Our future is dependent on data and digital infrastructure. We now have a complex tapestry of public-private partnerships, connected ecosystems, and information infrastructures. And as the degree of interconnectedness and dependency increases, so does the interest from those looking to attack and exploit those infrastructures.
Breakthrough technologies also pose new security, privacy and ethical challenges and raise fundamental questions about trust in digital systems. This is the environment in which global commerce needs to thrive, and we need to address concerns now as we innovate, not retrospectively when it's too late.
The annual Cybersecurity considerations report identifies eight considerations that CISOs should prioritize in the year ahead as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers and partners and aim to ensure their security plans enable — rather than expose — the business. The report also explores the key actions CISOs should take to meet the challenges ahead and to help ensure security is the organization's golden thread, woven into the business across the board — providing the basis for trust.
1. Digital trust: A shared responsibility
Digital trust is finding its way onto Board agendas as privacy, security and ethics debates gain momentum — partly driven by regulation and partly by public opinion. The future success of any digitally enabled business is built on digital trust — cybersecurity and privacy are vital foundations for that trust. CISOs must be prepared to help the Board and C-suite create and maintain the trust of their stakeholders if they are to create a competitive advantage. Realizing this potential requires a collective commitment from all stakeholders.
2. Unobtrusive security drives secure behaviors
Embedding security within the business in a way that helps people work confidently, make productive choices, and play their part in protecting the organization must be a key, albeit often elusive, CISO objective. It’s too easy for people to see security as an impediment, and only by considering security from both human-centric and business-centric perspectives can CISOs hope to change this mindset.
3. Securing a perimeter-less and data-centric future
It’s no surprise that business operating models have fundamentally changed over the last decade — becoming more fluid, data-centric, connected ecosystems of internal and external partners and service providers. In this distributed computing world, to help reduce the blast radius of any potential outages or breaches, CISOs and security teams must adopt very different approaches, such as zero trust, Secure Access Service Edge (SASE) and cybersecurity mesh models.
4. New partnerships, new models
Gone are the days when security teams focused solely on the security of their organization’s IT systems. CISOs need to understand when to hit the brakes and when to press go on outsourcing cybersecurity efforts, and to determine which skills to keep in-house today and in the future. Security has become a business priority, delivered through a shared responsibility model between the organization and service providers.
5. Trust in automation
In the race to innovate and harness emerging technologies, concerns over security, privacy, data protection and ethics, while gaining more attention, are often ignored or forgotten. Left unchecked, this negligence could lead businesses to sabotage their potential, especially with new AI privacy regulations on the horizon.
6. Securing a smart world
Businesses across virtually every industry are shifting to a product mindset — focusing on developing network-enabled services and managing their supporting devices. CISOs and their teams are getting pulled into discussions with engineering, development and product support teams as organizations realize product security matters too.
7. Countering agile adversaries
The time from initial compromise to enterprise-wide ransomware activation is shrinking. Increasingly, rogue and state-sponsored attackers can penetrate systems with automated tooling and accelerate their exploitation. Security operations should be optimized and structured to fast-track the recovery of priority services when an incident occurs, which can reduce the impact on clients, customers and partners.
8. Be resilient when — and where — it matters
Every security system is flawed. There is an air of inevitability that, at some point, an organization will suffer an incident, large or small, and likely more than one. Regulators are increasingly focusing on plausible scenarios and pushing companies — particularly those in strategically important industries like energy, finance, and health care — to be resilient and position themselves to recover.