Usually, when someone writes predictions, it is just before or after New Year’s Eve. But if anything is to be addressed in 2020, it needs to be considered in the budget planning already this fall. Also, I wasn’t planning to talk about the usual attacks and payloads. Instead I wanted to talk about some important trends and influences that are shaping management decisions and priorities for 2020.
3. Aligning cyber risk with business risk
All areas of IT are involved in the yearly chase for their precious piece of the budget. Developments within cybersecurity mean that security needs a larger share of that budget. But to be able to compete for budget, cybersecurity managers are starting to engage with the business and speak its language.
Even though cybersecurity efforts can rarely be credited with innovating or transforming the business itself, they absolutely deliver business benefits by managing risk and enabling business transformation. Those benefits need to be quantified.
I recommend you start by looking at the ISF (Information Security Forum) approach, which consists of four phases:
- Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPIs and KRIs
- Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
- Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
- Learn and improve by engaging to develop learning and improvement plans
You can read more about ISF’s four-step approach to relevant KPIs and KRIs on the ISF site. Research organizations like the Information Security Forum have plenty of tools and methods that will help you fast-track your journey to quantifiable cybersecurity.
5. Sunshine or storm – What hides in the Cloud?
Show me an organization that is not in the cloud, or considering moving to it. As a CISO, this creates a whole range of new possibilities and challenges. Your job will be to find and offer ways to enable this transformation in a safe and secure fashion.
There are many ways to secure the cloud, as well as to deliver cloud-based security, and sometimes security is even included in the services you buy. However, never assume anything. To make sure you don’t get lost in the house of mirrors of SaaS, IaaS, PaaS and so on, fall back on the foundational principles of cybersecurity: know what data and workloads you have, who is responsible for securing each layer under the provider’s shared-responsibility model, and verify rather than trust what the provider includes. There are different models to work with here, like the NIST Cybersecurity Framework and ISF’s Standard of Good Practice for Information Security 2018.