Many Chief Information Security Officers (CISOs) now find themselves at the crossroads as they face the challenge of bridging the gap between cybersecurity and business needs in an increasingly complex and connected digital environment.
Traditionally, CISOs have focused on improving their organization's defences against cyber attackers. This continues to be an important role given that 59% of Southeast Asia (SEA) organizations saw more attacks in 2019, according to the EY Global Information Security Survey 2020 (GISS).
However, they will need to adapt to perform this role effectively. Today's enterprises are rapidly transforming to embrace emerging technologies and driving innovation to remain competitive and meet customers' evolving expectations.
CISOs who merely react to these changes will not be as effective as those who proactively keep pace with the organization's transformation and look to develop an in-depth understanding of the business environment. The latter will be able to anticipate new threats, recognize potential new aggressors and respond ahead of time.
There is now an opportunity and a need for CISOs to be at the heart of innovation: to help organizations make new products and services cybersecure, and therefore more competitive as consumers and regulators place more importance on security.
For example, when the cybersecurity labelling scheme for Wi-Fi routers and smart home hubs is introduced in the second half of 2020 in Singapore, CISOs of manufacturers that can help their organizations comply with these standards might give them an advantage in product differentiation.
Clearly, CISOs must transform and expand their role beyond that of a technologist to become a business partner. They will need to lead from the frontline, and not just support from the backroom. As they do so, they lead the way for cybersecurity functions to change their ways of working and operate as enablers of innovation.
In order to be effective in this expanded role, CISOs will need to diversify their skill sets to acquire both new technical and business capabilities. Essential business skills include problem-solving, communication and the ability to work collaboratively across departments to identify risks in the dynamic digital environment. They will also need a deeper understanding of emerging technologies and their applications.
Challenge stereotypes and rebuild relationships

It is not enough for CISOs to embrace their new role and proactively acquire skills to support it; they will also need to tackle existing stereotypes within the organization. When asked how the executive management team would describe the role of cybersecurity, only 8% of SEA respondents of the GISS agreed that the function "enables innovation with confidence."
A much higher percentage (32%) associated the function with its traditional role of protecting the enterprise.
The difficulty in changing stereotypes is made worse by existing levels of distrust between cybersecurity functions and the rest of the business. According to the GISS, 37% of cybersecurity functions in SEA organizations have, at best, neutral relationships with the lines of business, and at worst non-existent or mistrustful ones.
Trust is an essential ingredient to foster openness and free up the exchange of ideas, which are critical for building a culture of innovation. Without strong mutual trust with the rest of the organization, CISOs will struggle to participate in innovation projects, and even if they do, cybersecurity is likely to be an afterthought.
The GISS revealed that only 43% of SEA organizations involved their cybersecurity team right from the planning phase of a new business initiative.
It is critical for cybersecurity to be a central consideration from the start of each new project, an approach called "Security by Design", to avoid imperfect and costly solutions or impractical workarounds.
CISOs must take the lead in showing their teams how to improve their relationships with the rest of the business. In part, it is a simple case of investing time and effort. However, they will also need to change the nature of their interactions by becoming problem-solvers instead of faultfinders.
Change reporting structures and metrics
CISOs and the rest of the organization can only enhance cyber resilience by building trust and collaboration. This is seen in successful organizations today that effectively leverage enterprise diversity, such as business line owners, customer management, marketing, fulfilment, talent management and technology. They not only recognize that collaboration can take place organically, but also intentionally work on uniting and radically transforming how the business operates and serves its customers.
This poses a fundamental question of whether the hierarchical structures that worked before are still relevant, or whether cross-functional teams with a common purpose can be more effective for change to happen.
According to the GISS, 37% of SEA CISOs report to the organization's CIO and only 20% report directly to CEOs. The former's traditional reporting structure could leave cybersecurity in a less strategic position, with the CIO required to act as a conduit. CISOs must seize the opportunity to collaborate more closely with the business lines implementing the changes, and to play an active role from the start.
Beyond transforming the reporting structure, there will only be deeper trust and meaningful dialog when a common understanding and language are established between business owners and CISOs. The latter must articulate the return on cybersecurity investments needed in business terms.
CISOs will need to develop new reporting metrics that are able to directly tie business drivers to what cybersecurity is doing to enable them, justifying its expenditures and effectiveness.
They also need to ensure that traditional means of securing the environment keep pace with the needs of emerging technologies, increased connectivity and innovation, in order to continue building trust within the organization and with external stakeholders.
By moving from a defensive position to one that proactively enables the business in innovation, CISOs will be able to help their organizations to transform safely and securely in this digital era.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.