Cybersecurity Outcomes: What Do We Really Want?
What is the purpose of a cybersecurity program, anyway? If we could all just agree on the answer to that question, life as a security leader would be so simple. If we could, as a profession, take the time to tell everyone else what the answer SHOULD be, that might bring some clarity to why we do what we do. But few people are asking this question, and the security profession is keeping quiet.
As is always the case in cybersecurity, the answer is:
It Depends
It depends on who you ask.
The Board would like to think that the cybersecurity program mitigates the worst of technology and information risk, minimizing the impact of a cyber event, preserving reputation, satisfying regulators, and generally allowing a business to continue as planned. Resilience.
The CEO and the rest of the C-suite want the cybersecurity program to protect against Bad Cyber Things. This could be a breach of the company’s technology, but it could also be protecting the supply chain. They want the cybersecurity program to be as cost-effective as possible, and unless the company is itself a “security company”, they would love to not have to talk about it too much. If the company IS a “security company”, the C-suite still doesn’t want to talk about their own security; they just want to talk about what…