How can CISOs shift from protecting data to enabling transformation and growth?

In this year’s GISS, 55 Swiss companies (53% from the financial services sector and 47% from other industry sectors) have actively participated and shared their situation and challenges regarding cyber risks and cybersecurity. 63% of Swiss respondents say ensuring compliance in today’s regulatory landscape can be the most demanding and challenging part of their job. And 85% believe regulation will continue to become more fragmented — and therefore more time-consuming — in the years to come.

No wonder. Europe presents a myriad of compliance challenges, with robust European Union-level and Swiss requirements, such as General Data Protection Regulation (GDPR) and the upcoming Digital Operational Resilience Act, as well as growing Swiss requirements, particularly on industry sector levels (e.g. for financial services).

In the words of Tom Schmidt, EY Switzerland FSO Cybersecurity Leader and EMEIA FSO Cybersecurity Competency Leader: “If you are a Swiss headquartered international organization with subsidiaries in the EU and in overseas jurisdictions managing the different, overlapping and sometimes even conflicting regulations can be very challenging, especially in regulated financial services and industry sectors”.

In this environment, 60% of Swiss respondents warn that cybersecurity compliance requirements do not always drive the right focus and behaviors.

“There is a clear trend that governments and local regulators are focusing much more on cyber risks and come up with new binding requirements from their own perspective that might have a very sector specific or local touch,” says Tom Schmidt. “What the Swiss companies are facing is a global cyber threat. Cyber attackers don’t care in which countries an organisation sits and where the organization’s operational boundaries are.”

The tension continues to grow, with the turmoil of the past year and more months, exacerbating CISOs’ difficulties. Almost 6 in 10 (56%) Swiss respondents fear that the COVID-19 pandemic, along with rapid changes to working practices, have increased their risk of non-compliance.

How, then, can organizations manage the conflict between localized regulation and globalized operations? Certainly, CISOs are going to have to accept that the answer will not simply be to demand ever more resources. Just one in four (24%) Swiss respondents in this year’s GISS believe regulation is helping them make the case for additional cybersecurity spending.

The key will be to seize the initiative. Cybersecurity leaders should therefore take these key steps:

• Build a business case for investment in cybersecurity that is closely aligned to the enterprise’s strategic goals.
• Seize the upside of compliance and trusted data — for example, identify the revenue generation and cost-saving opportunities that the enterprise may enjoy when customers trust you with their data.
• Reposition the cybersecurity function as an enabler of transformation, innovation and business growth.

"Swiss companies are becoming increasingly global or aligned with different markets globally. This creates many advantages, but also some regulatory challenges in terms of cybersecurity. Among these, I don't just count the GDPR or EU law that affects Swiss companies, but more and more various industry-specific regulations. I also include cloud technology as a driver for cybersecurity regulatory requirements which must be addressed at an early stage of every going-cloud project," says Roman Haltinner Europe West Cybersecurity Competency Leader Switzerland.

The CISO’s role now reaches further than ever before. As organizations have moved to remote and flexible operating models, the pandemic has exposed them to new vulnerabilities. But this is only part of the broad ecosystem that organizations must consider and protect: businesses’ supply chains are stretching the potential attack surface for bad actors to target.

In this context, 42% of Swiss respondents agree that the third and fourth parties in their supply chains represent the greatest compliance risk to their business. Only 18% are confident that their entire supply chain is water-tight in its ability to defend and recover against bad actors.

"It's absolutely necessary, and it's going to take a lot of effort, to look at the entire value chain," says Roman Haltinner. "The boundaries between companies and their third parties are fluid. If you want to secure your supply chain, then you need to identify the risks and strengthen resilience with adequate measures end to end.”

CISOs must now work with their colleagues in areas such as procurement, finance, compliance and operations to track how supply chains and working practices are evolving to support the business’s objectives. They should:

• Map the organization’s supply chains and ecosystems to decide what is in scope.
• Identify the additional compliance exposures created by such relationships.
• Evaluate the resilience and vulnerability of the enterprise’s networks.
• Assess the risk and plan for mitigation.
• Collaborate across the enterprise with all stakeholders to identify areas of weakness.

The ability of CISOs and the wider cybersecurity function to work in unison with the rest of the enterprise will be a particular focus. Right now, just 4% of Swiss respondents believe cybersecurity is regarded as a commercially minded function by the broader organization; only 5% believe colleagues in other functions would say cybersecurity “speaks the language of the business.”

