Free Cyber Risk Analysis: Your Top Cyber Risks in 3 Clicks

Get Started
Request Demo

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As we’ve written about before, information leaders have previously been seen as gatekeepers and defenders of the organization in the digital world. These leaders and their teams represented the select few who understood the workings of the technologies that empowered the entire organization, and oftentimes, the rest of the enterprise would defer to them. While this model was sufficient in the era of selective technology adoption, it now positions information security leaders as bottlenecks to company growth and innovation.

Information and information security leaders are uniquely positioned to lead organizations through digital transformation and optimization initiatives, it is the time that follows that these leaders must be prepared for. The changes that fundamentally alter the processes and practices that define an organization, also alter the dynamic of the executive team. Specifically, in a digitized business, IT risk is now decentralized as IT doesn’t own much of the technology a post-transformation organization is adopting.

A digital CISO is defined by the shift from a peripheral technical leader to an integral business leader that secures an increasing percentage of enterprise data. Gartner outlines six principles that digital CISO must use to inform their strategy and practices following a digital transformation or optimization:

  • Risk-based thinking over checkbox compliance
  • Supporting business outcomes instead of protecting infrastructure
  • Facilitating not defending
  • Determining the flow of information, not controlling it
  • People-centric, not technology
  • Detecting and responding, not chasing perfect protection

CISOs Need to Promote Risk-based Thinking

The driving force between risk-based and check-box thinking is the source of who prioritizes the risks in your organization. For checkbox compliance, that would be the regulatory body that issues the compliance requirements, but their concern is not the integrity of your organization’s cybersecurity program - their interest is the integrity of their supply chain or the posture of an entire industry. While your organization’s cybersecurity posture plays a role in that, it is not a priority.

A risk-based approach prioritizes your organization in developing a cybersecurity program. Risk-based thinking aligns itself with the enterprise's strategies rather than another party's interests. This methodology is based not on the risk perceived by IT, rather, on weighing the risks against business outcomes. Following digitization, the paradigm shift necessary for a CISO is looking at risk not as high/low but rather as good/bad. Risk-based thinking looks at IT risk like other business units assess risk: is the potential payoff worth the risk, and are we willing to accept it?

Supporting Cyber-focused Business Outcomes

Given that a digitization initiative moves IT teams from an enabling position to a critical aspect of business operations, information security leaders must be prepared to communicate the effectiveness of their program in the same fashion as any other business unit. For cybersecurity teams, they must be assessing their program based on the impact of what happens to the organization if….

Further, information security teams must be prepared to change their tactics for securing the organization given the decentralized nature of technology in a digital business. Of the seats at the executive table, information leaders must look to the CMO, CFO, HR leader, and board of directors to ensure buy-in and convey relevant outcomes.


The interaction between marketing and information teams is becoming more and more ubiquitous - marketing teams rely on increasing amounts of customer data to attract, retain and convert more customers and information teams have that information. For information security teams specifically, you must be prepared to discuss the outcomes with non-compliance of such regulations as GDPR, the risk of storing sensitive customer data and the benefits of having that data.


Information security and finance teams have co-evolved for longer than marketing and infosec teams. Given the sensitive nature of the financial data collected from customers, information security teams have had to focus on finance teams from a security standpoint. This relationship has the potential to expand further: with information teams using AI tools to identify opportunities for cost reduction and suggestions for talent recruitment in an increasingly digitized financial world.

While the relationship between security and finance teams goes further back than others, the relationship can be contentious - finance teams are remarkably risk-averse and successful information leaders must be prepared to meet finance leaders in the middle.

Human Resources

As people leaders, human resources leaders are increasingly overwhelmed by the organization’s demand for more technical talent. Look to the job boards and see that the talent pool for any position demands more and more digital literacy. Information and information security leaders are powerful resources for this new recruitment effort as their primary objective is to stay at the forefront of new technologies and risks.

Board of Directors

Previously, the relationship with information security leaders and the Board was built around the question of “What happened?” following a breach. Today, though, that reactionary relationship is not sufficient. Boards are taking a proactive approach in the cybersecurity posture of their organizations and information security leaders are the face of that effort. In a digitized organization, information security leaders must convey the risks associated with the strategy outlined by the CEO and the Board. Information security leaders must be able to communicate the risk landscape and articulate their strategy to mitigate the risks facing the organization.

CISOs Must Facilitate Conversations

As seen with the changing relationship with the Board, information security leaders are shifting from static defenders of the organization to canaries in the coal mine - security leaders are the most aware of risks associated with a given technology and strategy. Their role is no longer to be a barrier against the rest of the organization but facilitating dialogue and awareness across the enterprise about the risks facing the enterprise. In this case, fragmentation and silos must fall away and a flexible, integrated organization must rise.

Determinine the Flow of Cyber Risk Data

With the change from an island to ecosystem model, most organizations rely on a host of vendors and members of their supply chain. There is more information flowing through an organization than ever before and information security leaders simply cannot be the bottleneck for controlling all of it. Instead, a digitized CISO must be able to assess the flow of information and ensure that the ecosystem stays secure.

A People-Centric CISO

Returning to the decentralized nature of technology within a digitized organization, CISO’s and information security teams must focus on empowering the entire organization to be risk-aware and take the necessary steps (first, they must know the necessary steps). In a post-digitized organization, CISO’s are responsible for securing the entire organization and where technology is ubiquitous, they must realize that securing the organization is based around people, not the technology that they use.

Detect And Respond

In a risk-based organization, there is no such thing as perfect protection. To completely secure an organization is to make it static, to make it static is to stop growth, and to stop growth is the end. Information security leaders must recognize that rather than being gatekeepers, we are now living in a world that accepts data breaches as a regular occurrence. For CISO’s they must invest in a detect and respond program over static controls that limit flexibility.

A Digitized CISO

The priorities of a CISO have not changed, rather, the priorities and approaches have. As information and information security have moved more and more into the spotlight, CISO’s must be prepared to manage their programs in a post-digital world. This means embracing the risk-based practices of integrated risk management, seeking out solutions that empower flexible processes, and establishing relationships with other necessary business units to keep the enterprise secure. As technology becomes ingrained in an organization, it is people and process that will define a successful information security program.

You may also like

How to Create a Cyber Risk ...
on June 10, 2024

In today's fast-paced digital landscape, conducting a cyber risk assessment is crucial for organizations to safeguard their assets and maintain a robust security posture. A cyber ...

Critical Capabilities of ...
on June 4, 2024

Continuous Control Monitoring (CCM) is a critical component in today's cybersecurity landscape, providing organizations with the means to enhance their security posture and ...

on May 29, 2024

Artificial intelligence (AI) is revolutionizing numerous sectors, but its integration into cybersecurity is particularly transformative. AI enhances threat detection, automates ...

Critical Capabilities of Cyber ...
on May 20, 2024

In today's digital landscape, robust cybersecurity risk assessment tools are crucial for effectively identifying and mitigating cyber threats. These tools serve as the first line ...

A Practical Approach to FAIR Cyber ...
on May 10, 2024

In the ever-evolving world of cybersecurity, managing risk is no longer about simply setting up firewalls and antivirus software. As cyber threats become more sophisticated, ...

Unveiling the Best Cyber Security ...
on April 24, 2024

Considering the rollout of regulations like the SEC Cybersecurity Rule and updates to the NIST Cybersecurity Framework; governance and Board communication are rightfully ...