Best Practices Q&A: The importance of articulating how cybersecurity can be a business enabler

By Byron V. Acohido

The technology and best practices for treating cybersecurity as a business enabler, instead of an onerous cost-center, have long been readily available.

Related: Data privacy vs data security

However, this remains a novel concept at most companies. Now comes a Forrester Research report that vividly highlights why attaining and sustaining a robust cybersecurity posture translates into a competitive edge.

The report, titled “Embed Cybersecurity And Privacy Everywhere To Secure Your Brand And Business,” argues for a paradigm shift. It’s logical that robust cybersecurity and privacy practices need become intrinsic in order to tap the full potential of massively interconnected, highly interoperable digital systems.

Forrester’s report lays out a roadmap for CIOs, CISOs and privacy directors to drive this transformation – by weaving informed privacy and security practices into every facet of their business; this runs the gamut from physical and information assets to customer experiences and investment strategies.

Last Watchdog engaged Forrester analyst Heidi Shey, the report’s lead author, in a discussion about how this could play out well, and contribute to an overall greater good. Here’s that exchange, edited for clarity and length.

LW: This isn’t an easy shift. Can you frame the barriers and obstacles companies can expect to encounter.

Shey: A common barrier is framing and articulating the value and purpose of the cybersecurity and privacy program. Traditionally it’s been about focusing inward on securing systems and data at the lowest possible cost, driven by compliance requirements.

Compliance matters and is important, but with this shift, we have to recognize that it is a floor not a ceiling when it comes to your approach. Building your program and embedding these capabilities with a customer focus in mind is the difference. You are trying to align business and IT strategies – and brand value – to drive customer value here. This is a key factor for building trust in your organization.

LW: How can companies effectively measure the success of cybersecurity and privacy integration into their operations?


Shey: This is something that calls for a maturity assessment. By understanding the key competencies required for this type of shift, organizations can better gauge their current maturity and identify capabilities they need to shore up to further improve. These key capabilities fall under the four competencies of oversight, process risk management, technology risk management, and human risk management.

For example, process risk management capabilities include how well the organization implements security and privacy in its customer-facing products and services as well as its own internal processes. It also covers the extension of security and privacy requirements to third-party partners and the ability to respond quickly and effectively to external questions from stakeholders such as customers, auditors, and regulators.

Within a maturity assessment like this, you can start to hone in on areas of improvement. If you’re doing a particular activity in an ad-hoc way today, establishing a repeatable process for it helps you push to the next level of maturity.

LW: Cultural change is acutely difficult.  What should CIOs and CISOs expect going in; what basic rethinking do they need to do?

Shey: Re-examine their own relationship first, specifically the trust and empathy between CIO and CISO. You need to be partners in driving this. If the CIO and CISO are operating in silos, and do not have shared vision, goals, and values here, it will make broader organizational cultural change difficult.

LW: Some progressive companies are moving down this path, correct? What have we learned from them; what does the payoff look like?

Shey: Yes, and this goes back to a point I made earlier about a key outcome of building customer trust in your organization. Trusted organizations reap rewards. Our research and data on consumer trust have proven this. Customers that trust your firm are more likely to purchase again, share personal data, and engage in other revenue-generating behaviors.

There is also a benefit of stronger business partnerships. We operate in a world today where your business is the risk and how you adapt is the opportunity. Companies view it as a risk to do business with your firm, whether they’re purchasing products and services or sharing data with you. Your ability to comply with partner’s or B2B customer’s security requirements will be critical.

LW: What approach should  mid-sized and smaller organizations take? What are some basic first steps?

Shey: Resist the urge to go buy technology as the first step. Emphasize strategy and oversight of your cybersecurity and privacy program, because you can’t embed the foundation for what you have not built yet. Align with a control framework as a starting point.

This will be your common frame of reference for connecting policies, controls, regulations, customer expectations, and business requirements. Recognize that as you mature your program, a Zero Trust approach will help you take your efforts beyond compliance.

Conduct a holistic assessment of technology and information risks to determine what matters most to the business, and identify the appropriate practices and controls to address those risks.

Set clear goals, such as a roadmap of core competencies to build and milestones. Identify clear lines of accountability to help make it transparent as to who is responsible for what, making it clear how each person on the team contributes to the program’s success.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone