“Security by Design”, or having cybersecurity as a central consideration from the start of each new project, is critical to avoid imperfect and costly solutions or impractical workarounds.
CISOs must take the lead in showing their teams how to improve their relationships with the rest of the business. In part, it is a simple case of investing time and effort. However, they will also need to change the nature of their interactions by becoming problem-solvers instead of fault-finders.
Change reporting structures and metrics
CISOs and the rest of the organization can only enhance cyber resilience by building trust and collaboration. This is seen in successful organizations today that effectively leverage enterprise diversity — such as business line owners, customer management, marketing, fulfillment, talent management and technology. They not only recognize that collaboration can take place organically, but also intentionally work on uniting and radically transforming how the business operates and serves its customers.
This poses a fundamental question of whether the hierarchical structures that worked before are still relevant, or whether cross-functional teams with a common purpose can be more effective for change to happen.
Respondents to the GISS reported that 37% of SEA CISOs report to the organization’s CIO and only 20% report directly to CEOs. A traditional reporting line through the CIO could leave cybersecurity in a less strategic position, with the CIO required to act as a conduit. CISOs must seize the opportunity to collaborate more closely with the business lines implementing the changes, and to play an active role from the start.
Beyond transforming the reporting structure, there will only be deeper trust and meaningful dialog when a common understanding and language are established between business owners and CISOs. The latter must articulate the return on cybersecurity investments needed in business terms. CISOs will need to develop new reporting metrics that are able to directly tie business drivers to what cybersecurity is doing to enable them, justifying its expenditures and effectiveness.
While the issues described above will take effort to address, challenging stereotypes, rebuilding relationships and proving cybersecurity’s full value to the organization are essential steps that CISOs will need to take to move forward in their role. They also need to ensure that traditional means of securing the environment keep pace with the needs of emerging technologies, increased connectivity and innovation, in order to continue building trust within the organization and with external stakeholders.
By moving from a defensive position to one that proactively enables the business in innovation, CISOs will be able to help their organizations to transform safely and securely in this digital era.
Former EY Partner Gerry Chng wrote this article.
Summary
CISOs must transform their role beyond that of a technologist to become a business partner. In order to be effective in this expanded role, they will need to diversify their skill sets, challenge stereotypes, rebuild relationships and prove cybersecurity’s full value to the organization.
They also need to ensure that traditional means of securing the environment keep pace with the needs of emerging technologies, increased connectivity and innovation, in order to continue building trust within the organization and with external stakeholders.