The last two years have put security leaders, their teams, and their programs to the test — and very much in the spotlight. Boards and executives now understand how closely trust is tied to business resilience and viability and are increasingly looking for the unique guidance and perspective a security leader has to offer. How should security leaders seize this spotlight to move their programs forward? It often happens one conversation, one process change, and one investment at a time.
According to Forrester data, security leaders spend, on average, 65% of a typical workday on nontechnical and operational activities. To help CISOs be more purposeful in their focus on the skills and actions needed to change the security conversation in their organizations, and to enable the key levers of customer trust, we built the Forrester High-Performance Security Program Model: a distillation and continuation of the work Forrester’s done with our clients over the years to embed security into the business foundation. It’s not a set of boxes to check but a representation of continuous efforts on the part of security leaders to put the business and the customers they serve at the center of their programs. These efforts are critical to changing security cultures and, in turn, earning and maintaining customer trust.
Build The Foundation Of A Trusted Business With The Right Program
High-performing security programs deliver the foundation of the trusted business by focusing on the levers of trust they affect the most: competence, integrity, and empathy. Our research helps security leaders use these levers to align their programs, refine their organizations, and empower the business to go to market on trust. The current research portfolio will help security leaders:
- Better understand themselves and how their security leadership type fits with their firm, its current needs, and corporate goals.
- Hit the ground running in their first 100 days in a new leadership role — or hit the reset button in their current role.
- Design and implement transformational security awareness initiatives that win the hearts and minds of execs, employees, and customers alike.
- Cast a wider net to recruit diverse security talent.
- Communicate more effectively with the board by creating meaningful, educational, and engaging content with empathy for its members.
- Leverage cyber risk quantification to translate security outcomes into financial terms.
- Select a consulting firm to help streamline time-consuming tactical activities.
Next, Proactively Engage
Security leaders must proactively engage with the business to securely evolve its practices to meet customer expectations and gain competitive advantage. Our new research will give security leaders the insights to continue the security conversation across topics including:
- Organizational structure. As security, risk, and privacy rose in importance over the last decade, technology organizations have evolved organizational structures and delineated security roles and responsibilities across functional teams, often separating the governance of information security and privacy from more operational tasks. We’re putting the finishing touches on a customizable RASCI chart that security leaders can use to better delineate lines of accountability across increasingly complex and distributed organizations.
- Business alignment. To take business alignment from a near-hackneyed term to a living, breathing reality, security leaders must invest in a living, breathing person (or people) in the BISO (business information security officer) role. These people will work directly with business leadership (ideally as a member of a business unit’s management team) to understand cybersecurity compliance and risk management needs and bring them back to the security team to develop solutions to meet the needs of the business. Stay tuned for a detailed description of this increasingly needed role.
- Talent retention. Attrition and the increasing amount of time needed to backfill critical security roles leaves security programs vulnerable. Implementing a formal succession planning process mitigates risk and increases employee satisfaction and retention. “Succession Planning Is A Business Resilience Imperative,” based on a leadership track session at Forrester’s Security & Risk 2021 event, will provide security leaders with best practices for launching and maintaining a security-specific succession planning program in their organizations.
- Greater collaboration. An upcoming report, also based on an engaging presentation by Jeff Pollard at Security & Risk 2021 (entitled “Security Matters. Now What?”), will detail how security leaders handle the increased importance and visibility — the aforementioned spotlight — of cybersecurity across the organization.
So what does leading security in 2022 mean to you? The team leading our research focused on security leaders and their programs — Jinan Budge, Paul McKay, Jeff Pollard, and yours truly would be happy to speak with you about your leadership priorities, plans, and related presentations. Reach out to your account team to schedule a guidance session.