6 minute read 2 Sep 2021
How Irish CISOs can play a more strategic role in their organisations

By Carol Murphy

EY Ireland Consulting Partner and Head of Technology Risk

IT strategy and transformation adviser. Effective programme and project management skills.

CISOs need to build better stakeholder relationships. Find out how they can bring cybersecurity to the heart of organisations by doing that.

In brief
  • Irish CISOs need to communicate the risk to gain executive leadership’s support and quantify risk in financial terms where possible.
  • Cyber leaders in Ireland should become business enablers and identify common goals with key stakeholders for specific initiatives.
  • CISOs in Ireland need to move boardroom discussions away from numbers to value of the assets being protected.

Irish cybersecurity functions are underfunded. More than half (52%) of the respondents to the EY Ireland Global Information Security Survey (GISS) 2021 said it is just a matter of time until they suffer a major breach that could have been avoided had their organisations invested more wisely in cybersecurity.

This lack of funding is not merely due to a paucity of resources. It reflects a lack of appreciation at boardroom level for the scale and nature of the threat posed by cyber criminals. It also demonstrates the absence of a cybersecurity voice in key strategy conversations.

The question for Irish Chief Information Security Officers (CISOs) is how they can address the funding issue by playing a greater strategic role in their organisations.

The first step is to move the boardroom discussion away from numbers. If cybersecurity is just another budget line item, it will always be reviewed with an eye to cuts. However, if the discussion is about the value of the assets being protected, the tenor and outcome will be very different. The numbers will centre on potential loss rather than expenditure and the fight for resources will be easier to win.

To achieve that outcome CISOs need to build closer relationships with other key stakeholders in the business including finance, HR, and marketing teams. Their support will be critical when cybersecurity comes up for discussion at board and C-suite levels.

It’s all about relationships

A significant proportion (44%) of Irish CISOs say they have a poor relationship with their organisation’s business heads. At the same time, a high proportion (48% and 42%, respectively) admit to having very poor relationships with the HR and marketing functions. Those poor relationships can only hamper CISOs in carrying out their functions.

Relationship with HR function: 48% of Irish CISOs say they have very poor relationships with the HR function.

Relationship with marketing function: 42% of Irish CISOs say they have very poor relationships with the marketing function.

Indeed, the lack of insight into areas such as HR and marketing may explain what is probably a false sense of confidence among Irish CISOs. Irish CISOs are, for example, noticeably more confident than their global peers. Six in 10 say they are confident they understand and can anticipate new strategies used by threat actors, compared to only 48% of international respondents.

This high level of overconfidence underlines the need for cybersecurity to be at the strategic heart of the organisation rather than at the periphery. And the way to achieve that shift is by building relationships with key internal and external stakeholders.

CISOs have usually had years of technical and leadership experience, but the decisions they make often go beyond technical considerations and require much broader working relationships. The CISO should aspire to align with the objectives of business stakeholder groups and work to develop strong professional working chemistry.

Becoming a business enabler should be the goal of the CISO. However, conflicting points of view and natural tension between roles are an important part of business and should not prevent CISOs from working collaboratively to solve problems and meet business goals.

Trust is fundamental for a CISO to cultivate, especially where genuine mutual value is derived from the relationship. It is built over time and is based on shared, mutually beneficial experiences. This can, however, be difficult, given that studies show that the job tenure for most CISOs is typically between two and four years.¹ Enduring CISOs have embraced the role of trusted advisor, where business units reach out to the CISO for solutions to their security problems.

A 360-degree approach

CISOs need to work on building stakeholder relationships both within and outside the organisation to orchestrate the strategic shifts in the security ecosystem. With the outbreak of COVID-19 accelerating the pace of digital transformation, Irish cybersecurity leaders need to listen, learn and take a more holistic view of the security needs of the organisation.

The CISO needs to build close relationships with people in key areas such as risk and compliance and IT, so that when investments are being made in new systems or transformation programmes, security has a place at the table.

Here are some of the strategic steps for Irish CISOs to take to present themselves as a key ally in the battle to preserve and protect the organisation’s assets.

  1. The CISO should try to identify common goals with the key stakeholders for their specific initiatives, such as reducing complexity and time through a Security-by-Design approach to technology solutions.
  2. CISOs must also be involved in key decisions at a much earlier stage. Again, this will require building close relationships with people in key areas such as risk and compliance and IT. When investments are being made in new systems or transformation programmes, security must have a place at the table.
  3. CISOs must look beyond their organisations when building stakeholder relationships. Suppliers are critically important. Cyber risk arising from supply chain vulnerabilities must be addressed. A fourth or fifth party may be several times removed from the organisation, but it could still pose a cybersecurity risk.
  4. Customer interests must also be represented. CISOs can become advocates for customer privacy and data protection rights and thereby assist sales and marketing by enhancing the organisation’s brand reputation. CISOs and business stakeholders should align and clearly articulate all data use for risk-based decisions. This is particularly important for personal and sensitive personal data use and protection.

Five steps to long-term value

CISOs must demonstrate the ability of cybersecurity to add long-term value across the organisation. This begins with finance and the reduction of the risk of the organisation suffering a devastating cyberattack or fine for data or privacy breaches.

A CISO should be a builder and disruptor, bringing innovative solutions in a measured and proportionate manner.

Innovative approaches to security automation will be an essential tool in a CISO’s arsenal.

The five steps Irish CISOs can take to build better relationships with the board, business heads, HR and marketing functions are:

By taking these steps CISOs can achieve a fundamental change in their standing within their organisations and ensure they are consulted earlier, receive adequate resources, and become viewed as value adding rather than cost increasing.

Summary

Cyber leaders in Ireland need to look beyond their organisations when building stakeholder relationships. To bring innovative solutions in a calibrated manner, they need to assess key business stakeholders’ satisfaction with the performance and delivery of security services.
