Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As we’ve written about before, information leaders (especially information security leaders) have previously been seen as gatekeepers and defenders of the organization in the digital world. These leaders and their teams represented the select few who understood the workings of the technologies that empowered the entire organization, and oftentimes the rest of the enterprise would defer to them. While this model was sufficient in the era of selective technology adoption, it now positions information security leaders as bottlenecks to company growth and innovation.
Information and information security leaders are uniquely positioned to lead organizations through digital transformation and optimization initiatives; it is the time that follows that these leaders must be prepared for. The changes that fundamentally alter the processes and practices that define an organization also alter the dynamic of the executive team. Specifically, in a digitized business, IT risk is now decentralized, as IT doesn’t own much of the technology being adopted by a post-transformation organization.
A digital CISO is defined by the shift from a peripheral technical leader to an integral business leader who secures an increasing percentage of enterprise data. Gartner outlines six principles that a digital CISO must use to inform their strategy and practices following a digital transformation or optimization:
- Risk-based thinking over checkbox compliance
- Supporting business outcomes instead of protecting infrastructure
- Facilitating not defending
- Determining the flow of information, not controlling it
- People-centric, not technology
- Detecting and responding, not chasing perfect protection
Shifting to risk-based thinking
The driving difference between risk-based and checkbox thinking is who prioritizes the risks in your organization. For checkbox compliance, that would be the regulatory body that issues the compliance requirements, but their concern is not the integrity of your organization’s cybersecurity program; their interest is the integrity of their supply chain or the posture of an entire industry. While your organization’s cybersecurity posture plays a role in that, it is not a priority.
A risk-based approach prioritizes your organization in developing a cybersecurity program. Risk-based thinking aligns itself with the strategies of the enterprise rather than the interests of another party. This methodology is based not on the risk perceived by IT but on weighing the risks against business outcomes. The paradigm shift necessary for a CISO following digitization is looking at risk not as high/low but rather good/bad. Risk-based thinking looks at IT risk in the same way that other business units assess risk: is the potential payoff worth the risk, and are we willing to accept it?
Supporting Business Outcomes
Given that a digitization initiative moves IT teams from an enabling position to a critical aspect of business operations, information security leaders must be prepared to communicate the effectiveness of their program in the same fashion as any other business unit. Cybersecurity teams must assess their program based on the impact of what happens to the organization if….
Further, information security teams must be prepared to change their tactics for securing the organization given the decentralized nature of technology in a digital business. Of the seats at the executive table, information leaders must look to the CMO, CFO, HR leader, and board of directors to ensure buy-in and convey relevant outcomes.
The interaction between marketing and information teams is becoming more and more ubiquitous: marketing teams rely on increasing amounts of customer data to attract, retain and convert more customers, and information teams have that information. Information security teams specifically must be prepared to discuss the outcomes of non-compliance with regulations such as GDPR, the risk of storing sensitive customer data, and the benefits of having that data.
Information security and finance teams have co-evolved for longer than marketing and infosec teams. Given the sensitive nature of the financial data collected from customers, information security teams have had to focus on finance teams from a security standpoint. This relationship has the potential to expand further, with information teams using AI tools to identify opportunities for cost reduction and suggestions for talent recruitment in an increasingly digitized financial world.
While the relationship between security and finance teams goes further back than others, the relationship can be contentious - finance teams are remarkably risk-averse and successful information leaders must be prepared to meet finance leaders in the middle.
As people leaders, human resources leaders are increasingly overwhelmed by the organization’s demand for more technical talent. Look to the job boards and see that the talent pool for any position demands more and more digital literacy. Information and information security leaders are powerful resources for this new recruitment effort as their primary objective is to stay at the forefront of new technologies and risks.
Board of Directors
Previously, the relationship between information security leaders and the Board was built around the question of “What happened?” following a breach. Today, though, that reactive relationship is not sufficient. Boards are taking a proactive approach to the cybersecurity posture of their organizations, and information security leaders are the face of that effort. In a digitized organization, information security leaders must convey the risks associated with the strategy outlined by the CEO and the Board. Information security leaders must be able to communicate the risk landscape and articulate their strategy to mitigate the risks facing the organization.
Facilitating, not defending
As seen with the changing relationship with the Board, information security leaders are shifting from static defenders of the organization to canaries in the coal mine: security leaders are the most aware of the risks associated with a given technology and strategy. Their role is no longer to be a barrier against the rest of the organization but to facilitate dialogue and awareness across the enterprise about the risks it faces. In this case, fragmentation and silos must fall away and a flexible, integrated organization must rise.
Determining The Flow Of Information
With the change from an island model to an ecosystem model, most organizations rely on a host of vendors and members of their supply chain. There is more information flowing through an organization than ever before, and information security leaders simply cannot be the bottleneck for controlling all of it. Instead, a digitized CISO must be able to assess the flow of information and ensure that the ecosystem stays secure.
Returning to the decentralized nature of technology within a digitized organization, CISOs and information security teams must focus on empowering the entire organization to be risk-aware and take the necessary steps (first, they must know the necessary steps). In a post-digitized organization, CISOs are responsible for securing the entire organization, and where technology is ubiquitous, they must realize that securing the organization is based around people, not the technology that they use.
Detect And Respond
In a risk-based organization, there is no such thing as perfect protection. To completely secure an organization is to make it static, to make it static is to stop growth, and to stop growth is the end. Information security leaders must recognize that rather than being gatekeepers, we are now living in a world that accepts data breaches as a regular occurrence. CISOs must invest in a detect-and-respond program over static controls that limit flexibility.
The priorities of a CISO have not changed; rather, the priorities and approaches have. As information and information security have moved more and more into the spotlight, CISOs must be prepared to manage their programs in a post-digital world. This means embracing the risk-based practices of integrated risk management, seeking out solutions that empower flexible processes, and establishing relationships with other necessary business units to keep the enterprise secure. As technology becomes ingrained in an organization, it is people and process that will define a successful information security program.