As cybersecurity becomes ever more critical to businesses, senior leadership is looking to CISOs for strategic guidance on innovation, digitization and business growth
The information security space is changing rapidly, in line with the breakneck evolution of new technologies and the corresponding threat level from bad actors.
As such, information security is no longer a function that just sits ‘behind the curtain’ and protects the network. It is expected to be at the forefront of digitization.
Similarly, the role of the CISO has evolved. Two decades ago, information security leaders had technical positions, more narrowly focused on managing firewalls and securing network perimeters.
Today, digital technologies are a fundamental part of almost every business. In this environment, CISOs are expected to have an intimate understanding of how the business works at every level and both understand and drive key business objectives forward.
“You should never do security for the sake of security,” says Storebrand CISO Bjørn Watne. “Whatever direction the business is taking or whatever strategy the business has, security is there to support that.”
“[Cybersecurity] has become that much more important for the board and the top management, because every company is an IT company now,” he adds. “Any cybersecurity incident is something that might cost [the business] multiple millions if it’s not handled swiftly and correctly.”
- Build Powerful Relationships with the Board
An organization-wide security culture starts at the top. For the CISO that means building relationships with senior executives and the board that advance information security and business objectives.
A key component of this, of course, is educating those executives about the current threat landscape and what plans are being put into place to mitigate those risks.
It seems that there is more work to be done by CISOs in this regard. Professional consultancy EY reports that 48% of CISOs believe the board does not yet have a full understanding of cybersecurity risk.
For BCBS Michigan CISO Wallace Dalrymple, educating the board on the threat landscape means speaking the language of business. As such, he recommends presenting risks in the context of operational objectives.
“Don’t make it a technical conversation, because these are business people trying to make business-level decisions,” he advises. “I need to communicate in business terms: risk, financial impact [and] brand impact.”
“The board wants to know what it is that could impact our business plans for the next two years,” he continues. “They’re really focused on understanding the biggest risks to the company, internally and externally.”
Of course, one major objective for the CISO is to ensure that they have the funding they need for the cybersecurity program. But it is important to look beyond the balance sheet when communicating the value of cybersecurity to company executives.
“The old school terminology when talking to the board was all about ‘fear, uncertainty and doubt’,” recalls Hastings Direct CISO Simon Legg.
“We [made] them as fearful and uncertain and as doubtful as possible,” he continues. “And that’s the way that we [got] money for my program.”
“Unfortunately, what that does is makes sure that your program [is] thought of as a cost,” he concludes. “The mentality is, it’s just a cost [and] that there’s no value attributed to it other than [making sure the] scary thing won’t happen.”
- Move the Data Security Conversation Beyond ‘Cost’
Moving beyond the perception of information security simply as a ‘cost’ and instead talking about value should be a key priority in every CISO’s communications with the board.
“Never start the discussion with cost or budget requirements, and always have a discretionary and non-discretionary cost in mind,” advises Sun International GM of IT Governance, Risk and Security Pragasen Pather.
“You must make security ‘real’ to the other executives and align to what they can relate to,” he continues. “Our priorities as CISOs should not be defined in isolation of the business’ strategic objectives.”
Custodiet Advisory Services CSO Steve Jump agrees that this alignment of security with wider business objectives is a crucial aspect of proving the true value of strong information security measures to senior leadership.
“Security priorities must always align with those of the business itself. Any information security strategy must be based on measured reduction of identified business risks,” he says.
“If you are unable to express how security systems and resources will both enable rapid progress and help protect and retain profits,” he adds, “then you are simply offering another type of IT deployment, but practically one with little direct visible return.”
“There is still a really important part for the CISO to play in terms of educating your executives and your board on the topic of cybersecurity, protection of data and resilience,” continues Legg.
“I think this is a genuine shift [for CISOs],” he adds. “We have started to become much more articulate about talking around the value of information security.”
“The CISO has evolved into something that really is much more engaged with the strategy of the business and finding ways that the company can succeed through security,” he concludes.
- Enable Innovation and Ensure ‘Security by Design’
In an increasingly software-centric world, the CISO also has an important role to play in enabling business innovation and growth.
For example, making sure that security is a central consideration at the planning stage of a new initiative or product will help to prevent potentially expensive security issues later. This approach is known as ‘security by design’.
Partnering with the business in this way will also elevate the perception of the CISO and their cybersecurity teams as value enablers to the business-at-large and combat perceptions that they are enforcers who throw down roadblocks.
“The CISO then plays that advisory role to the business to ensure that, as we are digitalizing, as we bring in new ways of doing things into our businesses, we’re not creating any additional risk,” explains Makgati. “You need to find a way to really say to the business, ‘I want to enable you. Let me know how I can help you’.”
She continues: “It’s, ‘Yes, you can do it, but you need to put these three or four things in place to ensure that we’re not creating risks for our business, or for our customers.’”
In a world where information and data security are top of mind for both businesses and consumers alike, establishing processes that ensure ‘security by design’ can be a key marketplace differentiator.
For AXA Group Chief Security Officer Arnaud Tanguy, this is a key area in which CISOs can add value to the company.
“We are part of a company that is working to transform our customers’ experience; we are here for them to demonstrate we are secure and resilient in a competitive world,” Tanguy concludes. “The convergence of our function enables us to think about security holistically — to apply ‘security by design’ in everything we do.”
This is an extract from the exclusive report The 2021 Information Security Agenda. The report highlights how COVID-19 has rapidly shifted priorities for Chief Information Security Officers (CISOs), requiring them to implement new strategies, technologies and educational programs in a time of heightened risk.