7 tough IT security discussions every IT leader must have

Talk may be cheap, but when it comes to IT security, strategic conversations with colleagues, business partners, and other relevant parties can be priceless.

The value of addressing cybersecurity issues through ongoing discussions is getting corporate alignment on effective and robust strategies, says Roger Albrecht, co-lead of the cybersecurity unit at technology research and advisory firm ISG.

“Such discussions ensure the integration of cybersecurity initiatives and resource requirements in the enterprise’s business goals and objectives,” he adds. “The discussions address changing regulatory and compliance requirements, and reveal vulnerabilities and threats for risk mitigation.”

Ongoing IT security strategy conversations should address the organization’s cyber risk and arrive at strategic objectives, Albrecht says. “Such conversations … should conclude with clear actions, benefits, timelines, and the budget and resources required to close gaps.”

For IT leaders looking to establish a more robust cybersecurity strategy, the following seven questions are key prompts for the kinds of in-depth cybersecurity strategy conversations you should be having with C-suite colleagues, business partners, and IT staff.

1. Are our systems adequately modernized for security?

Organizations should discuss ways they can modernize their technology infrastructure to support architectures in which security is built in, not simply bolted on, says Google Cloud CISO Phil Venables.

Legacy systems are often inherently flawed because they weren’t designed to be defensible in the way more modern architectures — typically public or private clouds — are. Venables observes that there have been many cases over the past decade in which enterprises have invested deeply in cybersecurity products yet haven’t upgraded their overall IT infrastructure or modernized their approach to software development.

“This is equivalent to building on sand,” he states. “Without continued focus and investment into IT modernization, organizations will not be able to realize the full benefits of the advances in security, leaving their organization vulnerable to malicious activity.”

Venables recommends that modernization conversations should be held in boardrooms, executive leadership meetings, and business unit–specific strategy sessions.

“Ultimately, as long as the discussions are happening among the right stakeholders, and a roadmap is being activated, the organization is setting itself up for success,” he says.

2. Do we address cyber scenarios to the extent that we should?

Rahul Mahna, partner and outsourced IT services leader at management consulting firm Eisner Advisory Group, believes that scenario-playing with teams and management colleagues can spur useful security insights.

What would happen, for example, if a key client’s business was shut down by a cyberattack? What would be the next steps? “This type of incident-response planning is extremely valuable in our client conversations,” Mahna explains. He suggests that such security strategy conversations shouldn’t be an occasional, one-time discussion, but a series of ongoing, periodic talks.

Beyond regular conversations, Mahna recommends holding a yearly security-focused meeting, combined with an incident-response plan test, to keep key executives and managers up to date on evolving policies, practices, and roles.

Planning what to do when a cyberattack happens is an incredibly valuable asset that should be materially qualified and quantified in a runbook, Mahna advises. “This book should be shared and made available to designated security team members to provide a path so that in the event of a security breach a well-thought-out response plan can be successfully executed.”

3. Have we fostered a culture of security?

Leaders set the tone for their organization’s IT security strategy, says Ryan Orsi, worldwide partner lead for security at Amazon Web Services. “A culture of security, in which individual employees feel empowered to move fast within approved security guardrails, leads to faster innovation cycles, faster business results, and generally happier end customers.”

Organizations that inspire individuals to innovate and move quickly within well-defined security guardrails are the most effective, Orsi says. “If you feel your organization opens tickets to request approvals from your security team before publishing items such as application updates, website updates, and database changes, you’re potentially not operating with a culture of security,” he warns. “By integrating a culture of security across leadership, you will likely feel the difference.”

4. Are we truly up to date on emerging threats assessment?

Cybercriminals never sleep; they’re always conniving and corrupting. “When it comes to IT security strategy, a very direct conversation must be held about the new nature of cyber threats,” suggests Griffin Ashkin, a senior manager at business management advisory firm MorganFranklin Consulting.

Recent experience has demonstrated that cybercriminals are now moving beyond ransomware and into cyberextortion, Ashkin warns. “They’re threatening the release of personally identifiable information (PII) of organization employees to the outside world, putting employees at significant risk for identity theft.”

Ashkin believes that security leaders should strive to relocate as many on-premises infrastructure resources as possible, thereby shifting cyberprotection responsibilities to cloud providers. Additionally, regularly scheduled management conversations should lead to key decisions, such as potential investments in augmented security tools, updated security awareness training materials, additional communication with end users to raise awareness about the latest security threats, and any other relevant steps needed to address and mitigate employee risk.

5. Do we have a truly effective incident response plan in place?

Every enterprise needs to hold a conversation focusing on incident response, recommends Zachary Folk, director of solutions engineering at cybersecurity firm Camelot Secure.

Planning is critical, Folk says. Discussions should include the enterprise’s executive staff, including the CIO, CISO, CTO, the incidence-response team coordinator, and all department heads. The meetings and conversations should lead to the development or update of an incident response plan, he suggests. The discussions should also review mission-critical assets and priorities, assess an attack’s likely impact, and identify the most probable attack threats.

By changing the enterprise’s risk management approach from matrix-based measurement (high, medium, or low) to quantitative risk reduction, you’re basing actual potential impact on as many variables as needed, Folk says. “By using simple Monte Carlo simulations and data gathered from your enterprise you can give senior staff members an actual probability of loss, potential occurrence, and impact.”

6. Are we achieving maximum ROI on our security investments?

It’s time to stop running away from security ROI conversations, states Brian Contos, CSO at IT asset visibility and cybersecurity company Sevco. Enterprises have invested heavily in CMDB, SIEM, SOAR, EDR, vulnerability management, and related solutions, he notes.

“To achieve value for these solutions, enterprises need to ensure that the information flowing into them, such as asset intelligence, is timely, accurate, and deduplicated,” he says. Strong asset intelligence within enterprise-class security solutions won’t just help you better mitigate risk; it will improve the ROI on those investments.

The ROI conversation should result in security, IT operations, and GRC (governance, risk, and compliance) teams gaining better visibility into their environment, Contos says. It should focus on everything that’s good and bad while identifying the areas requiring the most rapid improvement. Prioritized actions can then be assigned to the appropriate teams to address topics such as licensing, process improvement, vulnerability hunting, security control visibility, and regulatory mandates.

“Ultimately, mitigating risk and maximizing ROI should combine when asset intelligence is utilized to enrich the effectiveness of existing tools focused on security, IT operations, and GRC,” he advises.

7. What is the true extent of our financial exposure?

Perhaps the most critical IT security strategy conversation focuses on answering a single question: “What financial loss would our customers face if our IT systems went down?”

The goal of these discussions should be establishing a secure, robust, and resilient IT environment, one that customers can be sure will remain up and running, allowing products and services to be delivered without interruption, says Rob Fitzgerald, field CISO at managed services and IT strategy firm Blue Mantis.

This conversation should occur no less than annually, and ideally before budget season so the CIO and CISO can plan accordingly, Fitzgerald advises. If any major business-impacting events occur, a conversation needs to happen during those times as well, he says. “For example, if an organization is going to sell off a division or acquire another organization, the CIO and CFO have a fiduciary obligation to re-evaluate the fiscal loss customers would face should the organizations’ IT systems become unavailable.”