Connecting a cyber security program to business objectives is critical to get management buy-in, a leading figure in cyber services said.
Ahead of the inaugural Cyber Security Summit 2023, Kmart Group’s Sam Fariborz said getting management buy-in is the key to the success of the enterprise security program.
This requires cyber security and IT teams to align enterprise security measures with their business’s objectives, Fariborz, Kmart Group’s manager of cyber services and program, asserted.
“Our executive teams always want to understand the benefits of allocating parts of their budget to any security programs, and how the program could help the business kick goals,” Fariborz told Cyber Security Connect.
Fariborz’s comments preceded her session at the first Cyber Security Summit, where she will be underscoring the importance of enterprise cyber security, the cyber threats for organisations, and how they could mitigate these risks.
Securing management buy-in could transform the organisation because security culture cascades down to cyber security and IT teams and other employees in the organisation, Fariborz reasoned.
Education also boosts awareness and could further embed this enterprise security culture, she added.
Enterprise security includes three pillars (people, processes, and technology) and forming this holistic view is critical to managing data, Fariborz explained.
“Data is power these days, so the goal should be to secure our data through managing our people, processes, and controls,” she said.
“We need to connect the dots between the pillars and see the big picture of how to manage and secure our data in a better way.”
Mitigating risks begins with organisations assessing them to understand the threats.
“Everything starts with assessing and understanding risk before boosting cyber security based on these risks,” Fariborz said.
To assess threats, cyber risk analysts and security engineers must first identify the assets in their organisation, using security frameworks and standards chosen according to the type and size of the organisation.
“There are some technical and non-technical security frameworks that they can use to identify risks,” she said.
The US National Institute of Standards and Technology (NIST) Cybersecurity Framework is a non-technical framework that can be used to identify risks and the areas that require improvement.
It can also help cyber security teams translate risks to a language that executives can understand, Fariborz said.
These teams could then use technical frameworks such as the Center for Internet Security (CIS) Benchmarks.
“After using NIST to define their weaknesses, they can use the CIS benchmark to focus on one weakness and see what needs to change and how to implement it from a technical standpoint,” Fariborz said.
“All of these things should be connected together to form a holistic and detailed view of an organisation’s risks, and how they are tackling threats from a technical perspective.”
Fariborz reiterated Cyber GC principal Anna Haggar’s stance that bolstering cyber security is every employee’s duty, not solely that of the cyber security team.
“The culture of an organisation is essential for the success of cyber security programs,” she concluded.
To learn more from Sam Fariborz about how to protect your business’s data in all its forms, why enterprise cyber security is so important, and best practices for merging physical and cyber security to keep your data safe, come along to the Cyber Security Summit 2023.
It will be held on Thursday, 1 June 2023, at Hotel Realm, Canberra.