
Cybersecurity Alignment: Best Practices and Why It Matters to Enterprises


Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Bernard Brantley of Corelight examines why cybersecurity alignment matters to enterprises, while providing best practices to achieve the goal.

Our biggest challenge is not the adversary, nor the management of our cybersecurity organizations. Our biggest challenge is finding and maintaining alignment throughout the organizations we protect. Success for us means creating advocates and evangelists out of everyone in the enterprise. This is our primary aim: when that happens, the rest of our job gets easier.

As crisis managers, we understand two things very well. First, paraphrasing Mike Tyson, everyone has a plan until the fight actually happens. If you’ve recently responded to a major cyber event or put your leadership or executive teams through a breach table-top exercise constrained to an hour, you fully understand what this means. Second, the idea of “never wasting a crisis” rarely results in sustained momentum for positive change. There is often a substantial uptick in activity and interest toward remediation and delivering on strategic cyber objectives that wanes significantly as time passes.

Cyber program management, while in its infancy, is well documented and contains comprehensive strategies for deriving metrics and driving success within the sub-functional teams. However, creating stronger alignment with the broader business is nascent and requires us all to innovate. We must focus on removing information asymmetries within our organization, elevating the conversation as we speak with partner teams, and leading with empathy by stepping out of our comfort zone.


Cybersecurity Alignment: Why It Matters

Alignment Through Knowledge Sharing

Removing information asymmetries by understanding the (social) network

Our organizations and the information environments within them are living, breathing organisms; the network is their nervous system. Just as the fingers cannot type without a signaling pathway between the brain and hands, information cannot move between parties within an enterprise without a (social) network that connects the two. The security organization has access to nearly all of the data in an enterprise. We employ a variety of tools to monitor environments and endpoints, and we undertake initiatives to discover, categorize and ultimately mitigate risk to the business. Historically, we use this information to make decisions about policy, process, and controls by focusing on the relationship between our organization and the adversary. We can do more. We’re missing opportunities to use that same information to strengthen the relationships between organizations, those who manage them, and those within them.

With a business impact analysis and stated company goals as a reference, we can leverage the identity, environment, and structures that define them as a basis to highlight the information flow between systems and organizations that contribute to business outputs. In the past, I have made false assumptions that because I have the information, everyone else does too. Still, there is immense power in making organization owners aware of how much their activities intersect or diverge concerning access and usage of resources within the company, highlighting opportunities for teams to collaborate. We can recommend the expansion of social networks and therefore reduce the information asymmetry around specific activities, resources, or business impact/goal alignment. We can also demonstrate our position as orchestrators of alignment and connectivity by:

  • Getting access to stated company and organizational goals
  • Executing a Business Impact Analysis
  • Communicating the overlap of identity, resource, and information usage to company and organizational goal execution
  • Brokering conversations between newly identified social groups
  • Leveraging new relationships and understanding to refine how policy, process, and controls are applied

Alignment Through Language

Elevating the conversation by speaking in terms the broader business understands

When I started as a CISO, people kept telling me to speak in terms of the business but were unable to provide a specific strategy for doing so. I listened, learned, and listened some more but still found it difficult to hit my stride in clearly articulating the true value of security in the frame of business outputs. Peter Drucker posits that the most important thing to remember about any enterprise is that results exist only on the outside; inside the enterprise, there are only costs. It is imperative that we shift our thinking to security’s impact on results and construct narratives that end with an impact on our customers. For what it’s worth, customers care little about the technical jargon we use to describe our programs, the metrics we use to define success, or the specific tools and techniques we employ to discover and mitigate adversarial risk. What really matters is how plainly we can speak about what we do and the narratives we use to relay a positive impact on the customer experience. Invest in your ability to focus on the end customer and to tell the story of your program. You will quickly find alignment with the broader business by gaining alignment on results.

Alignment Through Empathy

Stepping out of our comfort zone

We want to move fast. We MUST move fast. But we can only move as fast as the business allows, and oftentimes, even that is too fast. It is not the amount of time required to identify risk, nor is it the amount of time required to increase visibility, orchestrate controls, or engineer detections that bogs us down. It is the ability of the broader business and, ultimately, the culture of the organization to adjust and adapt to the level of change inherent to security maturation.

  • Understanding tradeoffs and making them before they’re made for you
  • Prioritizing business resilience over cyber resilience
  • Deeply understanding the role of your peers

Final Thoughts on Cybersecurity Alignment

By finding and maintaining cybersecurity alignment throughout the organizations we protect, we enable the much-needed shift to a more efficient security posture. Knowledge sharing, common language, and empathy help organizations bridge the security gap that they are unknowingly facing. While alignment might not sound as threatening as a malicious actor, it is vital to the overall health and success of a program. Implementing these changes facilitates more complete cyber program management, helps reduce the risk of mishaps during a crisis, and ensures that we convert our learnings into true institutional knowledge.
