The last 2 years have redefined how we live, govern and conduct business. Securing and protecting critical assets, systems and, most importantly, sensitive proprietary and customer data is no longer exclusively an issue for security and IT professionals. Rather, handling and mitigating risk to help the strategic viability and operational sustainability of the entire organization is a shared responsibility that starts with the business.
Elevating boardroom visibility
Digital technology now powers and empowers enterprises much like electricity did during the industrial revolution. It also has the ability, if insufficiently secured or resilient, to interrupt communications and disrupt supply chains. A single data breach or malware attack has the insidious capacity to incapacitate real-time transactions and network interactions, and ultimately disrupt business and impact revenue growth for days, if not weeks and months.
Senior leaders have begun to understand that managing cyber risk for competitive advantage and long-term success starts in the boardroom and the C-suite. Offloading the strategic decision-making and management of risk, especially the risk inherent in digitization, is no longer just good enough. Modern security solutions can only accomplish so much in terms of risk reduction if business objectives don’t include an embedded robust security framework.
Translation is a big CISO challenge: explaining risk dynamics to the board and operating committees in terms of collaboration and cooperation. They should articulate that they’re not trying to stop the business, and instead supporting to enhance the trust of their consumers, investors and partners. Security should be a shared responsibility model, owned by everyone.
Today’s global business environment is continually impacted by geopolitical, environmental, societal and technological uncertainty. The resulting cyber risk landscape is fueled by an ever-growing volume of sensitive data moving across interconnected and integrated networks. CISOs — who are increasingly expected to speak the language of the board and the business in addition to the language of security — should collaborate to build resilience through pragmatic security investments in support of organizational growth objectives. Toward that end, cyber teams are pursuing a number of strategies, including targeting automation and enhancing their security technology portfolios, developing depth in critical skillsets to hedge against a growing talent shortage, and creating delivery models that embed security and de-risk partner ecosystems.
What’s your move?
To better align security with the organization’s strategic business objectives, CISOs and their teams should help leadership across the business gain an appreciation for what goes into security and privacy by design. Change the conversation from cost and speed to a more effective security architecture aimed at delivering enhanced business value and user experience. The costs of disruption of consumer-facing systems or compromised data outweigh what cyber teams typically quantify operationally and are magnified by degraded consumer and investor confidence, which can have lasting impact.
Digitally native or digitally mature businesses are determinedly focused on moving quickly from a development perspective and don't consistently place emphasis on the fundamentals of risk and security. Businesses need to strike a balance. Clearly, speed-to-market is essential for competitive advantage today, but it’s equally important to embed security into business processes in a way that enables the organization to maintain pace, rather than create a bottleneck at the CISO’s office. The cost — in the form of lost customers, lost investors, and tarnished reputation — of not adequately focusing on security can be substantially higher than taking the time to do it right.
Talent retention and acquisition is another gap area where organizations need to assess whether automation and partner leverage can supplement and complement a skilled and increasingly diverse security workforce. There are too many companies competing for a limited talent pool. While the cyber community can work with universities to enhance the talent pipeline and build more attractive roles to attract and retain talent, the industry should also look to embed technology across business processes and planning in an effort to help reduce the resource-capacity impact of commoditized or repetitive tasks. This will likely require intelligent automation, where possible, and creativity in delivery models and talent acquisition where it is not.
The modern CISO should think in multiple dimensions: technologist, evangelist, investigator, psychologist, investor and negotiator. They need to align security with business strategy, approach incidents as opportunities and re-frame the way their team works.
Artificial intelligence (AI), machine learning (ML) in particular, in concert with smart, orchestrated security tools, should be considered not only to isolate exposures and vulnerabilities, but also to automate the fixes and remediation. In an ideal scenario, organizations should take it out of the hands of development professionals by automating appropriate work as development is in progress.
In addition to helping maintain speed over the software development life cycle, AI can help companies avoid delivering bad code to customers who might then distribute it through their networks. In practice, this may require transferring some controls and risk to outside partners. That's still a difficult concept for both CISOs and their business-line counterparts to grasp, but it’s expected to be the overarching trend over the next several years as development volume and risk continue to grow.
Some key actions to consider for 2022
- Transition from traditional security thinking around confidentiality and availability of data and begin thinking about striving to ensure integrity and resilience
- Engage key organizational stakeholders to commit to a security strategy that can protect organizational and customer data, manage risk, and is sensitive to short- and long-term business priorities
- Reformulate thinking in the executive suite as it relates to security by focusing on practical enterprise risk rather than expense and speed
- Think less about operational key performance indicators (KPIs) and key risk indicators (KRIs) and focus on themes and trends in the underlying data: types of incidents, internal and external program-gaps, and data-related activities that are in progress, planned or awaiting approval
- Build relationships with key business areas by increasing awareness of how quickly they can achieve objectives by embedding security versus what they may lose in the event of a breach
Explore more cyber considerations from this report