The changing role of cybersecurity at the top management
In the past 10 years, cybersecurity, as a common domain, has seen enormous advances, increasing collaboration across national-level steering groups and global industry expert organizations. Yet, at the same time, top-level leadership confidence seems to be stagnant or even decreasing.
The main factors behind the uncertainty are more traditional and less cybersecurity-capabilities-focused — leadership responsibility is increasing. These expectations continue to grow with new regulatory changes across the Western world. Meanwhile, the way cybersecurity is managed and developed remains operational-focused.
The “Seven priorities for EMEIA boards to transform their 2022 agenda” study by EY indicated cybersecurity as one of the seven priorities. Other organizations and researchers have made similar observations. The reasoning behind the growth from a subset of IT to a board priority is equally clear: businesses depend more on the operational resilience of digital environments, and business risks are digitally driven.
Yet, in EY Global Information Security Survey 2021, just 9% of boards were extremely confident of the organization’s ability to protect core operations against cyber threats. As businesses transform, cybersecurity teams must continuously re-evaluate end-to-end plans, partnerships and capabilities.
Cybersecurity strategy or strategic planning of cybersecurity
That leads to the first point: proper strategic planning. To ensure cybersecurity is not just a subset of IT, plans must reflect wider strategic business and IT objectives.
The European Union Agency for Cybersecurity (ENISA) has stated that “(states) need to have flexible and dynamic cybersecurity strategies to meet new, global threats.” The same approach applies to private sector entities redefining their cybersecurity direction — strategies should be objective-driven and dynamic enough to accommodate rapid changes.
Currently, the majority of cyber “strategies” are tied to long-term, often technical transformations. This leaves little room to change or support other parts of the business when new objectives are set, sudden changes are seen in the operating environment, or geopolitical tensions force reactions.
Taking the approach a step further, all cyber initiatives should be traceable back to strategic business objectives. If the links between strategic cyber initiatives and business objectives are lacking, the changes might support the surrounding operating environment only partially.
These types of strategic mismatches are further seen in activities such as:
- Organizational carve-outs due to the inability to segment core cybersecurity areas and business unit and operation-relevant areas.
- M&A integrations — the majority of deals will introduce overlapping cybersecurity capabilities, unallocated resourcing and new vendors. However, due to the lack of overarching objectives and decisions, rather than creating synergies, cybersecurity creates unnecessary layers and costs with little impact on overall posture.
- Organizational transformations due to strategic direction impact the ability to perform core cyber operations efficiently.
In addition, even recently, many security strategies were tied to multi-year programs with little room for flexibility and adjustment. Thus, the decisions made at the outset reflected only the ambitions and objectives of that moment. By the end of such transformative programs, areas were still in development mode because needs and business direction had shifted. Additionally, transformations tied to improving the maturity of the cybersecurity posture rarely reach the target states that were set.
The new era of long-term cybersecurity planning and expectations for modern security leaders
These observations have led leading organizations across sectors to segment development objectives into smaller pieces rather than planning mega programs with bigger individual outcomes.
Interviews with some of the leading organizations across sectors have shown the following similarities both in approaches and outcomes:
- Objectives are highly linked to key strategic targets of the business.
- Transformative programs are reviewed more often, and hard decisions to change or quit are made faster.
- Security technologies are not the drivers but the tools; decisions are not made based on technical capabilities.
- Plans are shorter and future target states are not defined by nature.
- Chief Information Security Officers (CISOs) leading strategic changes are equally recalibrating their approaches.
Point five leads to the final observation: the changing expectations for CISOs. Traditionally, CISOs have grown within organizations and have become more technical security experts. However, the latest developments have shown similar patterns to CEOs, CIOs (Chief Information Officer) and other C-suite reshuffles, with CISOs joining from outside the organization to bring new strategic thinking to cybersecurity development. From the board and executive leadership perspective, the reasoning is often two-fold.
First, many CISOs are perceived as too technical and too focused on day-to-day operations. Often, technically savvy CISOs who rise to executive leadership discussions are not equipped with the long-term strategic focus and business acumen needed to communicate with the rest of the leadership. The focus on operational upkeep is often tied to organizational culture and to how the role of cybersecurity was viewed prior to the change in expectations. When changes happen, CISOs are often not given reasonable support to transform their role, or the mentoring needed to communicate the right topics in the right way to their audience. In such situations, the rest of the executive leadership might view cybersecurity as “too complex” or irrelevant to executive-level discussions. Thus, information is presented through an intermediary, often another C-suite member such as the CIO or CRO.
Secondly, risk- and threat-focused CISOs are seen as obstacles to business development, major overhauls of the business, or steps into new, uncertain areas. The complexity of today’s digital world has created a culture where it is easier to say “nay” than “maybe.” While risks and threats will always remain part of cybersecurity by nature, these absolutes are a red flag for other executives.
Steps to take as an organization and as a security leader
Overall, corporate cybersecurity practices are going through cultural changes. While main operations will focus on traditional aspects such as ensuring confidentiality, integrity and availability, the executive-level expectations for security’s role are wider. Cybersecurity is no longer a subset of IT due to its reach and dependency on multiple parts of the business. To develop cybersecurity aligned with business needs, the strategic focus needs to be more widespread.
Lastly, CISOs in the middle of these cultural changes need to become more business-fluent, long-term focused and culturally fit for executive leadership roles in order to retain their positions. As with other executive positions, and as already seen in some parts of the world, CISOs’ tenures will become shorter as companies seek fresh thinking to drive strategic change when the cultural clashes between the board, executive teams and security leaders are too fundamental.