Changing the Conversation: Strengthen IT & Business Collaboration to Reduce Risk

If it seems like your IT and security leaders and your business executives are speaking different languages, you’re not alone. When one group talks about IT assets or cybersecurity tools while the other talks about functions like customer service or logistics and shipping, conversations about topics like budget and planning become difficult and unproductive. In order to bridge this gap, IT and security operations need to transition from securing computers to securing the lifeblood of an enterprise. 

This article will cover how IT and security groups can evolve from talking about processes to demonstrating how they support and provide resilience to the organization. There is a better approach, one that aligns with recent regulations and is more closely tied to how your organization operates. 


This blog is an overview of what was discussed during our recent webinar. You can watch the webinar replay here.


Transitioning to a business-centric approach

On the IT and security side, does the typical conversation in your organization sound like:

  • We patched 20 servers

  • We scanned our environment and we found 100 more software vulnerabilities

Meanwhile, on the senior leadership side, does the conversation sound more like:

  • Were we affected by the recent cyberattack that hit our supplier?

  • How much cyber insurance do we need?

The difference between these two points of view is that the business concerns are the existential threats that will stop an organization from being able to function. You can’t address those one server at a time. A patch at a time. You need to change the conversation and start thinking and operating at the same level as the existential threat. 

Changing the conversation

You need to shift the focus of security conversations to business impacts. 

Around third-party risk

Instead of focusing on, “We patched 20 servers,” focus on, “We found and fixed a risk related to a third-party supplier in our logistics operations.”

The hardest thing about this statement isn’t fixing the risk, it’s knowing which business function or process the third-party supplier supported and how your infrastructure connected to theirs. Years ago, the NotPetya attack devastated many large enterprises because they didn’t understand the points of presence for their third-party providers and the potential impact on their infrastructure. That context is what’s important. 

Around incident response

Rather than saying, “We detected an intrusion,” focus on, “We have proof that there was no penetration to our key systems, and no personal data was accessed.”

Incident response is often treated as an all-or-nothing thing. Every threat is addressed as if it is the same level of importance, and there’s very little triage. This is another area where the conversation needs to be changed because the most important thing to the business is to know what was impacted and how bad the impact was. 

Around disaster recovery

Organizations should run disaster recovery tests almost constantly, focusing on specific business functions rather than the entire organization at once. Understanding what it takes to recover high-priority business capabilities and testing those regularly ensures preparedness. 

Being resilient requires more than a general disaster recovery plan; the plan needs to be tested regularly to ensure it works, and you can’t do that without the necessary contextual information and insight into your infrastructure. 

Around cybersecurity

Efficient security isn’t about spending more; it’s about protecting what needs the most protection. Organizations should understand what the important business operations are, what they mean to the business, and realign security resources around them.

How do you get there? 

Start by shifting your focus 

Understand where your organization's “crown jewels” are and what they mean to the business. Then you can assess their risk and act on that information intelligently. 

In order to shift your focus, you need data. You need to understand your hybrid, cloud, and on-premises environments and how they align with your business operations. This is not a problem that you can solve with a lot of consultants or members of your team doing manual analysis and creating spreadsheets and inventories. What you need is automation that can detect your business processes and functions and give you the technology you need to assess their risk. Shifting the way you talk about security and IT depends on leveraging that data and technology. 

This approach is recommended by multiple regulations and standards bodies, including the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), the MITRE Corporation, the Federal Financial Institutions Examination Council (FFIEC), and the Digital Operational Resilience Act (DORA), to name just a few. 

Identifying assets within an organization can be a daunting task, so the organization should first identify the services it provides. It can then identify assets by the services they support and divide the body of assets into manageable pieces.
— CISA CRR Supplemental Resource Guide Volume 1

If you define what your IT infrastructure does based on what part of your IT organization owns it – for example, the Windows server team operates the Windows servers – you are probably not aligned with these standards. 

If the way that you identify who is responsible for what – regardless of how your business is organized – is based on who purchased things or who is paying for things, you’re probably not aligned with these standards. 

Every organization is made up of a collection of business services or functions that depend on an ecosystem of different systems, which in turn depend on one another and on third parties. All business IT is this cluster of internet resources, external third parties, SaaS platforms, stuff running in your cloud, and stuff running under your desk. In order to make sense of it, and to create the environment that these standards expect, you have to automate your understanding of your infrastructure.

Understand the connection between infrastructure and business

First, you need to understand the extent of your infrastructure. Employ comprehensive asset detection that continuously monitors how different components interoperate and automatically discovers all assets within your infrastructure. This needs to be collected into an asset inventory that includes not only the assets you own and manage but also those provided by third-party vendors and shadow IT that may have been set up without centralized oversight.

Once you know the extent of your asset infrastructure, you need to assess which business functions are supported by which components of your IT infrastructure. Leveraging automation removes the burden of manually filling in and analyzing details, and identifies dependencies and vulnerabilities automatically. This capability is akin to having a real-time map of how your IT infrastructure supports various business operations. For example, if you're tasked with disaster recovery or cybersecurity operations, this system can pinpoint exactly where to focus your efforts to maintain business continuity and mitigate risks.

Once you understand how your infrastructure supports your business functions, you need to evaluate their resilience. By evaluating how hardened, redundant, and segmented your IT assets are, you can highlight areas with the highest potential for damage as well as those that deliver the most value. This insight is crucial for digital transformation initiatives, enabling you to focus on the most impactful areas. Similarly, for cybersecurity operations, understanding where to establish robust perimeters is essential for safeguarding your organization.

Once you have this, it becomes a powerful tool for all organizational levels. It can serve as a comprehensive guide to your IT environment, providing clarity into any segment of your business operations. Whether you need to explain the significance of a particular system to a stakeholder or prioritize IT initiatives, once you know the above, you are empowered to make informed decisions. This ability becomes increasingly powerful as the size and complexity of your organization grows. It not only ensures more efficient and effective IT operations but also aligns IT efforts with overall business goals, driving better outcomes and reducing risks in today's dynamic landscape.

Better risk reduction through prioritization

Cost-effective, business-focused cybersecurity

Let's talk about how prioritization improves multiple cybersecurity functions including, but not limited to, vulnerability management, attack surface management, incident response, and improving the effectiveness of your overall cybersecurity technology stack.

Vulnerability management is straightforward: patch what matters most to the business. However, your vulnerability management group has a limited number of hours each day. Your team needs to focus on the most critical areas. Knowing which assets support your critical business functions allows you to prioritize the work where it matters most.

Having a detailed view of the intricate relationships and dependencies within your organization also enables comprehensive attack surface management. This context is invaluable for cybersecurity experts who need to protect specific parts of the environment. 

For incident response, you need to focus on what will support the business’s capability to function and not fail. Knowing where to focus during incidents like ransomware attacks is crucial. You need to prioritize which critical areas need to be addressed immediately to ensure business continuity.

Many organizations deploy various tools without assessing their coverage or impact. Knowing your business priorities allows you to comprehensively evaluate these tools, ensuring they contribute effectively to your overall security posture.

These are all things that you are supposed to be doing according to cybersecurity regulations and standards. You’re supposed to have the organization divided up into business functions and you’re supposed to be prioritizing them. This is a moving target, which makes it difficult to do manually. The list of assets that support a business function can drift 5-15% every month. You can’t just do this exercise once, put it in a runbook, and forget about it, because if you wait three months, it’s out of date. So it’s very important that you have a real-time updated picture of your company’s operations.
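As an added worked example (not code from the original post, and not Redjack’s product), the following Python model ties together the mapping step described earlier (asset inventory, dependency graph, business functions) and the prioritization and drift points made here. All asset names, criticality values and scan findings are constructed placeholders. It shows how a dependency graph lets you compute which assets transitively support a business function, how weighting a finding’s severity by the criticality of the functions it can reach reorders a patch queue (a critical-severity finding on an unimportant wiki drops below a medium one on the order database), where the single points of failure are, and how to measure month-over-month drift of a function’s supporting-asset set.

```python
"""Business-function-aware asset inventory (constructed example).

Models assets, their dependency graph and the business functions they serve,
then derives: which assets transitively support each function, how to rank
vulnerability findings by business impact rather than raw severity, which
supporting assets have no redundancy, and how much a function's supporting-asset
set has drifted between two inventory snapshots.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str        # "internal", "third-party" or "shadow-it"
    redundant: bool   # has a failover peer


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    criticality: int  # 1 (nice to have) .. 5 (existential)
    entry_points: tuple  # asset names the function uses directly


# Constructed sample inventory; names are placeholders, not from the original post.
ASSETS = {a.name: a for a in [
    Asset("shipping-portal", "internal", redundant=True),
    Asset("order-db", "internal", redundant=True),
    Asset("db-storage", "internal", redundant=False),
    Asset("carrier-api", "third-party", redundant=False),
    Asset("wiki", "internal", redundant=False),
    Asset("wiki-db", "internal", redundant=False),
    Asset("dev-laptop-share", "shadow-it", redundant=False),
]}

# Discovered dependency graph: asset -> assets it depends on.
DEPENDENCIES = {
    "shipping-portal": {"order-db", "carrier-api"},
    "order-db": {"db-storage"},
    "wiki": {"wiki-db"},
}

FUNCTIONS = [
    BusinessFunction("logistics-and-shipping", criticality=5, entry_points=("shipping-portal",)),
    BusinessFunction("internal-wiki", criticality=1, entry_points=("wiki",)),
]

# Constructed scan findings: (asset, CVSS base score).
FINDINGS = [("wiki-db", 9.8), ("order-db", 7.5), ("dev-laptop-share", 9.0), ("carrier-api", 6.0)]


def supporting_assets(function, deps=DEPENDENCIES):
    """Transitive closure of the function's entry points over the dependency graph."""
    seen, queue = set(), deque(function.entry_points)
    while queue:
        asset = queue.popleft()
        if asset in seen:
            continue
        seen.add(asset)
        queue.extend(deps.get(asset, ()))
    return seen


def business_criticality(asset, functions=FUNCTIONS, deps=DEPENDENCIES):
    """Highest criticality among the functions this asset supports; 0 if it supports none."""
    return max((f.criticality for f in functions if asset in supporting_assets(f, deps)), default=0)


def rank_findings(findings=FINDINGS, functions=FUNCTIONS, deps=DEPENDENCIES):
    """Order findings by severity weighted with business criticality, highest first."""
    scored = [(asset, round(cvss * business_criticality(asset, functions, deps), 1))
              for asset, cvss in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def single_points_of_failure(function, assets=ASSETS, deps=DEPENDENCIES):
    """Supporting assets with no redundancy: where a resilience review should start."""
    return {name for name in supporting_assets(function, deps) if not assets[name].redundant}


def drift(previous, current):
    """Jaccard distance between two snapshots of a function's supporting-asset set (0.0 .. 1.0)."""
    union = previous | current
    return 1 - len(previous & current) / len(union) if union else 0.0


if __name__ == "__main__":
    logistics = FUNCTIONS[0]
    print("logistics depends on:", sorted(supporting_assets(logistics)))
    print("ranked findings:", rank_findings())
    print("single points of failure:", sorted(single_points_of_failure(logistics)))
    # Constructed previous snapshot: storage was swapped out since last month.
    last_month = {"shipping-portal", "order-db", "carrier-api", "legacy-storage"}
    print("drift since last month: %.0f%%" % (100 * drift(last_month, supporting_assets(logistics))))
```

In this constructed data the 9.8-severity finding on `wiki-db` ranks third, behind a 7.5 on `order-db` and a 6.0 on the third-party `carrier-api`, because only the latter two sit under the existential logistics function; the shadow-IT share scores zero until someone maps it to a function it actually supports. Re-running `drift` against each month’s snapshot is the check that tells you when the runbook has gone stale.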

Proactive IT keeps the business running smoothly

Understanding what areas of your infrastructure support critical business functions and processes allows you to prioritize scarce resources. This helps you improve IT projects ranging from disaster recovery and digital transformation to mergers and acquisitions due diligence and quantum computing. 

Viewing disaster recovery through a business lens means prioritizing business functions. It’s the difference between focusing on recovering payroll systems first versus just generally bringing computers back online. This approach ensures that essential operations are restored promptly so that the core functions of the business can keep operating.

During a crisis, prioritizing communications infrastructure is crucial. Ensuring this is back online first allows effective crisis management, because in order to manage a crisis your team needs to be able to communicate with each other about the crisis and coordinate remediation actions.

Understanding the current state of your infrastructure is also vital for successful digital transformation. Many times digital transformation projects fail because organizations do not fully understand how their infrastructure is structured in the first place, much less how it supports the function that is being transformed. Having this knowledge from the beginning gives you the ability to look at your most important functions and more accurately plan how to improve them, improving your chances of success.

This also helps with the due diligence process for mergers and acquisitions. Integrating an outside entity into your internal systems presents significant risks, not just from the challenges that come with integrating new technologies and systems, but also from shadow IT. The problem with shadow IT is not just in detecting it, but knowing whether it’s an issue or not. Knowing this is also crucial for a smooth integration process.

Recently there have been US government publications on how to approach quantum readiness. It sounds like science fiction, but the time is upon us to start to assess this quantum leap that technology is about to take. The more intellectual property or sensitive data your business relies on, the more this matters to you. You don’t want to find out in the future that your intellectual property was stolen because you weren’t ready. Knowing your business’s critical functions, communication methods, and encryption standards provides you with a roadmap for quantum readiness. Addressing this problem early is more cost-effective, so businesses with sensitive data or intellectual property should be planning how to address it now.

Real compliance for real results

Regulatory compliance is a significant expense for large organizations. A steady stream of new regulations adds to an already large burden, forcing you to constantly improve. Automation is key to achieving persistent compliance, providing real-time updates on asset inventories and their business impacts. 

Looking at compliance from the viewpoint of transitioning to a business-centric approach, you need an asset inventory. That asset inventory should automate not only collecting the asset information for the inventory but also be able to identify what parts of the business those assets support. It should cover not just the stuff in your data center or in your cloud, but also the stuff on the internet that you interact with, your third parties, and your external suppliers. 

This approach not only meets regulatory requirements but also delivers substantial business value. Deploying systems that provide data about your environment enables your team or consultants to provide more value. This shifts the compliance conversation from a checklist process to one that supports business growth.

Executives understand and trust results

There is immense pressure on executive teams and boards of directors to have increased cybersecurity expertise and accountability. Understanding critical business functions and who is accountable for them is essential for reducing risk. Filling the right seats with the right expertise to reduce risk properly is difficult for any senior leadership team to do effectively if they don’t know what they're trying to protect. 

One-size-fits-all security guidance is ineffective. Each organization’s IT landscape and cybersecurity attack surface is unique, and the way it operates is often poorly understood. These organizations were not created by people who sat at a whiteboard and decided how IT would be implemented from the ground up; they evolved organically as IT capabilities were added on as needed. Providing executives with a clear understanding of their environment ensures better resource allocation, risk insurance coverage, and accountability.

Focusing on priorities

By switching to an approach that leverages AI and automation to provide high-quality data about how your infrastructure and business work together and interconnect, you can improve the collaboration between IT, cybersecurity, and business leadership. This not only ensures more efficient and effective IT and cybersecurity operations but also aligns IT and cybersecurity efforts with overall business goals, driving better outcomes and reducing risks in today's dynamic landscape.

Redjack helps you focus on what matters most

Lack of visibility into sprawling infrastructures combined with the lack of knowledge of how it aligns with core business operations poses a significant hurdle as organizations evolve and expand. 

The Redjack cyber resilience platform revolutionizes asset inventory through a business function lens, enabling a deeper understanding of how your infrastructure is interconnected. By deploying sensors across your environment and compiling asset lists correlated with critical business functions, Redjack ensures alignment with organizational priorities. 

With ongoing monitoring and evidence-based insights, Redjack empowers organizations to identify points of failure, make strategic decisions grounded in solid evidence, and confidently create disaster recovery plans and test them. Ultimately, Redjack transforms organizations from a state of uncertainty to one of resilience, equipping them to restore critical business functions seamlessly in the face of adversity.

Contact us to discover how Redjack has helped large organizations achieve genuine cyber resilience.


Join us for our next webinar: Building an Accurate IT Asset Inventory
