Steve Zalewski said one question informs every decision he makes as deputy CISO at Levi Strauss & Co.: “How can cybersecurity help me sell more jeans?” His extensive technical background notwithstanding, Zalewski is adamant in contextualizing Levi Strauss’ security program within the brand’s big-picture business goals. For example, if a vendor can’t explicitly articulate how its technology would help insure the company’s revenue stream, Zalewski isn’t interested.
“I tell them, ‘I have a responsibility to sell more jeans. How does your product help me do that?'” he said. “They usually don’t understand how to pivot to a business risk conversation or appreciate that cybersecurity is more about insurance policies than operational efficiency or technical capability.”
To justify investment in a new security control, ROI has to speak for itself, according to Zalewski. In other words, the technology or process should offer a reduction in risk that clearly exceeds the cost of adoption. Otherwise, “leave it alone,” he said.
Research suggests few CISOs take such a keen interest in aligning security with business objectives and bottom lines. Many experts say, with security now integral to virtually every enterprise function, that’s a problem. According to Gartner Research, fewer than 20% of CISOs have critical partnerships with key business executives, although the firm predicted that number will increase to 60% by 2024, as demand for cybersecurity and business alignment grows. In an August 2020 survey Forrester Consulting conducted on behalf of vulnerability management vendor Tenable, only half of security leaders said their teams work with non-IT stakeholders. Less than half said they frame cyber threats in terms of specific business risks.
In contrast, top-performing CISOs regularly meet with three times as many non-IT stakeholders as IT stakeholders, according to Gartner’s 2020 report on CISO effectiveness. Two-thirds of top performers meet with business unit leaders on at least a monthly basis. But successfully aligning security with business objectives demands more than just face time; it requires security professionals to develop both hard and soft skills beyond their hard-earned IT expertise.
Here are the top four recommendations from CISOs and analysts for achieving more effective security-business alignment.
1. Know the business
A security leader intent on better aligning security with business objectives should start by learning about the business itself, according to Sam Olyaei, director analyst at Gartner Research. Olyaei said that, at a minimum, today’s CISOs need to know:
- their organizations’ mission and vision statements;
- CFO goals, as outlined on recent investor relations calls;
- board priorities and initiatives; and
- industry and market trends.
Olyaei described the above information as “critical inputs” that should inform the strategy and development of security programs and help CISOs actively anticipate business needs. Michael Montoya, CISO at data center services provider Equinix, agreed, saying the role — similar to the CIO position — must evolve beyond security operations to enable the business.
“The technical expertise that drove the traditional CISO role is not enough anymore,” Montoya said. “CISOs need to be fluent in company operations, especially finance-speak, to articulate security priorities from a business perspective.”
That might mean spending less time reading about the latest ransomware attack and more time learning about the business, said Brian Wrozek, CISO at cybersecurity services provider Optiv Security, whose customers include financial trading firms.
“I don’t enjoy reading about currency exchange fluctuations, but I need to at least understand them so I can properly contextualize and prioritize my security inputs during executive discussions,” Wrozek said. “There is no technology or magic process. It involves learning about the business, building relationships and collaborating.”
Neil Daswani, co-director of Stanford University’s Advanced Cybersecurity Program and co-author of Big Breaches, said CISOs need to position themselves as general managers of the business rather than IT specialists, focusing on supporting financial growth in a way that mitigates risk. For instance, he said, a CISO could better frame the goal of “achieving HIPAA compliance” as “enabling the organization to sell into the healthcare market by achieving HIPAA compliance.”
That distinction — the difference between what cybersecurity teams do and why they do it — is subtle but important when it comes to aligning security with business objectives, according to Levi Strauss’ Zalewski. His job is not to achieve security for security’s sake, he added. Rather, “I’m here to protect the ability of the company to sell jeans.”
2. Partner with executives and boards
Of course, to successfully align cybersecurity initiatives with business goals, CISOs need buy-in from and access to their CEOs and boards of directors, added Ray Rothrock, executive chairman of the board at cyber-risk modeling company RedSeal. Such support is far from a given. A 2018 survey by PwC found just 40% of CISOs reported directly to CEOs and only 27% to their boards of directors.
“To not have the security team in the room when the business goals are being decided is a huge mistake,” Rothrock said.
Equinix’s Montoya added that, in many organizations, a disconnect still exists between cybersecurity and the overall enterprise risk management framework. When risk management exists outside the CISO’s portfolio, the security team struggles to contribute at the design level.
“Security cannot be layered in as an afterthought,” Montoya said. “It needs to be a critical lens while reviewing inherent risks across corporate strategy, marketing, compliance, operations, employee communications, customer relations, etc.”
