Stop building security goals around controls

In this Help Net Security interview, Devin Rudnicki, CISO at Fitch Group, argues that security strategy fails when it loses its connection to business outcomes.

Rudnicki walks through how to align security goals with corporate priorities, why CISOs must present risk in terms leadership can act on, and how to balance innovation speed with measured risk. She outlines three metrics every security program should track: value, risk, and maturity. Rudnicki also addresses where maturity models help and where they mislead, and explains how to decide what to automate.

What is the biggest mistake security leaders make when they define strategic goals, before they even start choosing tools or metrics?

I find the biggest mistake leaders make is not having a “why” tied to business outcomes and secure enablement of the business. Security goals are often framed as controls, e.g., “implement X, roll out Y”, instead of outcomes. If I can’t sufficiently explain how a security goal protects revenue, customer trust, or uptime, it’s probably not strategic.

In practice, that means anchoring security strategy to three inputs: corporate objectives, the real cyber threats the organization faces, and relevant industry standards. At Fitch, our information security strategy is explicitly designed around those three dimensions so we can explain how security decisions enable the business strategy, not just satisfy controls.

Strategy should be at the heart of everything an information security team does for an organization. I have focused on transforming Fitch’s information security strategy to be outcome-based while aligning with corporate objectives, addressing key cyber risks, and adhering to best-in-class industry standards. This helps keep us accountable for executing our strategy and enables us to demonstrate measurable progress.

How should a CISO handle situations where business leadership wants “innovation speed” but security knows the current environment cannot support it safely?

First, it’s important to ensure that the business understands the risks and potential impacts of rapid implementation. A new tool that could help generate $1 million in revenue could end up costing the business $5 million if it introduces material cyber risk and leads to a significant cybersecurity incident.

The goal is to present decision-makers with mitigation options that can lower risk while still enabling innovation, securely. One way to do this is by implementing the innovation in a secure “sandbox” to validate the potential business benefits and understand the risk profile.

Keep in mind that CISOs need to ensure the mitigations they are suggesting are proportionate – implementing a $5 million safeguard control rarely makes sense to protect $1 million in assets. CISOs should also factor the current threat landscape into their decisions. Geopolitical events or other evolving threats can materially increase an organization’s cyber risk at a specific point in time.

If you could force every security program to report only three strategic metrics to leadership, what would they be and why?

Value: Create return on investment (ROI) and/or objective key results (OKR) metrics for major cybersecurity investments to demonstrate the initiative’s value. For example, my team implemented an AI client security questionnaire tool that reduced internal response time by approximately 75%. That efficiency gain mattered because it freed teams from manual, repetitive work – shortening client response cycles and allowing teams to focus on higher‑value risk analysis and customer engagement.

Risk: Track enterprise cyber risk over time across systems, applications, networks, and third parties, enabling executives to understand whether exposure is rising or falling and to make informed strategic decisions. This tracking should reflect true business impact, using business‑aligned risk classification to surface what matters most rather than overwhelming leaders with raw volume.

Capability/maturity: Measure cybersecurity maturity scores against target maturity scores. Having an independent third party perform a cyber maturity assessment against an industry standard framework can be very helpful. This can demonstrate how your organization’s cyber maturity is progressing over time and pinpoint where cybersecurity investment is improving security posture and reducing risk.

Do maturity models help security strategy, or do they push teams toward checkbox thinking?

Maturity models are a good way to measure security strategy success, but they should not be used as the only measure. They are helpful in showing directional progress of security maturity over time and creating a shared language between security and leadership. Given the vast amount of information and systems to protect, they also help identify where to invest limited resources.

However, leadership must understand that maturity does not equal 100% security – even the most mature security programs can and will have cybersecurity incidents. A higher maturity means that you’re able to detect, respond, and recover from cyber incidents more quickly. That distinction is critical at the executive level. Maturity assessments are most effective when they support investment decisions and resilience planning – not when they are treated as guarantees or finish lines.

While some teams may view maturity assessment results as a “to do” list, they don’t need to use them that way. It’s better to view results as a guide for determining the highest value initiatives to advance cyber and business strategies.

How do you recommend teams decide what should be automated versus what should remain human-driven as part of strategic planning?

From a leadership perspective, automation should be judged not only on risk reduction, but on whether it creates capacity for people to exercise judgment, develop expertise, and engage more deeply with the business.

Human-in-the-loop decision making remains key for high-risk decisions and accountability, especially for anything involving people. The most effective automation focuses on repetitive, routine tasks, freeing teams to spend more time on strategic, higher‑value work.

As organizations’ adoption of emerging technology grows, employee concerns regarding role displacement will inevitably increase. Leaders must be intentional and transparent in how they communicate change, explaining what these new technologies mean for how their businesses operate and how people continue to deliver value.