* Editor's note: This article is co-produced by Sukhpreet Kaur
For years, information security has been floating in the Top 10 IT strategies of many organisations. In the last 3-5 years, the frequency, tenacity, and boldness of cyberattacks have moved cyber security not only to the top of the CIO’s priority list but to the C-suite and Board as well – becoming, in many cases, part of the business agenda.
In the US, for example, the cybersecurity community is pushing for a bill that would place responsibility on the CEO and the board if cybersecurity controls are not adequately implemented. Recently, the Biden Administration submitted a request for US$10.9 billion in cybersecurity funding across civilian government agencies, up 11% from its last request in 2021.
The responsibility for security typically rests in the hands of the Chief Information Security Officer. But as security becomes intertwined with an organisation’s digital transformation journey, how do we see the role of the CISO evolving, and for that matter that of the CIO?
Reflecting on the increase in cyber incidents in Asia and globally, Abdulla Al Attas, head of cyber security, Plus Malaysia, says such incidents happened because security capabilities or controls were not implemented properly or because there is a lack of management.
“They become difficult to manage because either we do not know which company assets to look at and protect or we are not fully aware of all company assets. We need to ensure the cybersecurity team has a view or ability to monitor, detect and protect the assets,” he added.
If you look at this year 2022, to what degree is cybersecurity given importance at the C-suite executive level and even at the board level in terms of investment in time and resources?
Abdulla Al Attas: There are different sentiments from the board depending on the industry. Many are just looking at how we can recover from 2021 but fairly we should have learned by now that proper cybersecurity controls reflect organizations’ concerns and care for customers’ information.
If you are only thinking about the cost and revenue, it will never fully protect us from cyber-attacks. The cost is important, but you need to look at the benefit cybersecurity brings to your organization.
How should leadership and the board approach cybersecurity? What is your advice for them?
Abdulla Al Attas: I have seen many of the board members do not have technical backgrounds so they lack knowledge of how technology or cybersecurity is run. Having someone on board who understands technology and cybersecurity is quite important because they will be able to drive some key initiatives for their organizations. In fact, all levels should understand how cyber risk impacts the business to protect it one way or another.
What questions should the board be asking itself and the C-suite or the CIO and the CISO when it comes to cybersecurity in an ideal situation?
Abdulla Al Attas: The board can think about the impact of bringing new technology into the business. Will it have any added value? How will it help us reduce potential risks? How will it benefit our customers? Does it protect our data? The more information you have, the better. It also gives assurance to your customers that their data is protected.
In terms of the role of the CISO or the head of security, what do you think will be very important for that role in 2022 and beyond?
Abdulla Al Attas: Should be more involved in the business decisions. See where to invest and optimize or expand business technologies. Involving the CISO or the head of cybersecurity aligns business strategies with investments in technologies and resources. Not everyone has security as a priority or in mind, so their presence is crucial.
What is your expectation in terms of the challenges that the CISO will be facing this year?
Abdulla Al Attas: In terms of ransomware, there may be many incidents, but the approach is going to be different. Cyber attackers always come up with new ways to extort money. The organizations could be attacked, and their infrastructure may be used to attack others, so we need to upgrade our monitoring capabilities to be able to act fast if this happens.
Click on the podchat player and listen to Al-Attas share his opinion on how the role of the CISO needs to be repositioned for a more strategic leadership role in 2022.
- If we look back at 2020 and 2021, security firms and analysts noted an increase in cybersecurity breaches/incidents. Despite the importance given to cybersecurity what are organizations doing wrong?
- In 2022, to what degree is cybersecurity given importance at the C-Suite and Board level? How is this ‘importance’ realised in terms of investments in time and resources?
- To give it the importance it deserves, how should leadership and the board approach cybersecurity?
- What questions should the board be asking itself, the C-suite, the CISO-CIO when it comes to cybersecurity in 2022?
- What will be important to the CISO in 2022?
- What do you see as challenges facing CISOs in 2022?