What is cybersecurity management?

Traditionally, management is defined as the deployment of human and material resources to achieve objectives. While management efficiency is a central concern in most business areas, it is not sufficiently addressed in the field of cybersecurity.


Cybersecurity still disconnected from corporate objectives

As the above definition of management shows, it's impossible to claim to be a manager, i.e. to direct and control, without being clear about objectives!

Yet the figures in the Forrester report cited earlier show that cybersecurity is often conceived and practiced without a strategic dimension. Entitled "The rise of security managers aligned with business objectives" and based on the responses of 416 CISOs worldwide, the report makes the following observations.

  • Only 54% of CISOs state that their cybersecurity strategies are fully or closely aligned with corporate objectives.
  • Only 47% of security managers take corporate priorities into account when defining priorities from a cybersecurity point of view.
  • Less than 50% of CISOs consider the impact of threats in the context of a specific business risk.


Moving from a tech vision to a more global one

What can we observe in the way cybersecurity is handled within organizations? Methods vary from one entity to another, but there are three main trends:

  • management by technology, which relies on tools;
  • compliance management, based on respect for regulatory or contractual requirements;
  • risk-based management, which is essentially a tailor-made approach and is only appropriate for the most mature companies.

Of these three approaches, it goes without saying that managing through technology is quite simply... not managing! While the usefulness of many tools is undeniable, the problem is that, in such a situation, the company's level of security is dictated by software vendors and the latest market trends, whereas it should be driven by a set of requirements derived from clearly defined objectives.

For this reason, managing cybersecurity requires a 360° view of the actions to be taken. In concrete terms, this means covering all the main management functions, from defining objectives to steering, organizing work, managing teams and making decisions. Among other things, this means drawing on the People, Process, Technology framework usually used to carry out organizational change or to implement new information-system (IS) projects.


Cybersecurity management starts with strategy

While the figures suggest that we still have a long way to go before every CISO can exercise real managerial functions, as can CFOs, HR directors and other executives, we are nonetheless witnessing the emergence of a discourse tending to place strategy at the heart of cybersecurity.

This is the thrust, for example, of the comments made by contributors to the 2021 guide "L'essentiel de la sécurité numérique pour les dirigeants et les dirigeantes" (the essentials of digital security for executives). Daniel Bénabou, President of CEIDIG, explains that security is no longer a technical issue but a strategic one, and considers it "a top management issue".

Guillaume Poupard, Director General of ANSSI, stresses the need for decision-makers and CISOs to be proactive, stating that "cybersecurity is 99% anticipation, prevention and common sense".


Genuinely good reasons for managing cybersecurity

Should CISOs move further into a managerial posture simply because experts advocate an ambitious approach to cybersecurity? In reality, the reasons for taking this path are highly pragmatic, and they offer a worthwhile return on investment for both the CISO and the company.


Reliably meeting security needs

As you will have understood, managing is a whole process: first you define a strategy in line with the company's objectives, identify the resources needed to achieve it, implement it and then manage it to ensure that the pre-defined objectives are met.

What better way to ensure truly effective corporate protection? The advantage of this approach is that it puts the right resources in the right place, balancing effort according to priorities. For the organization, it narrows the gap that can exist between the "feeling of security" and actual security, as Bruce Schneier described in his 2010 TEDx talk on the security mirage. It also avoids building what he calls "security theater": products that reassure without actually protecting.


Anticipating problems

Without visibility and structure, CISOs who do not really manage their cybersecurity activities can only react: fearing attacks and doing their best once a risk has materialized.

A CISO with a clear view of their objectives and of how to achieve them is in a completely different position. Faced with the risk of a ransomware attack, for example, they will start by mapping the vulnerable and exposed IT assets, each of which is a potential entry point into the information system.

This methodical approach not only helps to reduce risk as far as possible, but also makes it possible to co-construct solutions with management and business units to ensure business continuity in the event of an attack (an out-of-band communication channel independent of the IS, a crisis management plan, an IT recovery plan, etc.).


Giving meaning and bringing people together

Without a shared vision, teams (especially SecOps teams) may well fail to see the point of following a certain number of best practices. Cybersecurity management can improve this situation. Because it involves sharing objectives, explaining and dialoguing, it leads to a better understanding of the issues by all stakeholders, and in turn to greater buy-in and increased protection.

It is by developing leadership skills that a feedback loop can be put in place. By feeling more involved in cybersecurity issues, teams are more likely to pass on relevant information and apply best practices.


Giving ourselves the means to do more

So you're thinking that if you want to manage your cybersecurity in the way we have described, you need the means to do so? In reality, budget is not the real obstacle, or at least it should only be one at the very start of a cybersecurity strategy.

Managing cybersecurity means not only giving yourself the means to see clearly, but also giving top management that same visibility. In other words, it's about making two things clear:

  • On the one hand, the vulnerabilities and associated risks (operating losses, damage to corporate image, legal costs, etc.).
  • On the other hand, the means the CISO needs in order to meet their duty of care (an obligation of means, not of results).

In other words, it's by tackling the subject of security head-on and in all its dimensions that CISOs give themselves the chance to have constructive discussions with top management, and consequently to obtain budgets, which they then have to put to good use.

How do you create this virtuous circle?

A SaaS-based, adaptable and collaborative platform, Tenacy gives CISOs greater visibility thanks to clear operational and strategic indicators, while relieving them of time-consuming, low-value tasks. Designed to provide greater consistency, it also enables alignment between operations and objectives.
