Intelligent Tech Channels Issue 68 | Page 48

quite nicely to the challenges of parenting a teenager.
Just because we know what is best for our kids does not mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice – and that we are offering it with their best interest in mind – there is a far better chance it will translate to positive action.
The same goes for CISOs tasked with building a culture of cyber resilience. We cannot expect standard sets of policies or routine training to automatically translate into 100% staff-wide security compliance. For internal engagement to resonate, it must be scaled to the individual end user and designed with personalisation in mind – offering valid reasoning that a non-technical workforce can understand.
When given a paved road of proven protocols to follow, employees are far more inclined to stay on it and keep the organisation safe. Compounded at a macro level, this creates a dynamic where security awareness is ingrained into day-to-day workflows as part of an overarching company culture.
CISO success
As a CISO myself, I will be the first to acknowledge that engaging the C-Suite on cybersecurity matters is not always smooth sailing. I once met with a CFO to secure her buy-in for a particular security business case we wanted to adopt. Just a few minutes in, she stopped me and said, “Frank, we get it. We know our cybersecurity measures need to be top of mind.” For a fleeting moment, I began to feel the meeting was headed in the right direction.
Except then came the dreaded B word. She continued, “But what we really want to know is, are we spending too much? Are we spending too little? How are we doing compared to our industry peers?”
Had I not been prepared to address her concerns, the whole business case we were proposing could have been derailed, leaving issues unaddressed and the business at risk. These are the kinds of questions that C-level executives are asking their security leaders every day.
To answer them effectively, keep these five areas of focus in mind.
#1 Right framework
Select an industry-recognised framework that not only aligns with your organisation’s risk profile but also demystifies cybersecurity measures for the C-Suite and Board. The NIST Cybersecurity Framework, for example, helps simplify the complexities of security in a way that business leaders can more easily consume.
#2 Measure maturity
It is not enough to simply adopt a security framework. As you implement its various controls, baseline and then measure the maturity of your top security capabilities, so that progress can be monitored over time against that baseline.
Deciphering the impact of cyber risk requires visibility into the organisation’s crown jewels.
#3 Benchmark peers
An organisation’s level of cyber spend should be relative to its risk profile. As your maturity improves, identify how the organisation’s security architecture is performing relative to the sector at large – that helps determine whether you are spending too much or too little.
#4 Optimal target
Organisations at the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if you stay within your own industry for comparison purposes, set a maturity goal that is always based on a deep understanding of business risk.
#5 Measure effectiveness
Even with a well-defined framework, maturity model, benchmark and goal in mind, one key question remains: are you using your limited resources effectively? As organisations deploy, maintain and operate their security programme, continuous measurement and assessment should be non-negotiable.
www.intelligenttechchannels.com