Organizations are increasingly required to meet evolving cybersecurity regulations and implement new technologies to protect critical assets and keep the business running—but how can they keep up? As senior leaders are looking to understand the cybersecurity-related risks to their business, we often hear the question, “Are we secure?” Unfortunately, what seems to be a simple question cannot be addressed with a simple answer, and “It depends.” is not an answer senior leaders want to hear in regard to their security program.

As the frequency of cybersecurity incidents continues to increase, organizations must be able to quickly identify threats and mitigate the vulnerabilities that are most likely to impact their business while also complying with new regulations. Shifting the question from “Are we secure?” to “What are our cybersecurity risks?” and “How are we managing them?” can be challenging but necessary as we continue to see new breaches every week.

Using these questions as conversation starters, security officers can leverage the interest in cybersecurity to better understand what senior leaders are concerned about and gain a clear picture of the highest business priorities. Understanding these priorities can then help security officers and managers focus on what matters most, enabling them to build a resilient cybersecurity program, rather than simply chasing a checkbox.

Many organizations quantify business risks but don’t know how those risks relate to cybersecurity. By analyzing business risks, such as financial or operational factors, security officers can use this information to identify the organization’s greatest cybersecurity risks. To identify cybersecurity risks, security officers can translate the organization’s greatest business risks through the security triad—confidentiality, integrity, and availability—and evaluate their relative importance. Would the disclosure of data have a greater financial impact than the unauthorized modification of data? What if that same data was unavailable? The answers to these questions will likely be different when asking a healthcare organization about potential disclosure of the PII data they hold, compared to a university looking to publish research data. Every organization will have different priorities and thresholds for acceptable risk, which will require different protections to be put in place. Having a clear understanding of what your organization’s business priorities are will set the foundation for building a strategy to protect what matters most.

Existing frameworks and models, such as the NIST Cybersecurity Framework or the CMMI Cybermaturity Platform, can help organizations evaluate and manage their risks as well as align them back to compliance requirements. Dozens of security standards and regulations have been mapped and aligned to each other, enabling organizations to take a risk-based approach to identifying the cybersecurity outcomes that are most important to them and then utilize the mappings to understand any gaps they may have as a result of new regulations. By leveraging these standards, organizations can avoid having to start from scratch when every new standard or regulation is released and simply map it back to the maturity targets and cybersecurity goals they have already identified based on input from their senior leaders and the risks to their business.

Contributors: