Intelligent CXO Issue 23 | Page 67

BUSINESS INSIGHTS

committee's priority is to ensure that their specific business area is achieving the expected results and delivering a good return on investment for the company.
When it comes to a cybersecurity committee, the main remit is to ensure that the company's security strategy and capabilities align with its overall business objectives. Increasingly this means delivering cyber-resilience.
Cybersecurity's core function is to protect the value of the business by mitigating cyber-risk, but it's also vital that it is a business enabler. The committee should be monitoring whether your cybersecurity strategy and supporting security stack are delivering maximum ROI – a good strategy should support multiple business value pillars.
A cyberattack can damage your organisation through operational downtime, data loss, regulatory fines and loss of customer trust. These in turn affect profitability and therefore decrease value for the company's shareholders. The cybersecurity oversight committee helps ensure that all security investments and activity are directly aligned to this core objective of improving resilience to protect and enable business value.
The need for more actionable security data
When establishing a cybersecurity oversight committee, use it as an opportunity to implement a more objective, results-driven approach to security.
There is a tendency to pair security with compliance. Many firms base their strategies around complying with regulations like GDPR and frameworks like NIST.
This is an attractively straightforward approach, providing a list of tools and processes to tick off. However, security is never a case of one size fits all, and these frameworks cannot cater to individual organisations' distinctive risk profiles and infrastructures.
Raghu Nandakumara, Head of Industry Solutions at Illumio
Often what looks good on paper will not hold up against a real threat. Meeting a self-established security standard is meaningless if the standard itself is flawed, and a risk audit may simply fail to find vulnerabilities because it is looking in the wrong places.
To drive real value from your cybersecurity programme, you must go beyond ticking boxes and look at the risks unique to your operations instead. Start with the most significant dangers facing your business. What are your biggest threats? What assets are most at risk if an attacker gets into the environment? How prepared are you for this happening?
The oversight committee will want answers to all these questions. This means going through each stage, from the initial compromise to the fallout of a full-blown incident. It is important to test the security controls themselves, rather than just the configurations behind them.
Proactive measures such as red teaming exercises are valuable here. Having a team of professionals act as a threat actor determines how effective your defences are against a skilled and determined adversary. Further, it will help to highlight any overlooked gaps and vulnerabilities.
www.intelligentcxo.com