The pandemic has catapulted security once more to the top of IT and executive leadership priorities, even the Board. However, at issue for the CIO and CISO is getting management buy-in when it comes to what technologies to acquire, how to integrate these into existing security strategies, the challenges in the journey to integration, and how to ensure that disruptions are kept to a minimum.
Because we live in an ecosystem economy today where almost everything is connected, the challenge for the CIO and CISO is securing a budget that reflects the state of security (or insecurity) in the industry, the many available solutions and their respective price tags, and the limited resources with which the company must do everything else while securing the business and its customers.
BlackBerry’s director of engineering for Asia-Pacific, Jonathan Jackson, acknowledges that the adoption of digital transformation, and the growth that has accompanied it worldwide, has resulted in global connectivity.
“We are seeing a hyperconvergence of AI, processes, quantum computing, and blockchain. Cybersecurity is inextricably linked to these drivers of a connected world as we develop the ability to compete in the digital world and meet the needs of protecting our assets, people, data, and privacy,” he continued.
Complexity is the new norm
In its 2022 predictions, IDC says that data security, confidentiality, integrity, and availability are now key issues for all organisations, as is the imperative to use data ethically while complying with a complex web of industry and regional regulations.
Jackson agrees, adding that cybersecurity has significantly increased in complexity over the last three to five years, and certainly in 2022.
“Going forward, we will see a huge number of changes in the attack surface and the way cyber threat actors infiltrate our networks, exfiltrate our data, put a ransom on our machines, and gain access to privileged and confidential information,” he added.
He also opines that with the convergence of IoT and OT (operational technologies), everything is connected to the Internet, greatly expanding the attack surface for organisations.
Selling the intangible to decision-makers
Jackson opines that this is the key challenge for CISOs and CIOs – to position a story to the Board with impact and “board sense”. This calls for the ability to speak the language of board members. However, security professionals, and even CISOs, tend to fall back on industry jargon, acronyms, and technical terms — things that a Board wouldn’t really understand.
He suggests speaking in the language of the Board. “If you can put security terminology in board language, then you’ve moved further down the line in getting your point across.”
He then suggests touching on three things that are critical to the Board — revenue, risk, and cost. In doing so, the Board is more likely to understand what the CISO is trying to initiate.
Jackson concedes that with Board conversations, it boils down to the return on investment (ROI). This requires quantifying the enterprise cyber risk in relation to the company’s business objectives.
Acknowledging that cybersecurity is like insurance in that it only becomes tangible when bad things happen, Jackson says that CISOs therefore need to do more than quantify the proposed cybersecurity spend: they also need to qualify how the proposed solutions deliver resilience and what impact that has on the bottom line.
Fighting a one-sided war
While many organisations, including financial institutions and governments, have stepped up their cyber readiness, stories continue to filter through about systems and processes across industries and institutions that have been under some form of cyber attack. In some cases, the victims have even succumbed to the attack and paid the ransom demands.
Jackson concedes that, to a certain degree, attackers are ahead of the game. He notes, however, that in the last two years, from a security perspective, investments have gone into creating capabilities that leverage machine learning.
“We are now using computers to be able to make an informed decision on a perceived cyber threat, and that investment has really helped us step ahead of where the cyber actors are going,” he continued.
How to get management buy-in
Communication is important. CISOs must understand things like critical business objectives and drivers (revenue, cost, and risk) to qualify and quantify the organisation’s cyber risk expenditure as it pertains to return on investment.
He also suggests CISOs map their resilience programmes to industry frameworks such as MITRE ATT&CK, NIST (the National Institute of Standards and Technology), and Australia’s Essential 8. “These frameworks will help the Board understand the measurable objectives of your cyber resilience programme,” he opines.
“CISOs should work towards the goal of reducing mean time to detection (MTTD) and mean time to respond (MTTR). These are effective cyber terms in helping the Board understand how quickly the business can adapt and respond to a significant cyber breach, attack, or event.”
Jonathan Jackson
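The two metrics Jackson names are only useful to a Board if they are computed consistently from incident records. The following Python snippet is an added example, not from the article or from BlackBerry, showing one straightforward way to derive MTTD and MTTR from a set of constructed incidents; the `Incident` fields and the sample timestamps are assumptions for illustration. It reports the median alongside the mean because a single slow-to-detect incident can drag the mean up and hide an otherwise improving trend.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """One security incident with the three timestamps MTTD/MTTR depend on.

    Field names are assumptions for this example, not a standard schema.
    """
    incident_id: str
    first_activity: datetime  # earliest confirmed attacker activity (from forensics)
    detected: datetime        # when the SOC raised and triaged the alert
    contained: datetime       # when the incident was contained / responded to


# Constructed sample data for the example; these are not real incidents.
INCIDENTS = [
    Incident("INC-001", datetime(2022, 1, 3, 8, 0), datetime(2022, 1, 3, 10, 0), datetime(2022, 1, 3, 14, 0)),
    Incident("INC-002", datetime(2022, 1, 10, 22, 0), datetime(2022, 1, 12, 9, 0), datetime(2022, 1, 12, 18, 0)),
    Incident("INC-003", datetime(2022, 2, 1, 12, 0), datetime(2022, 2, 1, 12, 30), datetime(2022, 2, 1, 15, 30)),
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def validate(incidents):
    """Reject records whose timeline is inconsistent so they cannot skew the metrics."""
    for inc in incidents:
        if inc.detected < inc.first_activity:
            raise ValueError(f"{inc.incident_id}: detected before first activity")
        if inc.contained < inc.detected:
            raise ValueError(f"{inc.incident_id}: contained before detected")
    if not incidents:
        raise ValueError("no incidents to report on")


def detection_times_hours(incidents):
    """Time from first attacker activity to detection, per incident, in hours."""
    validate(incidents)
    return [_hours(i.first_activity, i.detected) for i in incidents]


def response_times_hours(incidents):
    """Time from detection to containment, per incident, in hours."""
    validate(incidents)
    return [_hours(i.detected, i.contained) for i in incidents]


def board_summary(incidents):
    """Return the figures a CISO would put in front of the Board for one reporting period."""
    detect = detection_times_hours(incidents)
    respond = response_times_hours(incidents)
    slowest = max(incidents, key=lambda i: _hours(i.first_activity, i.detected))
    return {
        "incidents": len(incidents),
        "mttd_hours": mean(detect),
        "mttd_median_hours": median(detect),
        "mttr_hours": mean(respond),
        "mttr_median_hours": median(respond),
        "slowest_detection": slowest.incident_id,  # the outlier worth explaining
    }


if __name__ == "__main__":
    for key, value in board_summary(INCIDENTS).items():
        print(f"{key:>22}: {value}")
```

Run as a script it prints the summary for the constructed incidents: an MTTD of 12.5 hours driven almost entirely by INC-002, while the median detection time is 2 hours. That gap is exactly the kind of thing worth explaining to a Board in terms of risk rather than jargon.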
Click on the PodChats player to listen to the dialogue with Jackson on how to get senior management buy-in when it comes to your cybersecurity strategy.
- How is cybersecurity inextricably linked to digital growth in 2022?
- [Just] how complex is the nature of security for an organisation today?
- Security is like insurance. It only becomes tangible when bad things happen. How can the CISO-CIO contextualise key cybersecurity trends and issues to reflect the bottom line – the things most important to leadership, the Board, and shareholders?
- If I take a cynical look at security spending, for the most part, I am spending money in the hope that I can prevent threat actors from successfully impacting my business. But given that from what the CISO-CIO and analysts are telling me – that threat actors are creative, aggressive, resourceful and relentless, how do I fight a war that seems one-sided?
- Gartner expects companies will spend US$77 billion on outsourcing security in 2022. Where do you see this spending being prioritised? More importantly, how should the CISO and CIO approach selling the idea of more outsourcing to leadership? (skills shortage, alert fatigue)
- Is it true that companies are more open to outsourcing security?
- Bottom line, given all the challenges, obstacles, and priorities, what are your top recommendations for how the CISO-CIO gets leadership buy-in around security spending in 2022 and beyond?