CISO insights on moving from compliance to risk-based cybersecurity programs

Cyber crime and cyber attacks are immediate threats to organisations of any size. Managing them is now a C-suite priority, as businesses grow increasingly aware of the damage a breach can do to both their ROI and their reputation (for example, the recent British Airways data breach crisis). Businesses recognise how vital it is to secure an adequate IT budget for their needs, and how much the adaptability of an IT network and its security controls affects how quickly a business can grow.

However, the growing number of public breaches occurring despite this increased visibility and spending has led many Chief Information Security Officers (CISOs) and other senior security leaders to re-examine the motivations and assumptions underlying their programmes. Security leaders are seeking practical and efficient ways to develop and implement their own programmes and to apply risk management procedures to them.

An IBM Center for Applied Insights report, based on “Identifying How Firms Manage Cyber Security Investment,” an IBM-sponsored study by Southern Methodist University, outlines how CISOs are stepping up cyber security efforts to address one of the most prevalent underlying issues globally—a programmatic focus on compliance instead of risk-based business outcomes.

What we can take from this is that CISOs know that simply complying with regulations is not enough. A compliance regime checks a fixed set of controls against a standard at a point in time; it does not tell a business which of its own assets are most exposed or how the threats to them are changing. In this volatile cyber environment, CISOs must continually reassess evolving security risks and plan ahead for how they will adapt and respond. Common questions they now ask themselves include:

How do I transform a compliance-based security program into one focused on risk?

How can I best communicate risk to the organisation and manage expectations?

Do I have the skills, resources and tools to implement the right controls for success?

To address these questions, CISOs are adopting more sophisticated approaches to identify threats, prioritise initiatives, and fund them accordingly. Increasingly, security leaders are using custom frameworks as a strategic tool to align their business plans with the real cyber security risks they face rather than with an audit checklist.