As part of our Cybersecurity Webinar Series for October’s National Cybersecurity Awareness Month, we presented a webinar recently, discussing the value of establishing a program office dedicated to cybersecurity. Cyber crime is now considered one of the top three risks to an enterprise. Many organizations seek to build security by adding tools and processes on top of their established operations. We explore whether a different approach results in greater momentum and more effective investment.
The Cybersecurity Program Office
Program offices move an organization toward some desired future state. The Cyber Program Office creates and manages the information security workstreams to achieve cybersecurity objectives.
Not all cybersecurity work is IT work. Creating a dedicated office apart from any IT program office ensures the work proceeds unimpeded by other priorities and accommodates the dynamic nature of cybersecurity. The Cyber Program Office’s overall programming activities help define strategy, prioritize work and report progress. In addition, the team raises awareness and educates individuals throughout the organization on how to limit cyber risk.
Cybersecurity Program Office: Approach
The first step in managing cyber risk is assessing where the organization is currently, and defining the desired future state. This exercise exposes gaps in capability and maturity. Then, defining specific workstreams to address those gaps results in a risk-based road map. An agreed-to road map is a critical communication tool for the program, giving visibility to plans, progress, needs and achievements. It tells the story about why and how the current state must change.
Cyber Program Office: Desired Outcomes
Broadly, there are four ways the Cybersecurity Program Office brings focus to cybersecurity efforts. These include program structure, continuous improvement, meaningful reporting and efficient use of resources.
Structure allows the team to approach the work in an orderly manner. As the executive who directs strategy for cybersecurity, the chief information security officer (CISO) plays a key role. There are often business and IT leaders providing support as part of a steering committee. The program manager is responsible for driving overall efforts. Project managers and other key members contribute to workstreams. Team members should be familiar with the program generally, and flexible enough to deliver on a variety of efforts. This structure ensures progress towards the target state over time.
New cyber threats are guaranteed to emerge, as will new opportunities to limit risk. The Cybersecurity Program Office will guide the organization toward improving its response to risk. Assessing the environment, identifying gaps and defining the target state are iterative activities without an end. Defining a target state is essential for analyzing gaps, but there is no final target state.
At the webinar, we offered guidance for communicating how security risks are being managed.
- Have a common language. Strive to be easily understood and be consistent in usage. A term like “high risk,” for example, should be defined rigorously and convey the same meaning to all stakeholders.
- Share the road map at every meeting with senior leaders. This makes it easy to assess changes in plans and achievements since any prior conversation. Meet regularly with senior leadership and provide consistent, meaningful metrics. Show changing values for established measurements to highlight progress and issues. Mathematical and statistical metrics work, even with limited data. Focusing on threats as they pertain to corporate objectives and protecting crown jewels (i.e., key data assets) gets the entire organization aligned on priorities.
- Educate senior leaders about the incident response process before you need to enact it. Many organizations realize they’ve missed this step only after the fact. Organizations who have avoided a security incident thus far can avoid confusion in any future crisis by walking through procedures now.
Efficient Use of Resources
The availability of capable security practitioners is limited. We offered approaches to mitigate scarce resources.
- Trusted partners can help with assessing current state, setting up and managing the Cybersecurity Program Office, developing meaningful metrics and performing other functions. A partner’s resources can address skill gaps and – with broad-based, security-specific experience – influence the team with fresh ideas, sparking innovation.
- Look for opportunities to embed efforts into existing processes and initiatives. Resources from the business units will broaden the perspective of the entire team.
- Select experienced security professionals strategically: assess their expertise in the technologies your organization’s IT strategy designates. Also consider investing in the training of junior talent as an integral part of your organizational long-term cyber talent development strategy. This will offset the high cost of hiring experienced cybersecurity staff for an immediate need in an already tight labor market.
Benefiting From the Program Office
The pressure to manage cyber risk has never been greater. Establishing a Cybersecurity Program Office has accelerated program maturity for clients we know. It sharpens the focus on objectives and helps to clearly define and communicate them. Finally, through continuous focus, consistent reporting and augmented expertise, it fosters a culture of cybersecurity, without which many of the security efforts cannot take root.
To listen to the entire recorded webinar, including the Q&A portion, click on this link.