Aligning Enterprise Cyber Risk and Business Strategy

Doug Hudson, Senior Director, Cyber Risk Advisory, Coalfire

Most business leaders have a contextual awareness of cyber risk and the threats facing their organizations. However, this contextual awareness rarely contributes to a clear, consolidated directive that can be applied across the organizations. Further, many organizations struggle to align their cyber risk management initiatives and their organization’s business strategies. This creates operational friction between those responsible for managing enterprise cyber risk and the business leaders’ goal of expanding their market presence, maintaining revenue streams, and developing new products and services. What is needed is an approach that aligns enterprise cyber risk and business strategy in a way that communicates how cyber risk can enable the business to expand its markets, protect revenue streams, and securely develop and deploy new products and services.

To these ends, organizations should look to build strategic security partnerships between business leaders and those responsible for managing enterprise cyber risk. Ideally, this is a directive from the executive leadership team, executive steering committee, or the board of directors. This directive would then empower the CISO, CIO, CRO, or others within the organization responsible for cyber risk to build cooperation across the business. At Coalfire, we’ve seen the following approach successfully deployed in a number of organizations:

  1. Develop a Cyber Governance Committee/Team
    1. Members of the committee are derived from business leaders, key stakeholders, and business representatives (i.e., CEO, CLO, CMO, HR, etc.).
    2. Develop a charter including key cyber risk management strategies, KPIs, and the ability to enforce these strategies and initiatives.
    3. Establish business-level reporting on upcoming business activities, market initiatives, and product/service development plans.
  2. Enhance the role of the CISO
    1. Work with business leaders to translate the technical and tactical components of cyber risk in common business terms and align these to business strategies and initiatives.
    2. CIO/CEO empowers the CISO to develop the principles and initiatives for managing enterprise cyber risk across the organization, including mitigation strategies and guidelines.
    3. Develop executive and board of director reporting format and content designed to align business initiatives and cyber risk management strategies and necessities.
    4. Include executive oversight in cyber risk strategy and budget planning to ensure cyber risk investments are aligned to and enable the business to pursue market initiatives.

Overall, it is becoming a best practice initiative to align enterprise cyber risk and business strategy, especially considering the impact cloud and cloud orchestration are having on business operations and supportive technologies. When factoring in continuous integration and continuous development (CI/CD), speed to market, new regulatory requirements, containerization, and new application development practices, it’s imperative that organizations identify opportunities to partner on managing cyber risk.

Doug Hudson


Doug Hudson — Senior Director, Cyber Risk Advisory, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS