Cybersecurity

How aligning cybersecurity with strategic objectives can protect your business

IT teams must educate board members about the potential business impact of cybersecurity breaches.


Javvad Malik
Lead Security Awareness Advocate, KnowBe4

  • The threat landscape is changing fast and businesses must prepare for emerging risks.
  • Poor communication between IT professionals and C-suite executives can lead to cybersecurity risks being overlooked.
  • For cybersecurity to be truly effective, it needs to be part of an organization’s culture.

Board members and C-suite executives routinely face the challenge of managing business objectives while keeping investors and shareholders happy. Their priorities are focused on business goals, such as increasing the company's profitability, staying ahead of the competition, looking for the next innovative idea, encouraging employee engagement, and being able to pay dividends to shareholders in a harsh and challenging business climate. Their brains are wired to look at things through a business lens.

Unfortunately, this doesn’t bode well for cybersecurity professionals, whose approach tends to be more narrowly focused on technical goals. Many don’t take the time to understand how they can make their goals align with the company’s overarching strategic objectives. As a result, IT professionals are often unable to demonstrate the net business impact of potential security risks. For this reason, security needs often fly under the radar of executives and board members, only coming under discussion when a major situation has occurred.

Within many companies, this lack of communication, rooted in a failure to see how the company's technical goals connect to its strategic aims, has opened a major divide between the board and C-suite executives on one side and the cybersecurity team on the other. But this does not have to be the case.

Cybersecurity is not a technical problem, it’s a business problem

The threat landscape is changing fast, making it difficult for organizations to stay ahead of today’s emerging risks. Many companies think the answer to this challenge is to throw more money at the problem and implement various security solutions in an attempt to prevent attacks.

However, cybercriminals are generally successful not because their attack methods are so sophisticated that they fool security solutions, but because of fundamental corporate security issues that remain unaddressed. Examples of this include problematic behaviour by end-users (e.g., failing to spot phishing emails), lack of security in the supply chain, and procedural failures where employees might have the right technology at their disposal but aren’t monitoring the right alerts or are unable to correlate events to take the right action.

At its core, therefore, cybersecurity is not a technical problem – it’s a business problem and a behavioural issue. Organizations need to adopt a different approach to security, one which understands that the goals of both IT teams and company executives are interconnected. Security goals and the strategies to meet them need to be set by top leadership, and specific security objectives should also be built into staff performance goals and supplier performance measurements to drive behavioural change. Implementing effective security programmes and improving the security awareness of both employees and partners can help companies better protect their assets and information and avoid the fall-out from breaches, helping them meet their business objectives.

Bridging the communications divide

So how can this be accomplished? To overcome the communications divide between IT and executives, there needs to be active dialogue and continuous engagement between the two parties. More specifically, IT teams must educate board members about the potential business impact of security breaches and help them understand that security goals and business objectives can be strategically aligned.

Before they can accomplish this, however, cybersecurity personnel need to take the time to understand business strategy and objectives and develop a security strategy that supports these. Demonstrating a clear link between security and business goals will go a long way towards ensuring that the board and C-suite executives both understand and will be willing to approve initiatives to enhance corporate security.

At the same time, board and C-suite executives also need to communicate their security concerns and priorities to cybersecurity teams. It is important that they understand that IT professionals have a technical perspective, and they need to provide them with strategic guidance and support while clearly communicating the company’s business goals. And, perhaps most importantly, they need to accept that poor security is, in fact, a business problem and set their priorities accordingly.

One last tip to keep in mind is that cybersecurity teams should provide half-year and annual information security reports to company executives that demonstrate how agreed-upon security objectives have been executed, and how they have supported business strategy. This will help both the board and company executives see where the security budget is going, and the return on investment that the business is seeing as a result.

Damaged but not broken

Cybersecurity teams and executives within many companies are often at odds when it comes to priorities and goals, causing a tremendous disconnect that leaves companies divided. But while the relationship may be damaged now, it’s not broken – and it can be fixed.

As with any relationship, before attempting to fix the communications process, it’s important that both parties agree that the current method is not sustainable. Each must make an active effort to change their approach and understand the other side’s perspective.

Culture of cybersecurity

In his book Culture Rules!, John Childress says, “You get the culture you ignore”.

For cybersecurity to be truly effective, it needs to weave its way into the fabric of the organization’s culture. Communication is the first step in bridging the gap. This includes transparency and normalizing discussions of challenges, errors, or misconceptions.

With a little give and take from both sides, it won’t be long before these one-time opponents become the best of teammates working towards aligned business and security goals.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

© 2024 World Economic Forum