It is becoming increasingly apparent that modern security programs, led by forward-thinking security teams, empower organizations to move with agility, pursue growth and serve customers better. Cyber security strategies and tools represent the ever-present check that enables developers and business leaders to operate at pace with the knowledge that their security partners have their backs — sometimes in person, but increasingly through automated means.

As the threat landscape evolves, the cyber team’s approach is changing

Perhaps the biggest change we've seen, in terms of the security team’s relationship with the rest of the organization — certainly in the age of COVID, but even going back several years before the onset of the pandemic — is an increased need for speed-to-market, albeit with an acknowledgment of the risks involved.

With the pandemic ongoing, organizations are reaching a point where they are expected to manage an increased digital footprint and change cycle, while continuing to enhance security capabilities. This in turn has fueled the transition to a secure-by-design approach, the need to operationalize development, security, and operations (DevSecOps), and the critical ‘shift left’ of security along the software development life cycle (SDLC).

Thinking about the makeup of an effective cyber program, there's a leadership element and a team element. In terms of leadership, the most effective CISOs are not spending a lot of time talking about technology. Rather, they spend more time thinking and talking about the forward direction of the business, striving to ensure that executives in the C-suite and the board room are aware of and aligned with the security plan and vice versa.

Talking about firewalls, patch management, and data loss prevention — although all critical considerations — makes non-security heads spin. More and more, CISOs and their teams are understanding and speaking the language of the business. They should communicate how the organization’s cyber security program supports and contributes to the growth of the bottom line. 

As for the broader team, today we are seeing essentially negative unemployment in cyber. Not only is there a dearth of experienced professionals to fill all the necessary roles, but people also tend to move around in this industry because they are looking for different experiences to strengthen existing skills and acquire new competencies.

More broadly, there’s an exploding gig economy where it seems as though everyone’s a subcontractor. Over the coming years, cyber teams may have access to a pool of trusted resources as workloads and capacity dictate. That would enable CISOs to staff teams to operate with a smaller, more strategic core and surge up and down as needed. The nuance in that model is trust. There should be a clearinghouse of cyber specialists who have been vetted by other trustworthy professionals, either inside or outside the organization, who can be trusted to take on sensitive cyber security projects.

This mindset shift is what is transforming the posture of CISOs and their teams from organizational enforcers to influencers.

As Mike Tyson famously said, ‘Everybody has a plan until they get punched in the mouth.’ A cyber event can feel like that.¹ Cyber teams need to be ready to get up off the mat and respond in ways that are informed, strategic and measured.

Benny Bogaerts
Partner, Technology Advisory
KPMG in Belgium

What’s your move?

The evolution of the security team is as much about messaging as it is about program design. CISOs need to change the narrative so developers and the business lines buy into the fact that cyber exists to support rather than hinder. That's a simple, yet important message that often gets overlooked or not told well.

From passwords and PINs to two-factor authentication and security awareness training, employees are going to have complaints and cyber teams should take the time to listen, be empathetic and inspirational. Clearly communicate the importance of operating safely and securely in every aspect of work and connect adherence — and non-adherence — to the organization’s financial results and future vision.

Work to change the perception of these requirements from punishment to responsibility. Look for ways to make cyber awareness more engaging, interactive, fun, even game-like, perhaps through augmented reality (AR) or virtual reality (VR). Make it clear that cyber is not here to be a speed bump but to keep everybody safe, and that cyber teams can do both at once.

CISOs should critically analyze where they and the cyber team spend their time, challenging the balance between strategy, plan, build and run (including react). In cyber, it’s easy to get distracted by technology; however, when teams focus on their plan and their principles, technology decisions tend to become a little more obvious.

The opportunity is in the combination of automation, data analytics and AI, specifically ML, in a continuous controls monitoring model. That structure informs the data science aspects of decision-support systems and aligns real-time cyber outcomes with the organization’s risk profile and response activities. The goal is to capture and analyze data in real time with a standardized and dynamic security posture that is able to detect and respond to a change in the live threat landscape.

CISOs and their teams should be prepared for ongoing disruption. From a technology perspective, cyber security is the guardian of a broader digital ecosystem of interconnected vendors, suppliers, and partners. Managing that ecosystem and striving to ensure that it’s secure is one of the greatest challenges that cyber security teams face.

Organizations have entered an automation arms race of sorts in the cyber estate. To get ahead of it, cyber teams should build in realistic scenario-based thinking, testing and planning for threats that might come out of a variety of industries and geographies.

Karel Dekyvere
Director, Technology Advisory
KPMG in Belgium

Cyber professionals in general should continue to evolve their skills in a more system-based, strategic business direction. They need to adopt a multi-modal philosophy focused on standardization, automation and data analytics. As an industry, cyber teams should not only seek to attract more talent in an absolute sense but be open to a broader range and diversity of talent, breaking down barriers to inclusion. 

Some key actions to consider for 2022

  1. Change the narrative. Stop talking about technology and start talking about business
  2. Don't limit yourself to the traditional definition of cyber security; continue to build relationships with other areas of the organization and build a network of internal business partners
  3. Embed scenario thinking, testing and responsiveness into the regular activities of the cyber function of an organization
  4. Make compliance an important outcome of your security program, rather than the reason for its existence
  5. Be an evangelist; be passionate about what you do and motivate people around the importance of security
  6. Adopt a stance that cyber is a major part of what the company does; it's in the company’s DNA. Help the organization change its thinking about the role of security


¹ Mike Berardino, “Mike Tyson explains one of his most famous quotes,” South Florida Sun-Sentinel, November 9, 2012.