In this way, you translate security ambitions into clear business goals

Cybersecurity is a technical craft with technical language and seemingly complex goals. For the uninitiated, it’s not always clear what needs to be done and why. This is problematic as most C-Suite tends to fall into this category. How do you do the translation?

Buzzzzz… Sphere 23 has no shortage of trendy words. We shouldn’t call WithSecure’s (the B2B division of former F-Secure) annual security conference in Helsinki that. Rather speak of one coSecurity U.NConference. When we pull out the pressure washer and spray off the thick layer of marketing paint, we discover a vision of safety that comes from experience and a close relationship with partners and customers. In fact, on the stage we see useful tips that you can use yourself.

From technical language to understandable objectives

Specifically, it’s about security and how to deal with it exactly. WithSecure understands where the shoe pinches. “Cybersecurity is often too technical,” recognizes CISO Christine Bejerasco. This awareness is growing in the industry and plays a central role here. “Security specialists are accused of being too technical and creating a gap to the executive level,” says Bejerasco. “Trade terms and products must give way to more understandable business language.”

Technical terms and products must give way to more understandable business language.

Christine Bejerasco, Ciso With Secure

WithSecure’s marketing bozos mention the vision to ensure this Outcome-based security. Does that mean you don’t secure for the sake of security, but link security goals with the goals of your company? What is the core business? And how do you protect them from the most important cyber risks? The approach is not unique: Most security professionals today preach to integrate security more deeply into the enterprise. You have to, because the budget is not infinite and a digital wall around a company is never high enough to guarantee 100% security.

results as a starting point

WithSecure has adapted its business model to this new reality, claims Sivu Silvanto. As head of product marketing, she knows there is a technology jungle to search based on the right mix Results. “Technology alone cannot withstand all attacks,” she says. “It needs to be combined with services.” This combination is achieved by taking outcomes as a starting point for defining a strategy.

What does this strategy look like? Will it be described in a 25-page technical e-book that only highly skilled cybersecurity specialists can use? And how do you intend to get the company on board in this case? Bejerasco provides the tools to create a baseline strategy that serves both as a starting point for the technical story and as a benchmark for discussions with senior management and the board.

Business Model Canvas for Security

It’s at the base Safety Results Canvasthat is inspired by it Business Model Canvas. The latter is based on the work of Alexander Osterwalder and is considered a popular model for developing new business models or for mapping existing models. In other words, it’s a document tailored for less technical and more business-oriented colleagues.

The canvas consists of seven regions. You have to fill it in briefly each time. The end result will hopefully be a document that goes beyond the temporary strategy, identifying challenges and goals and most importantly linking them to the broader corporate mission. This specification is critical to the transition between cybersecurity and the wider enterprise.

Let’s go through the following:

• business results: Your story starts here. What does your organization want to achieve? What are the main goals? In the case of ITdaily, for example: informing readers about the most important developments in the B2B IT landscape and supporting partners in reaching an interesting target group.
• main risks: What are the biggest risks to business outcomes from a digital perspective? In our case, that would be problems with the ITdaily server or a hack in our digital infrastructure. In this case, we can no longer achieve our business goals.
• safety results: Here you do the translation for safety. What targets are required to mitigate the key risks? To illustrate again, at ITdaily this is account protection to prevent unauthorized access, as well as server-level security and patching. “Safety outcomes are the glue that binds safety initiatives to your organization,” says Bejerasco.
• Great Opportunities: What is already happening in the organization that allows you to implement the security outcomes? This could be a cloud migration or another transformation project. You can then immediately include security in it. We don’t intend to do that, but a change from ITdaily to another hosting provider, for example, is an excellent time to take a closer look at the security involved.
• key initiatives: What initiatives are already in place and what are needed to achieve the safety outcomes? “Please note that the canvas should not be larger than A4,” says Bejerasco. “Hold on short.” In our example, we could mention the introduction of MFA, phishing awareness, and a patch and update policy review.
• key resources: What do you need? Break that down into people, process, and technology. Everyone understands this terminology. Summarize what you already have and use, what you need to use and what’s new. The same applies to the processes: which ones are already running well, which ones can be improved and which ones do you need new? And which people will do what? At ITdaily, WordPress would be an option together with Microsoft 365. Our processes for getting articles online and contacting the developers are important, and as far as people are concerned, we have to trust the hosting provider, the developer and the journalists.
• costs: What will all this cost? It’s not always easy to put a price on initiatives, but you can give a hint. For example, what is the salary of the developers at ITdaily? How much does additional DDoS protection with the hoster cost? How much does Microsoft 365 cost?

That’s quite a sandwich, but as you can see, the whole story ties together. You can perfectly execute the reverse movement from cost price to initiatives and results to business goals.

Long-term foundation?

As a security specialist, you can build a technical story on this in your department. Opposite the C-Suite you have a handy document to clearly explain what needs to be done and why.

This is probably not the end of the stocking. Especially for non-technical profiles, cyber risks sometimes remain vague. It’s not for nothing that Orange Cyberdefense has invested the necessary money in a virtual game to let C-Levels experience the effects of an attack on their domain. Something like this remains relevant to this document, but it’s a useful step. As a security expert, creating the Security Outcomes Canvas requires relatively little effort.

matter of trust

The next phase will be technical again. Who will you rely on to carry out your security projects? What projects and services are needed. WithSecure, on the other hand, emphasizes the importance of trust.

“Many companies talk about products, but the most important question remains who to trust,” explains CEO Juhani Hintikka. No matter who you trust, a solution will never come for free. With the Security Outcomes Canvas, you at least have a tool to better explain the what and why of products and services.