Cybersecurity is an evolving topic of interest. Only a couple of decades back, the title of Chief Information Security Officer (CISO) did not even exist. What cybersecurity was, and what people working in the field actually did, seemed very convoluted. It seemed like some technical back-office function that businesses had, but not everyone fully understood why. Today, though, you hear about cybersecurity constantly.
Today, cybersecurity is a business enabler; it gives companies a competitive advantage. A company that puts security and risk at its core will earn customer trust, ensure business continuity, navigate changing landscapes, and scale for growth. Cybersecurity informs and impacts various aspects of our daily lives in unexpected ways.
“I think there’s some catching up to do, but now, more than ever, cybersecurity is considered a business partner; they have a seat at the table when there are business decisions being made because the risk of not doing so is so high,” said Rinki Sethi, VP and CISO of Bill.com.
Cybersecurity is a core function of the business. Excluding cyber leaders from the decision-making process sets the company up for failure. If the CISO or CIO is siloed from the company’s business objectives, there is no possible way for the business to be fully secured.
In a keynote from STRONGER 2022, a panel of world-renowned CISOs, CIOs, Board members, and CyberSaint's CEO joined to discuss how they're breaking down the barrier between cyber and the rest of the C-suite to enhance security and secure business growth.
Challenges to Cyber and Business Leadership
One of the most prominent challenges leaders encounter is the sheer volume of daily threats facing the business. How can companies contend with that while ensuring business continuity? Alongside increased hacking is an increasingly competitive job market. How do they hire the right talent for cyber and IT roles? And how do they retain this talent? With budgets shrinking, leaders need to find a way to retain talent while keeping their teams motivated. The last challenge is corporate commitment: organizational leaders must band together to lead the company with aligned objectives. Security does not impede business success; it propels business growth and success.
“If you're on an island as a CISO or a CIO and the business isn't behind it, everybody's doing their thing. You're destined for failure,” explained Jerry Layden, CEO of CyberSaint.
Building Partnerships Across the Organization
Cyber leaders must consider several key questions to build connections throughout the organization. What makes cybersecurity so challenging to communicate with business leaders? Why is there a growing amount of security training fatigue?
Research on policy and training fatigue conducted by Summer Fowler, Chief Corporate Responsibility Officer at Argo AI, found that security discussions relied heavily on external factors that could lead to a breach. Phishing, ransomware, and business email compromise are all critical attack vectors to understand, but they are not the only things putting the business at risk. Numerous internal activities within daily operations can be a risk.
Security leaders must strike a balance between raising awareness of external threats and raising awareness of internal threats. Consider whether the business has the correct process for changing account information when paying a third party. Are product developers so stressed about meeting a deadline that they look for a way around cybersecurity, without malicious intent, just to get their work done?
“The first step is to listen to other business leaders about their goals, what they need to achieve, what the challenges are, and specifically, ask them what are some of the technical challenges they have with what is in place,” explained Fowler.
These friction points may be a combination of procedural, policy, and cybersecurity challenges. Addressing these issues will take more than just the security leader or executive leadership. This connection helps the business build a path for other business leaders to achieve their goals and, in turn, builds a team of champions and a team that trusts cyber.
Shared Accountability Between Business and Security
In the past, cybersecurity was considered a siloed technical function that few understood. Now that it is in news headlines and on the minds of many, customers have an expectation of businesses: they entrust the company with sensitive information and expect privacy and security in return.
“That means that as a security practitioner, you gotta be plugged into every single part of the business, and it's not just about managing risk,” explained Sethi. “We want to make sure that our business partners understand the risks, that they're able to manage the risks, own the risk, and that there's a partnership there. There has got to be shared accountability.”
Given the need for shared accountability, how can security professionals introduce it to business leaders? Security is a key business enabler, and CISOs need to show the data proving that security enables business and the advantages of this shared partnership. For example, CISOs can report on a lower frequency of incidents and how that has driven revenue, since they built security in from the start and do not face any downtime.
CISOs must standardize their reporting to the Board of Directors and executive management, covering not just technical details but the value and impact of security on the business. They need to report on how investing in cyber is investing in the business.
The End of the Silo
As the number of threats grows, business and cyber leaders need to come together to align their objectives. Leaders need to ensure that business and cybersecurity plans support and contribute to the resilience and success of the business. This starts with building solid partnerships across the organization and fostering shared accountability within the executive leadership team.
Gain insights on leadership trends and best practices in our keynote session. Contact us to learn more about CyberStrong’s advanced reporting capabilities and how it can scale your risk management program for growth.