What are we trying to accomplish?
Many organizations do security for security's sake. There is a legitimate higher purpose for what they should be doing, but if no one on the team knows the higher purpose, does it matter? It is important to ensure security teams have clarity of purpose. If they can connect their day-to-day work to a higher purpose, they are more likely to do a great job in protecting the organization. If they are going through mundane tasks with little understanding of why, they are more likely to make mistakes.
There are some specific pieces of information that security leadership should be aware of. The first is the relationship between cyber risk and business risk.
Cyber risk is business risk
Cyber risk is business risk. Cyber security matters because it is designed to protect the organization from harm. If a system is breached or information is stolen, the impact is a business impact. If a negligent employee discloses regulated information...