CISOs can’t be blamed for feeling under siege: Every day there are news reports of another data breach around the world — and that’s the public tip of the iceberg. Behind closed doors they get reports from staff about suspicious network behavior that may or may not be an attack.

Small wonder they feel helpless. But a trio of security experts at the McKinsey consultancy says infosec leaders are going about security the wrong way.

Tucker Bailey, James M. Kaplan and Chris Rezek recently released a new book, Beyond Cybersecurity: Protecting Your Digital Business, which argues that CISOs worry too much about protecting the organization and complying with regulations rather than integrating security into business operations.

“As a result, they get the wrong answer about how to construct a cybersecurity program,” the authors say in a condensed blog of their book.

Their answer is what they call digital resiliency: design applications, business processes, technology architectures and cybersecurity defenses so that protecting critical information assets is built in from the start. That way, they say, CISOs will get a bigger bang for their buck.

Briefly, they say it will take six steps to get there:

– Start by identifying all risks to data. “Effective cybercapability assessments not only address existing protocols, personnel, and tools but also governance, controls, the security architecture, and delivery systems,” they say;

– Target three types of mechanisms to step up the security of your information assets: business-process controls, broader IT controls and cybersecurity controls (such as encryption);

– Work out how best to deliver the new cybersecurity system;

– Establish your risk–resource trade-offs, then present a plan with options to management for risk reduction and resource commitments;

– Once the organization has defined its risk profile, develop an integrated security plan that aligns business and technology;

– Ensure sustained engagement in the program from the top.

“Senior, cross-functional oversight is essential to avoid a mere patchwork of compromises that will undermine digital resilience,” write the authors. “Given the stakes, nothing else will do.”