4.17.23 > Milinda Rambel Stone

Imagine. Imagine an organization that has visibility into its cybersecurity risks and actively makes sustainable, risk-based business decisions that are measurable and quantifiable. This idea is one that must be created. As an information security community, we need to drive this change for continued business and operational relevance.

Design. We must first start by incorporating security risk in all business and technology decisions. Using an industry-respected security control framework such as NIST SP 800-160 and engineering risk decisioning across your security control environment is a logical starting point. By proactively architecting and designing a risk-based approach into organizational security controls, the conversation can now become one of business risk versus technical complexity.

Security by design further supports this concept. As an architectural design approach and industry best practice, it provides testable security patterns. The approach uses common building blocks that allow security components to become repeatable, reusable and controlled. Additional security by design techniques provide well-architected security strategies, tactics and patterns that become reusable methods for achieving specific quality concerns.

Intersect. Combining security by design practices with an organizational cybersecurity risk management program raises visibility of cybersecurity risk to the enterprise level. Fundamentally, this approach also allows for proactive planning and management of security risks versus having to react and adapt to security issues. Enterprise safeguards can be elevated and focus on ensuring security risk governance is monitored and managed. Your risk management program now has a holistic, 360-degree view of cybersecurity risks, which can be prioritized alongside other organizational risks.

Elevate. Why should the CISO community accommodate security by design and incorporate it into organizational risk management? As our industry matures, we must also change and adapt to the language of business and risk management in our cybersecurity programs. As organizations continue building and buying software and technology, understanding the risk environment using security by design techniques establishes appropriate risk management discipline and further strengthens business-line partnerships.

The need for business changes through software enhancements is increasing steadily and will only continue to grow. This rapid growth increases the possibility of introducing new vulnerabilities or security flaws into the environment if the cyber risks are not properly addressed in a proactive manner. As we transform for business growth, incorporating security throughout the entire business process versus reacting after a software weakness or vulnerability appears is essential.

Business value. While security by design principles are software based, as an industry we can apply these architectural patterns and best practices more broadly by intersecting them with a risk-based methodology. Building security into the enterprise environment and managing it as a business capability through an organizational strategic plan leads to a stronger security environment.

This proactive, coordinated approach helps organizations focus on the true business risks. It also provides the ability to proactively manage versus having to react to a security risk that has become realized because of a system, process or human failure.

Enterprise visibility. Achieving better visibility into cybersecurity risk requires broadening the cyber risk landscape through defined business processes that provide better oversight. Removing manual or human steps in a procedure wherever possible through process and control automation is essential. Identifying key controls across enterprise business processes and regularly measuring these controls raises visibility and demonstrates operational maturity.

Efficiency. Automate, automate, automate. Gartner recently reported that, “Through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs to minimize operational friction and maximize control adoption.” Automating key business and technical processes helps reduce the recurrence of risks, protects operational data, and provides the ability to monitor proactively versus reactively. Once processes are automated, continual oversight and monitoring become second nature.

Transform. When it comes to core information security responsibility, we as a CISO community need to lead the shift from security control ownership to risk management decisioning. Building cybersecurity into our risk operating model and proactively managing cybersecurity risk as business leaders is our new world. While we must continue to address cybersecurity risk through technology and automation, we must also build stronger awareness in our people and speak the language of the business. Understanding the organizational risks and incorporating information security into the enterprise risk-based model will allow organizations to better manage risk across the enterprise.


Milinda is responsible for the enhancement and operational oversight of an enterprise security program for Bremer. She is an executive security leader with extensive experience building and leading security programs and teams. Milinda has more than 20 years of experience in creating and managing large-scale information security programs in technology, healthcare, and financial services. She is passionate about leading and mentoring others on the importance of information security.

You can connect with Milinda here at the Summit https://www.cybersecuritysummit.org/speakers/milinda-rambel-stone/

And on LinkedIn at https://www.linkedin.com/in/milindastone/