This article first appeared in Cyber Defense eMagazine – July 2022 Edition.

As rates of cyberattacks continue to increase – and organizations continue to grapple with how effectively they are protecting themselves – companies need to find better ways to safeguard every level of the business. Many are waiting for the next great technology solution to save the day. However, they’re going to be waiting a very long time – as the problem isn’t a technical one. It’s a business issue. And the crux of the matter is that cybersecurity failures are often due to decision making failures, not technology failures.

While organizations have thrown money at the problem for years, the issue is that regardless of how large the investment, cybersecurity incidents are still happening and will continue to happen. History has shown that you can’t outspend or outsource your way out of the situation (regardless of how much you might try).

The right approach is a business-oriented approach – one that balances an organization’s risk appetite with prioritized investments to achieve a desired business outcome.

Putting your business priorities and outcomes at the center of your cybersecurity efforts should be at the heart of a strategic approach to IT and cyber risk management. By creating and managing programs that unify compliance, risk, vendor assessments, and other requirements around business objectives, you can gain the continuous, real-time insight and reporting you need to have data-driven business conversations that will help avoid and mitigate risk and prioritize the investments that optimize security.

As companies continue to struggle to effectively protect themselves, the imbalance between rising threats and low confidence is putting pressure on Security and InfoSec teams to clearly communicate risk in a way that enables leaders to make informed decisions that weigh risk tolerance, as well as cost and value, which are at the heart of every business decision. Understanding the implications of various options is what enables informed and effective decision making. An organization’s cybersecurity investments shouldn’t be any different.

Organizations should look to cyber risk management solutions that provide a unified, real-time view of risk and compliance that is framed around business priorities. This will provide the contextual insight needed to easily and clearly communicate with key stakeholders to make smart, strategic decisions that will protect the enterprise, systems and data – while earning the trust of customers, partners and employees.

Avoiding and managing risk in the context of business priorities and desired outcomes is imperative for facilitating productive business conversations with business leaders and executives so they understand the cyber implications of strategic decisions.

In a compliance program, controls are simply pass-fail. When the organization is “in compliance,” it has met the minimum requirements under its obligations. But being able to say “we’re compliant” is not the same as understanding to what extent implemented controls have effectively reduced the underlying risks. Compliance programs can be the foundation for establishing effective risk management with just a little more focus.

As compliance demands expand and become more complex, it becomes more difficult for companies to prioritize where to invest resources to respond to growing requirements. A better information security program moves on from “check-the-box compliance” to thinking more about risk and business context. This includes how compliance activities impact the broader organization and its strategic direction and goals.

No organization will ever have ‘perfect’ security. Businesses will always need to balance cybersecurity risks and investments against business value and outcomes. So, the goal should be to build a sustainable program that balances the needs to protect with the needs to run the business.

About the Author

Michael Maggio, CEO, CPO

Michael Maggio is the CEO and Chief Product Officer of Reciprocity. He is a serial entrepreneur and intrepreneur with a passion for building product teams. Leveraging leading-edge software stacks and complex data, he enhances existing solutions, creates new products, implements creative revenue models, optimizes operations and delights customers. Over his 30+ year career he has built startup companies from scratch to IPO in the automated testing and security spaces, reinvigorated enterprise product portfolios in F500 companies, such as CA Technologies and FIS, and has delivered cutting-edge products in mobile and location-aware markets. Michael has an MS in Computer Science from the University of Maryland and a BA/BS in Mathematics and Computer Science from Stonehill College.

Michael can be reached online on LinkedIn and at our company website https://www.reciprocity.com/