Cybersecurity strategies must align with business objectives, but that's difficult because most boards of directors don't understand security, says Lance Hayden, managing director at the consultancy Berkeley Research Group.
"Security needs to be a part of the corporate enterprise strategy, which means security needs to be part of what the organization uses to competitively differentiate itself from other organizations," Hayden says in an interview with Information Security Media Group. "We're going to see some companies that get really better at defending themselves, and we're going to see other companies that get better not only at defending themselves, but at leveraging what they're doing in that regard to actually compete in the marketplace."
Hayden views cybersecurity as a "strategic intangible" that resembles processes such as talent management or innovation management that are difficult to measure or assess. "They involve things like culture, as well as tangible assets. But no one would probably think that innovation and talent management are not important to an organization's strategic success."
As organizations develop a better understanding of cybersecurity, they'll "start realizing there is so much more to this in terms of what we can do with it strategically than just making sure that things don't break on our watch," Hayden says. "Boards that get ahead of that curve and figure out how to leverage it as an asset are going to see themselves ... pulling ahead of their competitors, because they're going to use cybersecurity as part of their portfolio of strategic assets. Other folks will struggle just to keep those operational fires burning and [not know] how to turn it into something of more value."
The Year Ahead
Hayden predicts cybersecurity strategies will continue to mature in the year ahead.
"In 2016, you're going to see people really realizing how involved, complex and broad security is," he says. "It's not just devices that live in a data center that protect the flows of data. ... It's about the culture of the organization. It's about how they look at who they are, what they're doing and what protecting digital assets means to all of that."
During this interview, Hayden also discusses:
- Why cybersecurity is more than just an element of risk management;
- How public scrutiny of data breaches has led to a market demand for better security; and
- How organizations need to move beyond the operational aspects of cybersecurity to improve overall efficiency and productivity.
Hayden has worked in information security for 25 years, beginning his career as a human intelligence operations officer with the Central Intelligence Agency. He's been a security adviser to government, military and enterprise customers across banking and finance, insurance, healthcare, retail, energy and Internet service providers. Before joining Berkeley Research Group, Hayden developed and managed a boutique IT governance, risk and compliance consulting practice inside a global networking and technology company.