Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.


Facing the Challenge of Aligning Cybersecurity and Business

Most security leaders have been regularly hit with the common question, “How secure are we?” from a business executive or board member. Despite the simplicity of the question, the answer is complex, and requires more than sharing a spreadsheet of the vulnerabilities that have been tackled this week. Quantifying and communicating an organization’s level of cyber risk in terms business leaders can understand remains a challenge for security leaders, one that can impede cybersecurity investments as an organization grows.

Ninety-four percent of global organizations have experienced at least one business-impacting¹ cyberattack in the past year, according to a recent study conducted by Forrester Consulting and commissioned by Tenable. The study, which surveyed 416 security and 425 business executives at mid-size to large enterprises, also revealed a disconnect between the expectations of the business and the realities facing security leaders. As organizations shift to remote work in the midst of the COVID-19 pandemic, identifying cyber threats across the attack surface—and understanding which of these presents the greatest risk to the business—becomes increasingly challenging. In addition, security leaders need to be prepared to justify their investments in the face of a potential economic downturn as the result of prolonged lockdowns. With cybersecurity now a topic receiving increased board-level scrutiny, security leaders can expect to face growing pressure to demonstrate results to the business.

Evolving to Business-Aligned Security Leadership

The study aimed to identify key challenges and help security leaders initiate a meaningful dialog with their business counterparts. From its findings, four key themes emerged:

  • Cybersecurity threats thrive amidst a climate of uncertainty. Forty-one percent of decision makers reported that their firms had experienced at least one business-impacting cyberattack related to COVID-19 in the prior 12-month period, as of April 2020.
  • There is a disconnect in how businesses understand and manage cyber risk. Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Only four in 10 security leaders (43%) report they regularly review the security organization’s performance metrics with business stakeholders.
  • Business leaders want a clear picture of their organizations’ cybersecurity posture, but their security counterparts struggle to provide one. Just four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence.
  • Cybersecurity needs to evolve as a business strategy. This can’t happen until security leaders have better visibility into their attack surface. Just over half of security leaders report that their security organization has a holistic understanding and assessment of the organization’s entire attack surface, and fewer than 50% of security organizations are using contextual threat metrics to measure their organizations’ cyber risk. This means their ability to analyze cyber risks and to prioritize and execute remediation based on business criticality and threat context is limited.

The study further shows that when business and security leaders are able to achieve alignment, the business benefits are significant. For example, the study found that business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers. This type of leader is also eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations’ level of security or risk.

Tackling cyber risk and alignment amongst leadership starts with the right combination of people, technology, data, and processes. Some organizations start by appointing leadership: organizations that have tight alignment between business and security are 2.3 times more likely to have a BISO or similar executive. From there, many organizations move to implementing strategic security solutions, analyzing vulnerability data based on risk, establishing an escalation and remediation process, and communicating results and risk in business terms. While there is no “one-size-fits-all” approach to understanding and communicating risk, we can start by working together as an industry to begin formulating the kinds of business risk metrics that will be most meaningful to C-level business leaders.


¹“Business-impacting” relates to a cyberattack or compromise that resulted in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.



Marty Edwards, Tenable
Marty Edwards is a globally recognized Operational Technology (OT) and Industrial Control System (ICS) cybersecurity expert who collaborates with industry, government, and academia to raise awareness of the growing security risks impacting critical infrastructure and the need to take steps to mitigate them.

As Vice President of Operational Technology Security at Tenable, Edwards works with government and industry leaders throughout the world to broaden understanding and implementation of people, process and technology solutions to reduce their overall cyber risk. As industry Co-Chair of the Control Systems Interagency Working Group (CSIWG), he works to promote and advance OT security across the public and private sectors.

Prior to joining Tenable in 2019, Edwards—a 30‐year industry veteran—served as the Global Director of Education at the International Society of Automation (ISA). While at ISA, he was recognized by his industry peers with the SANS ICS 2019 Lifetime Achievement Award. Prior to ISA, Edwards was the longest‐serving Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT).

Edwards also served as a program manager focused on control systems security at the Department of Energy’s (DOE’s) Idaho National Laboratory (INL) and has held a variety of roles in the instrumentation and automation fields. Edwards holds a diploma of technology in Process Control and Industrial Automation (Magna cum Laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received the institute’s Distinguished Alumni Award. In 2016, Edwards was recognized by FCW in its “Federal 100 Awards” as being one of the top IT professionals in the U.S. federal government.