This must change. From a resourcing perspective, CISOs who can articulate the business case for allocating increased budget to cybersecurity will find it easier to secure the support they need. From a compliance viewpoint, cybersecurity will meet localized requirements through closer engagement across the enterprise. Most crucially of all, CISOs seeking to become strategic enablers and value drivers will succeed if they lead a cybersecurity function that is seen to be working to facilitate business transformation.

The time to deal with this issue is now. “For the future success to fight cyberattacks successfully and to implement the right cybersecurity measures it will be crucial that CISOs understand the business of the organization, the organization’s strategy and that they are also able to speak the language of the business and to instill cyber awareness throughout the organization”, says Tom Schmidt.

Equipping cybersecurity for the broader and more engaged role that it must now play is a task that starts at the top of the function. Here are the next steps:

• Redefine the role of the CISO and reassess the competencies required.
• Develop an operating model for meeting this role definition.
• Build out the skills base across the cybersecurity function, with an emphasis on business engagement as well as technical skills for all.

It is not only to the rest of the business that CISOs must reach out, but also to their boards. The evidence of this year’s GISS is that pitching for additional budget on regulatory and compliance grounds alone looks increasingly futile, even in the face of fragmentation. Yet it is clear boards recognize the threat and cybersecurity. In the EY Swiss Banking Barometer 2021 study the topic “cybersecurity” in the area of risk and regulation is at the top of the list of the specific topics that the banks are dealing with in their daily business.

A value-focused mindset around value creation and transformation — not just value protection and recovery — will resolve some of the difficulties that CISOs run into when engaging with their boards. Just 58% of Swiss respondents believe their board and executive management team always fully understands the value and needs of the cybersecurity team function; 38% believe that when they make the case for increased funding, the board may have trouble understanding their arguments.

But regulation, security and resilience are only part of the conversation. “The CISOs need to develop in the role of the internal business partner. In some companies this transformation has started, others are still at the beginning” says Tom Schmidt.

The result is that the cybersecurity function is not getting involved as much as it should be in transformation. In this year’s GISS, 43% of Swiss respondents warn that their cybersecurity teams are frequently not consulted or are consulted too late when urgent strategic decisions must be made.

Collaboration between the board, the business and cybersecurity is critical and increasingly urgent. "The role of the CISO should evolve to one that is no longer seen as a barrier to new business areas, but act as a business enabler as cybersecurity increases confidence in innovation. This helps companies to improve business operations and build trust," says Roman Haltinner.

CISOs therefore must:

• Ensure their boards understand their role in setting cybersecurity in the broadest sense.
• Reach consensus on cultural shifts such as security by design and, in the context of flexible and remote working, zero trust.
• Build a business value case for cybersecurity budget and resourcing¹.
• Run boardroom pilot risk exercises, alongside the CIO; these exercises might stimulate a cybersecurity breach or other incident, to illustrate the risk and demonstrate the plans in place to manage it.

Prepare for growth

The evidence of this year’s GISS is that CISOs across Switzerland and Europe face a dilemma: they must cope with a regulatory environment that is fragmenting fast, while working with boards that do not see compliance as a justification for writing ever larger checks. To square the circle, will require the cybersecurity function to think about how to play its part in business growth.

This will require CISOs to build much stronger relationships with other business leaders, particularly in areas such as product development, sales and marketing. Right now, only 7% of Swiss respondents characterize their relationship with marketing as very positive, with 41% regarding it as negative or no relationship at all.

CISOs have made much more progress with colleagues such as the chief risk officer, with 60% of Swiss respondents pointing to a relationship of high trust and consultation. Now they must reach out to the rest of the enterprise.

Critically, this engagement will help CISOs meet the challenges of localized regulation. The key will be to build operating structures with common standards, which nonetheless mirror the way in which the business has developed.

This is not to understate the scale of the task that lies ahead. With threat levels elevated, CISOs must map the exposures and resilience of their entire ecosystems, build compliant structures that mitigate risk and prepare for response, and focus on enabling growth. This will require cybersecurity to acquire a broader skill set and to consider new leadership structures.

The prize for those CISOs who rise to the challenge is a valuable one. They will not only retain their status as protectors of the organization’s data and security, but also become trusted enablers of value creation and transformation.