What is the purpose of a cybersecurity program, anyway? If we could all just agree on the answer to that question, life as a security leader would be so simple. If we could, as a profession, take the time to tell everyone else what the answer SHOULD be, that might bring some clarity to why we do what we do. But few people are asking this question, and the security profession is keeping quiet.
As is always the case in cybersecurity, the answer is:
It depends on who you ask.
The Board would like to think that the cybersecurity program mitigates the worst of technology and information risk, minimizing the impact of a cyber event, preserving reputation, satisfying regulators, and generally allowing a business to continue as planned. Resilience.
The CEO and the C-Suite wants the cybersecurity program to protect against Bad Cyber Things. This could be a breach of the company’s technology, but it could also be protecting the supply chain. They want the cybersecurity program to be as cost-effective as possible, and unless the company is itself a “security company”, they would love to not have to talk about it too much. If the company IS a “security company”, the c-suite still doesn’t want to talk about their own security, they just want to talk about what they do for their customers. Defense.
The Finance folks want to know the Return on Investment (ROI) for the cybersecurity program, and continue to be flummoxed to learn the only return is that nothing happens, and that the security team wants the finance folks to quantify the value at risk. Efficiency.
The Legal and Compliance people want the cybersecurity program to comply with laws and regulations, and are frustrated that most cyber laws are vague, ambiguous, and contradictory. Most of them didn’t do any technology study in undergrad or law school, and are mildly annoyed that the security team doesn’t have a law degree. Compliance.
The IT folks want a whole bunch of things, but mostly to not have to think about the security program at all. They know they need it, but would like it to be automated, easy and/or invisible. They would like the security team to be accountable for all security things, but also don’t…