June 9, 2016
Mike-Edlund-Large
By Mike Edlund, CISM

A recent survey* was conducted by PricewaterhouseCoopers (PwC) and asked 9600 C-level leaders about obstacles to effective cybersecurity. The barriers identified in PwC’s study include:

  • Insufficient funding for capital expenditures
  • Lack of or ineffective CEO leadership
  • Absence or shortage of in-house technical expertise
  • Insufficient funding for operating expenditures
  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding
  • Lack of or ineffective CIO leadership
  • Poorly integrated or overly complex information/IT systems
  • Lack of or ineffective Security Chief (CISO or others) leadership

PwC found that sometimes different C-levels have diverging views on how strong a barrier is. For example, one item, Absence or shortage of in-house technical expertise, was viewed more strongly as an obstacle by CEOs and CIOs, but the CFO did not view as strongly.

Let’s look at breaking down these barriers – we’ll group some to address collectively.

  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding

We’ve found that having a common language to discuss and create strategy and vision for cybersecurity or information security at the company’s executive levels breaks down these barriers. For all C-level and senior leadership, conduct strategy sessions that revolve around the information security processes and use the process lens just like the rest of the business looks at its operations. Looking at how well processes are running (as-is) and how they can be improved (to-be) will let all parties assist with and provide input on good strategy and goal setting, just like the rest of the business. Looking at information security processes from this perspective lets information security become and be understood as a business enabler, not the classic department of “No!” from the past.

  • Lack of or ineffective CEO leadership
  • Lack of or ineffective CIO leadership
  • Lack of or ineffective Security Chief (CISO or others) leadership

Using the above common language approach (viewing cybersecurity through the process lens) should provide all three leaders with language and understanding that can help them have an equal understanding. When each has common understanding about and a language through which to view information security and its strategy, leadership easily begins speaking the same language and addressing the most important decisions collectively.

  • Insufficient funding for capital expenditures
  • Insufficient funding for operating expenditures

Conducting a risk assessment, compliance assessment and capability assessment by competent internal or external parties helps to provide this supporting information for investments. Regardless of whether results and gaps are viewed through a risk, compliance or capability lens, gaps or findings with priorities for improvements should include funding for new technology, new staff efforts or ongoing efforts appropriately captured assists C-level leadership understand needs for information security investments. A strong review during an assessment, whether conducted internally or by a third-party, should include findings that include costs for addressing information security program gaps.

  • TrustMAPP-ExecutivePlanningAbsence or shortage of in-house technical expertise

A solid team capability assessment will review cybersecurity team member responsibilities and roles for any of the assessments mentioned previously (risk, compliance or process-based). Findings will lead to leadership understanding where there are gaps in addressing the cybersecurity program’s needs through its people. As mentioned above, solid assessment results should provide funding estimates for additional training or personnel to meet developing or ongoing requirements of the security program. As mentioned above, review of cybersecurity expertise, whether conducted internally or by a third-party, should include findings that include costs for addressing cybersecurity program personnel gaps.

  • Poorly integrated or overly complex information/IT systems

This one may require review from various perspectives to reduce complexity or improve integration. Integration may be improved through the above approach using process as a common language between cybersecurity and the C-level. Understanding what is needed between information security and the business should improve through this common language approach. Further review through risk, compliance or process-based assessment should tease out issues around this barrier. Risk may find that poorly integrate systems show frequent downtime or failures, increasing risks due to unavailability of systems. Compliance may find that poor sharing of compliance-specific information between systems or high costs related to complying with a regulation due to system complexity show where improvements will be needed.

To break down these barriers for your information security program, look at what SDS’ Maturity Assessment, Profile, and Plan (MAPP) approach can provide for you.

*Survey: http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html