Jodi Daniels, founder and CEO of data privacy consultancy Red Clover Advisors, agreed, saying many executive teams continue to dismiss the gravity of cyber threats, marginalize their security leaders and willingly assume excessive cyber-risk. “That’s a common pain point that is a significant struggle for CISOs,” she said.
The good news is that executive interest in security-business alignment is at an all-time high and growing, according to Gartner’s Olyaei. “Board conversations about cybersecurity have exploded over the past few years,” he said.
In a 2021 Gartner survey, board members rated cybersecurity vulnerabilities as a top source of enterprise risk, second only to regulatory and compliance issues. And PwC’s Global Digital Trust Insights 2021 survey found 43% of executives expect their CISOs to have more direct interactions with CEOs and boards than before the COVID-19 pandemic, which dramatically accelerated digital change.
“For security to be a business enabler, it is essential to strike the right kind of partnership with the board and executive team,” Montoya said. He recommended establishing an infosec steering committee that includes the CISO and leaders from across business groups.
Gartner anticipates 40% of boards will have such dedicated cybersecurity committees by 2025, up from less than 10% today. Such heightened executive attention means CISOs will likely enjoy greater support across their organizations and access to significantly more resources. But Olyaei predicted the increased scrutiny will also require them to mature past their technical bubbles and learn to more effectively connect with executive audiences.
3. Learn to speak ‘business’
A significant percentage of enterprise board members — one in five — is dissatisfied with the quality of cyber-risk information they currently receive from security managers, according to Gartner’s 2021 survey. By Zalewski’s estimation, the reality is likely even worse.
Steve ZalewskiDeputy CISO, Levi Strauss & Co.
“Probably 10% of CISOs understand that most executive teams are not interested in cybersecurity; they’re interested in business risk,” he said. “As a security practitioner, you have to migrate the conversation to one of their comfort, not yours.”
Board members typically care about share prices, customer satisfaction and the financial bottom line — not IT-oriented performance and health metrics — Olyaei agreed, adding that CISOs need to learn to present compelling narratives that explicitly align security with business objectives. Zalewski, for example, contextualizes every cybersecurity investment at Levi Strauss by explaining how it protects either the brand’s reputation, people (customers and employees) or supply chain. “If they don’t understand, then we haven’t done our job,” he said.
Business acumen, political savvy and communication skills also build CISOs’ credibility as leaders and cement their authority in the C-suite, Olyaei added. He suggested security pros aiming to grow in these areas consider pursuing the following qualifications:
Optiv Security’s Wrozek recalled a pivotal moment early in his CISO career that took place on the heels of a security incident he’d predicted. “I tried to tell my boss, ‘I told you so,’ but he flipped it and said I didn’t do an effective job of communicating the true risk in a way he understood. Since then, I’ve tried hard to communicate risk in language, terms or analogies my colleagues understand,” he said.
4. Recognize that cybersecurity is a cost, not a goal
CISOs must also learn to subjugate security to the larger business, Zalewski advised. He said he sees cybersecurity as an insurance cost — “a nonfunctional requirement to sell jeans” — rather than a goal in and of itself. Like any other type of insurance, cybersecurity policies will depend on a company’s particular operational realities and appetite for risk.
Wrozek offered this analogy: A homeowner can install a new front door without a lock, and the door will still function. Most people agree, however, that the costs of deploying and maintaining locks and the inconvenience of using them — as insurance against burglaries and assaults — are minimal compared to the risk of not doing so. But CISOs run into trouble, he added, when they present every security effort as vital to the business, generating fatigue and exhausting buy-in at the executive level.
“After a while, your counsel falls on deaf ears,” Wrozek said. CISOs, therefore, need to understand their organizations’ risk appetites, tailoring their recommendations and picking their battles accordingly.
“It is not just a matter of aligning security with business objectives or the business aligning to be secure, but rather a combination in which risk tradeoffs are jointly explored to determine the path forward for the business,” Stanford’s Daswani added.
If the executive team wants to consider taking a calculated risk, then the CISO must provide an assessment outlining options and weighing possible outcomes, Rothrock said. “The cybersecurity team cannot just say, ‘No.’ Like the [software engineering team], it should provide choices — ‘if this, then that,’ and so on.”
The CISO role requires security leaders to make decisions and call out risks even with only a fraction of the required information available to them, he added. “They live in a mushy world full of ambiguities and so do their teams. But, when a leader can rise above the mush, the team will too.”
Finally, Wrozek reminded his fellow CISOs that enterprises have to accept some level of risk to turn profits and stay in business. “Too often, we get caught up in being like an overprotective parent where security becomes the ultimate goal at the expense of experiencing life,” he said.
When in doubt, Zalewski advised drawing a distinction between security — the what — and protecting the company’s ability to do business — the why. “If I’m not selling more jeans, who cares?” he said.