Today’s CISO Is Required To Show, Not Tell

Cybersecurity is about what you can do — not what you can’t do. The threat landscape is expanding. Cybercriminals are as entrepreneurial as ever and use increasingly sophisticated tools and technologies. In this fluid environment, we believe Chief Information Security Officers (CISOs) and their teams should adopt a mindset of enablement — cybersecurity is no longer just about prevention. It’s not a matter of telling colleagues what they can’t do, it’s showing them what they can do — securely.

CISO paradigm shift: From enforcer to influencer.

While one of the key lessons of the pandemic is that some of the best cyber teams are able to pivot quickly to enable their organisations to work safely, remotely, and effectively, the broader, more strategic takeaway is that this period has caused organisations to rethink how they engage with and serve their customers in a digital-first environment. This shift in mindset to customer-centricity has led to rapid digital transformation, which has helped customers move at the pace of business, securely. Under this dynamic environment, cyber professionals are transforming from organisational enforcer to influencer. The C-suite is taking note.

According to KPMG 2021 CEO Outlook, a sizeable majority of CEOs (75 per cent) believe a strong cyber strategy is critical to engender trust with key stakeholders.

But within the context of accelerated digital transformation — which augments the risks of an ever-expanding third-party ecosystem — cyber teams also recognise the challenge of protecting their partner ecosystem and supply chains, with 79 per cent indicating it’s just as important as building their own organisation’s cyber defenses. The majority of CEOs (58 per cent) feel they are well prepared for a cyberattack. Indeed, for nearly every organisation, some type of cyber event is seen as increasingly inevitable.

Security teams must be prepared for the increasing inevitability of some type of cyber event and be ready to respond, recover and re-establish trust as quickly as possible to mitigate the damage. At the same time, they must recognise that risk in this environment is a moving and evolving target. From the board to the C-suite and from the front office to back, controls should be in place to protect the organization’s and clients’ high-value assets, the proverbial ‘crown jewels.’

Over the years — and particularly as a result of the pandemic — it has been found that a lack of preparation and being overly reactionary can be as detrimental as the actual event. That’s why it’s so important to have a plan, test your responses according to different scenarios, and understand the depth and breadth of potential cyber incidents. This is an opportunity for organisations across virtually every sector to reimagine their response and recovery strategies and truly shift security left.

On the horizon: Eight CISO priorities

CISOs must wear multiple hats simultaneously, but they can’t be everywhere at all times. While it’s important to remember the oft-heard maxim, “security is everyone’s job,” it’s even more critical to recognise that security is key to building and maintaining customer, client, and stakeholder trust.

Looking toward 2022 and beyond, there are eight areas that CISOs should prioritise at the C-suite and boardroom levels. These themes, along with a focus on the always-fluid regulatory environment, can help executives better understand how cyber can support the business with a security plan based on shared accountability. Whether it’s advanced persistent threats, ransomware, backdoor attacks, or something we’ve yet to see, there will likely always be new perils with which to contend.

But if CISOs and their teams adhere to a disciplined set of principles designed with the organization’s key objectives in mind, and if the plan is up to date and flexible, they can position the organization to mitigate the impact of cyber events.

Eight key cybersecurity considerations for 2022