Map security posture to organisation’s business objectives
As organisations go through their digital transformation journey, the cybersecurity function needs to be perceived as a business enabler. Aligning your cybersecurity strategy with your business objectives and applying the right level of cybersecurity controls supports your business in achieving regulatory compliance, business resiliency, and the maintenance of brand reputation and market trust.
In order to achieve this alignment, it is necessary to have a champion with cybersecurity experience, a technical foundation, strong business acumen and excellent communication skills at C-level or Board level. Unfortunately, such talent is scarce. Organisations that cannot afford a full-time internal champion or CISO could leverage a CISO-as-a-Service instead.
To mitigate risks, we apply the appropriate controls or risk treatment. Very often, the decision on what level of risk treatment to apply is based on an organisation’s willingness to accept a loss, or in other words, its risk appetite. Typically, the cost to protect an asset should not exceed the projected loss of the asset. Therefore, it is crucial to identify your organisation’s “crown jewels” and their value, and to understand what it takes to protect them.
In fact, at Lumen, we often find ourselves helping organisations, both large and small, to develop the strategy in a manner that enables them to optimise their security investments and protect the “crown jewels” using a top-down, risk-based approach.