The new Cybersecurity Leader / CISO: the role - Are there any common traits as to what makes a successful security program?
Being successful at developing a security program is like trying to solve a complex jigsaw puzzle where the final picture you are chasing keeps changing during the journey. The CISO must create a strategy that goes beyond technology and comprehends both the strategic business goals and the organizational culture. The cybersecurity discipline should be included in the core business, using the culture as leverage.
To achieve those results, it is important to have a passionate team with autonomy, empowerment, and ownership to get things done, but also to communicate with and engage everyone who will lead the program. The critical point is the capability to make it an enterprise endeavor, where people understand its value and promote it for the sake of the company.
The relationship with the board - What must corporate boards know about conducting information security?
First, they should understand that in this new digital economy cyber risk is a complex and different risk, more a strategic risk than an operational risk. The board must understand it so they can guide the strategy and perform oversight of it. They need to understand whether the cybersecurity discipline is being considered by the whole C-suite, or only by the CISO and CIO.
In practical terms, they should at least (i) evaluate how it is embedded in daily life, from business operations to strategy discussions, in matters such as products, M&As, JVs, emerging tech, data processing, etc.; (ii) evaluate which risk approaches are being taken overall, how performance compares to the risk appetite, and what level of resources is being applied; and (iii) monitor the level of compliance with the modern and complex regulatory ecosystem, with several cybersecurity and data privacy regulations across the world.
Creating a cyber security culture within the organization - Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
I believe that leaving the security facilities should be the first thing. The era of the security guardians who, inside their protected rooms, defined and implemented the best controls (from their perspective) must end. The development of security components, from strategy to operations, should be done by multiple hands, and that will be critical for the sustainability of the program and for leveraging people outside of the security organization, such as business leaders and tech teams, to disseminate the cybersecurity culture.
Besides that, to create a culture of security you need to understand your organizational culture and check how you can leverage that. Think about applying a security approach focused on heavy policies, procedures and gatekeepers to a startup that has autonomy, empowerment, and trust as values: it doesn't seem to be the right strategy.
Threat landscape and biggest challenges - What are the challenges that the digital economy brings to cybersecurity?
The new digital economy has changed the way that businesses work to create, capture, and provide value in complex and interconnected businesses. It is super important to understand that now cyber risk is destroying entire value chains, triggering systemic failures. Unfortunately, this is the case in many large corporations nowadays, and things are probably going to get worse before they get better. Companies should clearly understand how their digital business system works, what components are part of the system and how those parts are connected. Then, they should map the associated cyber and systemic risks to implement a proper strategy to make the business prosper.
Balance between innovation and cybersecurity - How can CISOs / Leaders balance security and innovation?
CISOs must understand how innovation works in the company if they want to enable it. Some companies innovate through a formal process, while others innovate intuitively across every department. Some innovate in the product, while others focus on internal processes. Some apply open innovation, others do it internally. As there are many ways to innovate, there are many possibilities to apply security, and the development of a tailor-made approach is only possible if you work with the right people, able to discuss and define what is best for the organization, considering culture, strategy, risks, and organizational goals. The balance should be natural if everyone is putting organizational goals and responsibilities first.
The need for collaboration within and outside the organization - What is the best way to foster an image of information security being there to help support the business rather than just being about the raw technology?
Infosec should be collaborative and very close to the business, helping it create better products, services, operations, etc., with cybersecurity considered in the equation. Define the non-negotiable elements, but also be able to help find alternatives when something would bring a risk beyond the company's risk appetite. Sometimes, we should be open to recommending risk management approaches other than mitigating the risk. We, as security professionals, love to always mitigate the risk, but accepting the right risks should also be okay; it enables the company to take business opportunities and could open the path for the company to work on the most critical risks.
Closing statement
The new digital economy demands that we work from different perspectives than only protecting and sustaining the business. It requires that we, as security leaders, work strategically to ensure compliance with regulations, define proper risk management approaches and enable the business and innovation. It is not an easy task but, unfortunately for the wrong reasons (such as data breaches and business disruptions), it has been receiving the needed attention of the organization. Now we should take it.