More than half of TMT cyber leaders (58%) say their organizations roll out new technology to timescales that do not allow for suitable assessment or oversight from a cybersecurity perspective.
Many TMT CISOs also report that their organizations sidestep cybersecurity when making transformations at speed. The shift to remote operations provides a good example: 55% of sector respondents acknowledge that business teams bend cyber processes to facilitate new requirements around flexible working.
CISOs might blame other business functions for being inflexible or working to unrealistic deadlines, but blame will not fix the issue. “There is distrust with business units, and what this suggests is that CISOs are not fully integrated,” says Lovejoy.
A more effective approach would be to reach out and build bridges across the organization. Few CISOs in TMT enjoy strong relationships with key functions. Approaching half (48%) characterize their relationship with marketing as poor, while 56% complain of negative interactions with HR. Meanwhile, 33% have unsatisfactory relationships with product development. In such a scenario, expecting to be consulted at the planning stage of new initiatives is likely to be a false hope.
CISOs should be prepared to take the initiative in improving these relationships, and there is reason to believe that they are acknowledging the need to do so. Half say their top priority after COVID-19 is to embed a culture that embraces security by design.
Rising to the challenge: How TMT CISOs can respond
As threat actors step up attacks on the sector, TMT CISOs are under pressure to act. Three responses may prove critical.
1. Look beyond compliance for cross-functional leverage
In the past, CISOs have frequently used compliance as a justification for rolling out cybersecurity measures. Telling peers that they must adopt a cyber policy “because regulation says so” does not, however, carry as much weight as it did. Nonetheless, the research suggests that CISOs are relying heavily on regulation, with 94% agreeing that compliance drives the right focus and behaviors.
In practice, the key to stronger relationships lies in engaging on the issues that are front of mind for business partners, with a focus on commercial and strategic drivers. “The most important aspect of a CISO’s job is being able to tell the story”, argues Andy Ng. “You have to speak to the corporate narrative in addition to the security and technical one. The role is arguably that of the ‘Chief Information Soapbox Officer.’”
2. Invest in new skills development
Fewer than half of TMT CISOs (42%) are confident that they have access to the skills they need. These skills must extend beyond technical competency: effective cybersecurity increasingly relies on commercially minded team players who can engage positively with the rest of the business, especially if they are relying less on regulation as a driver.
Right now, however, a little less than half (43%) of CISOs in the sector are confident that their teams speak the same language as peers across the business.