How can I know if my business is resilient enough? Is my organization compliant with security regulations and corporate policy? Is it possible to combine digital transformation with acceptable risks?
These are just some of the questions that any organization’s security team has to deal with on a regular basis. Here, we bring you firsthand insights from Jane, a recently appointed Chief Information Security Officer (CISO).
One of our competitors recently suffered a major data breach. This―and the emergence of new market players―prompted me to consider what cybersecurity strategy would best protect our own digital assets.
My starting point was our business needs. What security should we have in place to ensure the company’s growth and competitiveness going forward―especially at the level at which we combined digital transformation with acceptable risks? And how could I ensure that our security plans received the attention required from decision-makers and other stakeholders to ensure a top-down buy-in to the whole subject of cybersecurity?
It was a strategically important challenge. I needed to ask the right questions to allow me to build an appropriate cybersecurity strategy for our organization―one that would ensure regulatory compliance and business resilience. These questions had two focus areas: how to achieve our cybersecurity objectives and how to align those objectives with the business.
A critical starting point to protecting your digital assets
Here’s what I came up with―and I believe these four questions would be a good starting point for any CISO or IT leader developing their security strategy:
• How do we transform our traditional security model so that there is a focus on data, people, and risks?
• What should we focus our investment on now, given that security operations no longer rely solely on IT protection?
• How can we embed the new cybersecurity vision as part of the wider business transformation journey and deliver significant changes in the security function?
• How can we avoid making employees the weak link and move towards a more people-centric approach to security?
I was asking the right questions; now, I needed to put into place my strategic security plan. While evaluating proposals, my recommendation is to look at vendors who can manage both strategy and implementation with a vendor-agnostic approach. That way, one is not pressured into buying any particular technology or tied into an expensive license deal.
Based on a clear, shared vision of our maturity and practices, the vendor helped implement our cybersecurity transformation program in just a few weeks. I now feel confident that we have the cybersecurity we need to take our business forward―securely.