The past decade has seen a dramatic rise in cyber threats and attacks, catalyzed by a myriad of factors including rapid digital transformation, the demands of the pandemic and the exponential growth of data sharing as consumers demand more personalized and unique experiences from brands. While ‘cybersecurity hygiene’ has long been the buzzword, a robust cyber strategy is now considered integral to the health of a business, alongside financial and operational controls.
As you might anticipate, when a data breach occurs, most businesses focus on the immediate costs of addressing the issue, such as patching security gaps, and rebuilding the business. Unfortunately, the real cost of a data breach is far more extensive, damaging the very way customers perceive, trust and interact with the brand. In fact, in our recent report in collaboration with Interbrand found that if the world’s 100 most valuable brands were to face a data breach, they could collectively lose up to 223$b of their brand value.
While the industry is becoming more attuned to what’s at stake bringing cybersecurity to the boardroom as a critical agenda item, more needs to be done to create a culture of security and to empower the CISO as a valued leader within the business.
The evolution of the CISO
Up until just a few years ago CISOs had to fight to be heard to convince colleagues and decision-makers of the importance of security for the health of the business and that it should be applied diligently. Today, the challenge is to perform against the backdrop of an increasingly fierce threat landscape, and demonstrate ROI when a lack of activity often means the cybersecurity strategy is working effectively. The role of CISOs is substantially transitioning from trying to influence and create visibility in the boardroom to relentlessly executing and ensuring that information assets, technologies, systems, and networks are adequately protected across the business.
Today, the CISO role is undoubtedly multifaceted – they are simultaneously a strategist and an influencer. Not only does the job entail designing a comprehensive security strategy of policies, governance, and scalable risk management frameworks, that fit seamlessly into the overall strategy of an organization, they also need to influence behavior and decisions. Beyond operational strategy, the CISO needs to influence mindset and behavioral change, promoting a security-first culture across every department and job role.
The modern CISO – a business influencer
The evolution of the CISO role brings with it huge opportunity for businesses to build competitive edge, build trust with customers, and to upskill the workforce. Yet, to tap into this huge potential the CISO must be empowered to achieve a “culture of security” within the organization. This starts, by placing the CISO at the very heart of the organization. Not only will this move signal the strategic importance of cybersecurity within the organization, it will also ensure business ownership of the cybersecurity agenda asserting the roles and responsibilities of everyone within the wider organization. Building this culture and foundation makes security everyone’s responsibility.
We often see that while cybersecurity is increasingly on the boardroom agenda, many organizations still lack the adequate platforms to engage business leaders in discussion, decisions, and strategies. Creating an information security council that has representation from leadership from across the business is critical and ensures commitment and consistent outcomes across the various parts of the organization. For example, the council could be active in developing and approving effective risk management and mitigation process that can be trialed and run by the IT team.
However, while business buy-in is essential to an effective organizational shift in attitudes and behaviors as well as strategy implementation, it should not come at the cost of autonomy. Empowering the CISO with the independence to make critical security-related changes within the organization effectively and efficiently is paramount to delivering on a robust cybersecurity strategy. In return, the CISO must be transparent about what they’re seeing and doing, creating a full circle feedback loop. Not only does this help to foster trust with business leaders and justify budget, it also helps to demonstrate the risks to the wider business encouraging behavioral changes.
Proactive, not reactive security
Each year, CISOs will face new and complex security challenges due to the rapid innovations and revolutions in the technology space. CISOs are expected to keep pace and stay in the know about all the latest happenings. As hack and attack techniques get harder, the role gets harder too, and over the past year, remote work, cloud growth and COVID have completely changed the game creating new challenges for CISOs to deal with, all while ensuring to never prohibit business progression.
The key to security is to stay ahead of the curve – often easier said than done given the pace of innovation in the ‘threat-o-sphere.’ IT teams must assume attacks are happening, not reactively wait for things to go wrong. CISOs should ensure their teams regularly run simulations such as a data breach or backup and restore strategies to test their preparedness – doing so is fundamental to strengthening the security posture of the organization. In recent years, there’s been a marked uptake in software to simulate these events, often called purple teaming. In such a situation the red team would play the offensive testing the systems, and the blue team would play defensive searching for it. Ensuring effective software and tooling for these team exercises is of course critical. Collaborating, and proactively working together to share skills from these completely different skillsets will also support peer-to-peer upskilling and bolster the teams’ ability to defend the business as one unit in the event of an attack.
The CISO is not an IT function
The CISO is no longer an IT function. Today a CISO is an enabler, a strategist, a critical business advisor and a business influencer who builds a culture of security and drives competitive edge for the business. Brand value, perception and affinity is now as much the CISO’s responsibility as the CMO, and in the future we will most definitely see this role continue to evolve.
Vishal Salvi, SVP and Chief Information Security Officer, Infosys