“What will be the key security initiatives for 2015 to combat escalating cyber attacks?” was a question asked at a conference I recently attended. The panelists offered many answers ranging from better detection capabilities to completely altering security architecture. However, the answers mainly focused on some form of technical solution without pondering the bigger challenge of how can we use security, both technology and policy, to better participate in enhancing and driving the business.

Thus, I would like to suggest that the key security initiative of 2015 should be prioritization. But what does that really mean, and how does that really enable wider business participation of the security practice?

A prime example is Sony. Its recent security breach gave us the visibility to fundamentally challenge some basic principles about how we protect and prioritize assets, because it resulted in key business assets being dropped into the clear. If you were to give Sony executives the choice of only one database to pull back unexposed, I am certain it wouldn’t be the one with Sylvester Stallone’s social security number. Getting to better prioritization, however, needs to start with two steps: communication and context.

Communication – Let’s face reality

Before we run out and hire consultants to start valuing assets to decide on a change management plan for prioritization, we must first acknowledge that we need to modify the nature of our communication and relationship with the C-suite.

We need to change the conversation so that security is not a competing priority with the myriad of other challenges facing our business leaders—that is until a significant event appears on the front page of The Wall Street Journal. Because we often have so little face time with the C-suite, there is the tendency to firehose our CEO and board with 40-slide decks full of technical details, priorities, and budget requests.

Instead, ask for monthly 15 – 20 minute meetings with the CTO/CIO and the CEO/COO to learn about the three highest areas of focus for the business. Use these priorities as the foundation of your communications with the board and C-suite.

Lead with the key metrics that the business is trying to achieve, and show how supporting the right security implementation is an integral component to success.

Also, make the board a part of the solution. The most recent Ponemon Institute study found that an “involved board of directors knocks down the per capita cost of a breach by $5.50,” although that’s still less than 10%. Get to know the chair of the auditing committee, as you both will have the most visibility in the event of a breach.

Remember, you need to build a relationship, and you must find ways to nurture and support this relationship by building a mutual vocabulary and mutual interest in the problem being solved. Be persistent in developing this communication chain.

Context – Asking the wrong questions yields the wrong answers

A common refrain in today’s security landscape is “you’re hacked, get over it.” So “now what” becomes the more important question. We must be able to understand the intersection between key assets and potential targets in order to prioritize risk and resources. The best path to engage this cycle is to catch the bad guy faster, understand the attacker profile and use that knowledge to develop a map of your threat landscape.

Utilizing products such as threat intelligence and pen testing are some tools that can be used to add a contextual layer for understanding the vectors being used by the attacker. However, leveraging business owners beyond the C-suite as a partner will give you a better view and detail of which strategic directives require an increased amount of diligence.

Include key business owners in developing your tabletop exercises, and focus some of these exercises around their strategic initiatives to understand the context of the “why and what” you are protecting. Use the knowledge that strategic objectives will change, and make this is an opportunity to have quarterly updates with your stakeholders to reorient your effort. Paying particular attention to the business conversation will also enable security teams to orient strategy around corporate priorities versus check-box compliance.

Creating the business context around knowing which assets have been breached, rapid detection, forensic understanding of the what/when/why/how allows a re- tuning of the perimeter to match the adversary’s path. This is an effective step in understanding the threats and vectors used to infiltrate the network. In other words, use both business and technology to decide which fights to fight.

Remember that words matter, but terms such as prioritization, risk management, integration strategy, and the like have become overused to the point of meaninglessness. It is up to us to put meaning back into them. The challenge has been that our industry has used these terms as the broad brush to whitewash the fact that we know we need to be more effective at doing these things without the tools to drive to meaningful implementation.

Bring Sony back into the conversation as a means of focusing attention, not creating FUD. Use this and other high-profile breaches as a tool to remind ourselves – and our leaders – that we need to think more strategically about the adversary. The bad guy will get in, but our willingness to acknowledge this fact in order to develop a proactive approach is relatively new. Use this new level of acceptance to expand the participants in the conversation, to look at the problem in different ways, and to add context to the challenges we face.