4 tips for aligning security with business objectives


Steve Zalewski said one question informs every decision he makes as deputy CISO at Levi Strauss & Co.: “How can cybersecurity help me sell more jeans?” His extensive technical background notwithstanding, Zalewski is adamant about contextualizing Levi Strauss’ security program within the brand’s big-picture business goals. For example, if a vendor can’t explicitly articulate how its technology would help insure the company’s revenue stream, Zalewski isn’t interested.

“I tell them, ‘I have a responsibility to sell more jeans. How does your product help me do that?’” he said. “They usually don’t understand how to pivot to a business risk conversation or appreciate that cybersecurity is more about insurance policies than operational efficiency or technical capability.”

To justify investment in a new security control, ROI has to speak for itself, according to Zalewski. In other words, the technology or process should offer a reduction in risk that clearly exceeds the cost of adoption. Otherwise, “leave it alone,” he said.

Research suggests few CISOs take such a keen interest in aligning security with business objectives and bottom lines. Many experts say, with security now…
