Automated and data-driven insights can be key to a CISO’s business approach and to forming an effective cybersecurity strategy. Charaka Goonatilake, CTO, Panaseer, explains why data insights set CISOs free to set tailored strategies more closely aligned to the business outcomes dictated by senior management teams.
If Tim Berners-Lee had given up when his boss wrote the words ‘vague but exciting’ on a document outlining his theory for vast interconnected data networks, today’s business world would be very different.
Thankfully, instead, these networks have spent three decades realigning the tectonic plates on which companies stand. Data now forms the foundations for organisational decision-making. In a security context, it can provide an accurate overarching picture of risk to enable more proactive and prioritised management of human, technological and procedural assets.
For senior security leaders looking to use data more effectively, aggregation and context are crucial. Only with a complete picture of all the enterprise assets, and how they are exposed, together with an understanding of how they map to an organisation’s structure and business objectives, can meaningful change be achieved.
To accomplish this grand vision, however, they need access to data in the first place. Inside large organisations, this is not always easy. In fact, it can prove a true test of the softer diplomatic and communication skills required to be a modern CISO.
This is because the necessary data often exists in a disparate set of silos across the entire organisation; a complex array of security, IT and business systems. With technology imbued in every part of business, getting a comprehensive picture is crucial.
Unfortunately, the gatekeepers of this information often initially view any request from the security team as an open challenge to their ability to operate safely. It is seen as the corporate equivalent of asking chickens to vote for Colonel Sanders. People fear deeper insights will be exploited to pass judgement on their performance.
It is somewhat ironic that personal tensions and human emotions form one of the largest barriers to getting a clearer understanding of risk – a very human problem in contrast to the calculated data-driven outcomes seeking to be achieved.
When broaching this subject, security leaders must be transparent about the intended use for the data in order to get buy-in from senior executives as well as their teams, positioning it as a way of effecting a direction of travel for a business looking to decrease risk in the long term. The last thing such an initiative should be perceived as is a technical task to inventory assets or a performance management exercise.
For this reason, managing stakeholder expectations in this early phase of any such process is key. This all starts with making a compelling business case for the initiative with peers, which is as much a test of ongoing communications skill as anything.
Done effectively and couched in simple, colourful terms, it is possible to build a narrative that gradually dissolves initial reservations. Done incorrectly, however, so that it appears burdensome and like a test of capabilities, it will only lead to the digging of entrenched positions.
Using automation and data insights to bridge this gap
Automated tools which ingest and consolidate both on-premises and cloud-based data can play a big part in overcoming many of these hurdles.
Ultimately, not only does such an approach smooth the technical aspects of data collection and analysis, it plays a vital secondary role by removing much of the inherent human tension. Of course, in the early stages, the need for people management is still vital to ensure initial access. However, once this is obtained, automation brings a repeatable, unbiased and trusted approach which alleviates fear about how data will be interpreted. Data owners trust that it has the consistency and independence necessary to prevent incorrect judgements.
Automation also nullifies a lot of the ongoing heavy lifting and can be another tool for assuaging stakeholders. Once the right permissions and access have been obtained and collection has commenced, the resource burden on different business units is removed, allowing them to focus on core competencies.
Once collection is complete, the application of business context to the data can be a powerful mechanism for securing wider buy-in. Mapping financial and strategic outcomes to risk underlines the pragmatic nature of such initiatives for the business as a whole. Helping the data owners understand not only the risk reduction benefits it brings to the entire company, but also specifically to their own departments, should make a non-issue of data collection.
Ultimately, data insights set CISOs free to set tailored strategies more closely aligned to the business outcomes dictated by senior management teams. Automating data collection can play a big part in overcoming the personal tensions which have traditionally dragged security leaders down in this process, providing a trusted, low-friction approach. Automated and data-driven insights will prove to be a vital tool for CISOs to formulate effective cybersecurity strategies, as their role in the enterprise continues to elevate.