


CISOs, Stop Focusing On Cybersecurity

Forbes Technology Council
By Joseph Carson

Cybersecurity has become a hot topic in recent years for chief information security officers (CISOs), as the world has witnessed a rapid increase in cyberattacks, data breaches, data leaks and espionage. The latest World Economic Forum report lists cyberthreats as a top risk to world economies, just behind climate change and natural disasters. Governments have started taking cybersecurity seriously, increasing investment in both defensive and offensive capabilities — and introducing regulations to support legal frameworks.

But are we trying to solve the unsolvable by placing cybersecurity in a similar category to climate change and natural disasters, all of which are intrinsically complex?

When I met with several CISOs, heads of security and leaders of cybersecurity awareness programs to discuss the current threat landscape and how the future of cybersecurity will evolve, we all arrived at similar conclusions:

• Government leaders and business executives may not understand the complexity of cybersecurity.

• Expectations are far from reality.

• Many have not yet come to understand the business value that well-implemented cybersecurity platforms provide.

• Some expect IT security and cyber awareness teams to simply solve cybersecurity issues — but they can't visualize how solutions will affect business success.

• Cybersecurity continues to be seen as a cost to businesses.

Is Cybersecurity An Unsolvable Problem?

IT security teams have become too disconnected from their business while focusing their attention on immediate security threats. They have become reactive to every cyber threat and incident, while simultaneously attempting to demonstrate value by measuring the success of their technology — a metric that has little correlation with business success and therefore fails to make an impression on the executive board or on employees.

This places CISOs in a difficult situation: Find a way to prove business value to the executive board and business peers or fail to get the much-needed funds that will ensure the organization will survive cyberattacks.

Stop Talking Cybersecurity

CISOs are suffering, and we need them to be successful. We have an image crisis that is only getting worse, and we need to rebrand ourselves as an enabler of the business and an innovator of technology. For a CISO to succeed, we must change our path, and this means rethinking our approach to cybersecurity.

CISOs must invest time listening to their executive board and business peers to learn how they measure their organization's success. Our role within cybersecurity is not simply to put technology in place for the sake of security, but to put technology in place that contributes to business success — while ensuring cyber risks are either reduced or eliminated.

All of this said, what key skills make a CISO successful when it comes to business achievement? Start with these four tips.

1. Think Business First

The CISO must become the bridge between the business and the IT security team, ensuring that each and every security decision is made business-first. How does implementing a security strategy help your business, the executive team, your business peers and your employees succeed in their tasks and goals? In the past, security was typically enforced on the business, creating a negative experience and slowing down employees trying to achieve their goals.

2. Drive A Positive Experience

Historically, security may have been a negative experience for your employees. No employee has ever said they enjoy their antivirus software or that it accelerates their efficiency. They don't even notice the firewall that protects them. Their past experience with security has been full of friction; it slows down their laptops and prevents them from doing their tasks. A good CISO will frame the security strategy as a positive experience for the business. Security must be either invisible or frictionless to the employees' work.

3. Make Security Corporate Culture

Yes, the CISO needs to make security a fundamental part of the business, and employees must never be afraid to speak out when they see something suspicious. Promote a culture where employees are never afraid to ask for advice or report suspicious activity, even if it was the result of something they clicked on. The earlier an employee reports something, the lower its potential impact and cost to the business; a phishing link reported within minutes can be contained before credentials are used, while one reported days later may already have become a breach.

4. Be A Strong Listener

While they must have sufficient technical knowledge, a good CISO must also be a strong communicator. When they speak with the IT security manager and then translate the security needs to the business, they must know when not to talk about cybersecurity and when to focus instead on business risks, how to reduce them and how to optimize return on investment. A good CISO must also listen to business peers about their goals and align the security plan with those needs. Security must be seen as a service to the business.

Reframing Cybersecurity For The Better

The CISO must make a positive impact on the business and, at the same time, empower employees to be a strong, frontline security perimeter. In the end, solely focusing on cybersecurity just won't do the trick. We must set our focus on a business-first approach and use our cybersecurity skills to reduce business risk. Otherwise, cybersecurity will continue to be seen as a cost instead of a value-add.
