Cybersecurity is about what you can do — not what you can’t do. The threat landscape is expanding. Cybercriminals are as entrepreneurial as ever and use increasingly sophisticated tools and technologies. In this fluid environment, we believe Chief Information Security Officers (CISOs) and their teams should adopt a mindset of enablement — cybersecurity is no longer just about prevention. It’s not a matter of telling colleagues what they can’t do, it’s showing them what they can do — securely.
CISO paradigm shift: From enforcer to influencer.
While one of the key lessons of the pandemic is that some of the best cyber teams are able to pivot quickly to enable their organisations to work safely, remotely, and effectively, the broader, more strategic takeaway is that this period has caused organisations to rethink how they engage with and serve their customers in a digital-first environment. This shift in mindset to customer-centricity has led to rapid digital transformation, which has helped customers move at the pace of business, securely. In this dynamic environment, cyber professionals are transforming from organisational enforcer to influencer. The C-suite is taking note.
According to KPMG 2021 CEO Outlook, a sizeable majority of CEOs (75 per cent) believe a strong cyber strategy is critical to engender trust with key stakeholders.
But within the context of accelerated digital transformation — which augments the risks of an ever-expanding third-party ecosystem — cyber teams also recognise the challenge of protecting their partner ecosystem and supply chains, with 79 per cent indicating it’s just as important as building their own organisation’s cyber defenses. The majority of CEOs (58 per cent) feel they are well prepared for a cyberattack. Indeed, for nearly every organisation, some type of cyber event is seen as increasingly inevitable.
Security teams must be prepared for the increasing inevitability of some type of cyber event and be ready to respond, recover and re-establish trust as quickly as possible to mitigate the damage. At the same time, they must recognise that risk in this environment is a moving and evolving target. From the board to the C-suite and from the front office to the back office, controls should be in place to protect the organisation’s and clients’ high-value assets, the proverbial ‘crown jewels.’
Over the years — and particularly as a result of the pandemic — it has been found that a lack of preparation and being overly reactionary can be as detrimental as the actual event. That’s why it’s so important to have a plan, test your responses according to different scenarios, and understand the depth and breadth of potential cyber incidents. This is an opportunity for organisations across virtually every sector to reimagine their response and recovery strategies and truly shift security left.
On the horizon: Eight CISO priorities
CISOs must wear multiple hats simultaneously, but they can’t be everywhere at all times. While it’s important to remember the oft-heard maxim, “security is everyone’s job,” it’s even more critical to recognise that security is key to building and maintaining customer, client, and stakeholder trust.
Looking toward 2022 and beyond, there are eight areas that CISOs should prioritise at the C-suite and boardroom levels. These themes, along with a focus on the always-fluid regulatory environment, can help executives better understand how cyber can support the business with a security plan based on shared accountability. Whether it’s advanced persistent threats, ransomware, backdoor attacks, or something we’ve yet to see, there will likely always be new perils with which to contend.
But if CISOs and their teams adhere to a disciplined set of principles designed with the organisation’s key objectives in mind, and if the plan is up to date and flexible, they can position the organisation to mitigate the impact of cyber events.
Eight key cybersecurity considerations for 2022
- Expanding the strategic security conversation
Change the conversation from cost and speed to effective security to help deliver enhanced business value and user experience.
- Achieving the x-factor: critical talent and skillsets
Transform the posture of CISOs and their teams from cyber security enforcers to influencers.
- Adapting security for the cloud
Enhance cloud security through automation — from deployment and monitoring to remediation.
- Placing identity at the heart of zero trust
Put IAM and zero trust to work in today’s hyperconnected workplace.
- Exploiting security automation
Use smart deployment of security automation to help realize business value.
- Protecting the privacy frontier
Move to a multidisciplinary approach to privacy risk management that embeds privacy and security by design.
- Securing beyond the boundaries
Transform supply chain security approaches — from manual and time-consuming to automated and
- Reframing the cyber resilience conversation
Broaden the ability to sustain operations, recover rapidly and mitigate the consequences when a cyberattack occurs.
Anthony Muiyuro is the Associate Director, Cyber Security & Privacy Leader, and President of the ISACA Kenya Chapter.
Want more of this? Join us for the Africa Cloud & Security Summit 17-18 March 2022 at Crowne Plaza.