Embracing a Risk-Based Approach to Cybersecurity: Beyond Control-Oriented Strategies

Effective Cybersecurity Strategy: Shifting Focus from Controls to Business Outcomes

In today’s rapidly evolving threat landscape, security leaders must reevaluate their approach to strategic goal-setting. Devin Rudnicki, CISO at Fitch Group, emphasizes the importance of aligning security objectives with corporate priorities, rather than solely focusing on implementing controls. This approach enables security teams to demonstrate measurable progress and justify investments in terms of business value.

The Biggest Mistake in Defining Strategic Goals

Rudnicki identifies the biggest mistake security leaders make when defining strategic goals: failing to tie objectives to business outcomes and secure enablement. Instead of focusing on implementing specific controls, security goals should be framed around outcomes that protect revenue, customer trust, and uptime. At Fitch, Rudnicki has transformed the information security strategy to be outcome-based, aligning with corporate objectives, addressing key cyber risks, and adhering to industry standards.

Balancing Innovation Speed with Security

When faced with the challenge of balancing innovation speed with security, CISOs must present decision-makers with mitigation options that lower risk while enabling innovation. This can be achieved by implementing new tools in a secure “sandbox” to validate potential business benefits and understand the risk profile. Rudnicki stresses the importance of proportionate mitigation measures, ensuring that safeguards are commensurate with the value of the assets being protected.

Key Strategic Metrics

In terms of metrics, Rudnicki advocates for tracking three key strategic metrics: value, risk, and maturity. Value metrics demonstrate the return on investment (ROI) or objectives and key results (OKRs) of major cybersecurity investments. Risk metrics track enterprise cyber risk over time, enabling executives to make informed strategic decisions. Maturity metrics measure cybersecurity maturity scores against target scores, providing a benchmark for progress over time.

Maturity models can be a useful tool in measuring security strategy success, but they should not be the sole measure. While they provide a shared language between security and leadership, they can also lead to checkbox thinking. Rudnicki emphasizes that maturity does not equal 100% security and that even the most mature security programs can experience cybersecurity incidents.

Automation and Human Judgment

When deciding what to automate, teams should consider not only risk reduction but also whether automation creates capacity for people to exercise judgment, develop expertise, and engage more deeply with the business. Human-in-the-loop decision making remains crucial for high-risk decisions and accountability, particularly for tasks involving people. Effective automation focuses on repetitive, routine tasks, freeing teams to focus on strategic, higher-value work.

A Successful Cybersecurity Strategy

Ultimately, a successful cybersecurity strategy requires a shift in focus from controls to business outcomes. By aligning security objectives with corporate priorities, presenting risk in terms leadership can act on, and balancing innovation speed with measured risk, security teams can demonstrate measurable progress and justify investments in terms of business value.
