to vet that person — essentially pulling those folks away from their own day-to-day operations.

It’s even tougher for organizations that have multiple business units or offices, each operating autonomously with their own brands and management structures. Companies in these situations often forfeit control over their brand extensions and operations. That might be acceptable when it comes to marketing, sales, or other operations, but it’s not ideal for maintaining consistent and sound security performance management.

In short, security is being stretched thin in all different directions — precisely when organizations cannot afford to let this happen. To pull things back together, and alleviate the pressures associated with finding new talent, companies should spread the responsibility of risk management across their organizations. They can start by empowering leaders with cybersecurity oversight of the business units they manage.

Creating security management leaders within business departments

Business unit heads routinely track and report on KPIs related to everything from Net Promoter Scores to number of new contracts signed. With cybersecurity becoming a key strategic component for corporate success, it makes sense for business units to begin including security in their measurements.

Many organizations may have different brands spread across various regions of the country. Some might be doing better than others when it comes to security management, but it can be hard for CISOs to tell. There could be serious vulnerabilities that need to be addressed, but the CISO may not be aware that these vulnerabilities exist because they do not have “boots on the ground.” 

This is where business unit leaders can help. They understand how their divisions work and are uniquely positioned to be able to easily monitor and report on their units’ security postures. Rather than having the CISO or security team be responsible for managing cybersecurity across different brands and regional barriers, division managers can be trained to measure security just as they would any other KPI.

This can be done with minimal effort through easy-to-understand security ratings. Security ratings provide everyone in the organization with an easily consumable way to understand and measure cybersecurity. The head of marketing, for example, can use the score to understand that her unit is in need of improvement, and set a KPI for a score increase of 20 points for the next quarter. 

Sharing the responsibility for managing risk exposure

With this approach, security management becomes a shared responsibility amongst key leaders in the organization, who are each held accountable for the cybersecurity postures of their units. Their progress can be easily measured to ensure that divisions across the organization are hitting their cybersecurity numbers and, in the process, doing their part to improve their organizations’ overall risk management profiles.

Plus, by having managers do their part, security management is scaled throughout the organization. This takes some of the onus off of the security team, which would otherwise be responsible for managing security across a highly distributed environment. It also results in a stronger cybersecurity net that covers every brand, office, and business unit. 

We’re certainly not advocating that the heads of business units become cybersecurity experts. But good cybersecurity hygiene is quickly becoming an important business driver that, when not handled properly, can lead to enormous repercussions. As such, security management needs to be everyone’s responsibility, and should be a core component of any well-run business unit.
