As businesses embark on a digital transformation journey, there is a long list of considerations that need to be considered. From employee communications to systems integration, executive teams need to work to ensure they’re assessing the situation from every angle. This must include understanding where cyber risks lie and how they can be mitigated.
Cyber security is an area that is all too often overlooked in the transformation process. Yet, it’s arguably more important now than ever, as new working practices implemented during the COVID-19 pandemic have increased businesses’ exposure to more and increasingly sophisticated cyber attacks. Indeed, the EY Global Information Security Survey 2021 (GISS) found that 77% of cyber security leaders surveyed had witnessed an increase in the number of disruptive attacks over the past year.
These threats are exacerbated by the fact there is often a disconnect between the chief information security officer (CISO) and other members of the C-suite – a situation that seems to be getting worse, not better. In 2021, just 19% of cyber security professionals surveyed felt that they were consulted in the planning stages of new business initiatives, down from 36% in 2020. For leaders to implement technological transformation successfully without exposing their businesses to additional cyber risks, a more collaborative partnership with other parts of the business must be established.
How to empower your chief information security officer (CISO)
Security as a story
Poor communication between the CISO and business unit heads is a major barrier to safe and successful business transformation. To properly educate people within the organisation about the realities of a cyber attack, the CISO must move beyond data, buzzwords and technical jargon and tell a story that brings the threat to life for those without subject-matter insight. If the CISO can intelligibly and clearly articulate the threats and the steps necessary to mitigate them, they are much more likely to capture executives’ attention and help ensure that all key stakeholders understand the trade-offs between new technology and added risk. If they’re able to adapt their language to specific individuals and business functions, they’ll have even greater success. For instance, a chief marketing officer is most likely interested in the risks to customer data, while chief financial officers will want to better understand how to secure banking information.
As Darren Kane, chief security officer at NBN Co in Australia, who took part in a qualitative interview for this year’s GISS, said: “CISOs still have more work to do in breaking down the communication barriers by talking in less technical language for boards to better understand potential business risks.”
The way CISOs position their teams with respect to relationship building is also important. CISOs need to help ensure their people have greater exposure to other functions. As Kane put it: “Cyber folks have had a reputation for occupying basement levels of an office building, but with cyber risk now one of the top operational risks of any enterprise, cyber teams should be out more and getting greater exposure to other parts of the business.”
As part of their efforts to build stronger networks within their organisations, CISOs should also work to ensure that whomever they report to – typically a chief risk or IT officer – is properly equipped to act as their representative to senior decision-makers. Doing so will help ensure that the business’s cyber security issues are being raised from more than one source and that a common language is being used to reinforce a consistent narrative.
Finally, educating executive teams is crucial. Tech transformation is a priority for many CEOs, but they often fail to acknowledge that the pursuit of this inevitably increases the chance of a security breach. In their enthusiasm to enact change, they may unintentionally expose their business to unnecessary levels of risk, which could potentially threaten the entire transformation effort. CISOs should therefore proactively engage with CEOs to raise their awareness of the associated risks and, most importantly, offer guidance on how to address them. In doing so, CISOs can help business leaders better weigh the risks and benefits of transformation decisions.
It is clear that cyber security is central to an organisation’s efforts to transform and deliver long-term value. To help ensure that transformation is progressed safely, CISOs need to take a more active role in helping leadership teams recognise their integral place in the transformation journey.
