Why and how to ensure better alignment between cybersecurity and business leaders in your organization.
In 2020 alone, 81% of APAC organizations suffered one or more cyber-attacks. While the repercussions of cybersecurity failure in organizations are, according to the World Economic Forum, becoming a “clear and present danger” and a critical global threat, it’s surprising that we’re still unable to learn from past mistakes.
Even more surprising is that today, many business leaders at the board level believe that cybersecurity is largely a technology area with little or no linkage to the business. As a result, cybersecurity is not given enough importance, and there appears to be a misalignment in communication between CIOs/CISOs and other C-level executives.
In today’s cyber-risk landscape, striving for bare-minimum security is not sufficient, as it can trigger a ripple effect of consequences, as cases such as the US energy pipeline clearly show.
What are the actions stakeholders should take to ensure better alignment between cybersecurity and the business? CybersecAsia posed this question and more to Nilesh Jain, Vice President, Southeast Asia & India, Trend Micro.
With many business leaders at the board level believing that cybersecurity is largely a technology area, how should organizations cultivate a cybersecurity mindset in the boardroom?
Nilesh: Executives and directors are responsible for decisions that drive the business; this includes managing cyber risks and safeguarding business-critical technology assets.
One of the most powerful tools in cultivating a cybersecurity mindset among business executives is to engage in cybersecurity education. This can be driven internally by CISOs or organizations may bring in external parties to provide board-level cybersecurity education. This practice can provide business leaders with deeper insight into how security lapses can impact the business, and more specifically, the areas of the business they look after.
When board members are more educated, they ask tougher questions, dig into issues, and make the leap from cybersecurity to business issues. In fact, a recent study found that 85% of corporate boards are more engaged in cybersecurity than they were two years ago – all from actively pursuing cybersecurity education.
When businesses are pursuing new initiatives, they should include cyber risk as a recurring agenda item for board meetings, making it a requirement for each member to report on the cybersecurity implications of their activities. This helps to hold business executives more accountable to cybersecurity considerations and may even propel them to engage with CISOs and other industry experts more regularly for insights.
What role can CIOs/CISOs play to ensure better alignment with other C-level executives to shape the future of cybersecurity within organizations?
Nilesh: There are multiple steps that CIOs and CISOs can take to foster greater alignment with other C-level executives, including:
- Designing a cybersecurity program that directly supports business operations. Research has found that cybersecurity programs tend to be technically focused with little consideration of business priorities. By consulting with department heads to identify their objectives and technology requirements, CISOs can ensure that cybersecurity programs are aligned to security needs that directly impact the business. For instance, as more organizations embrace cloud-native applications for remote working, CISOs should intently prioritize these areas when crafting and implementing a cybersecurity program. In the long run, CISOs will be able to better communicate with other C-level executives about the role of cybersecurity in the business.
- Actively participating in business planning and strategy discussions. The benefits of this, and generally engaging in frequent discussions with other C-level executives, are twofold – business executives get more cybersecurity exposure; and CISOs and CIOs get more business input to shape cybersecurity programs and objectives.
How could cybersecurity leaders best demonstrate the importance of managing cyber risks to the overall performance of the business?
Nilesh: As cybersecurity and business performance become inexorably linked, it is not only important for business leaders to be more cyber-engaged – cybersecurity leaders must also embrace a business mindset. By assigning cybersecurity personnel to each business unit, security teams can get deeper business insights, while simultaneously helping to drive security decisions at a more granular level. Business executives know little about the ROI of security technologies. By actively involving themselves in various aspects of the business, cybersecurity leaders will be poised to demonstrate the business value of addressing cyber risks.
Grounded on a business mindset, here are two ways in which cybersecurity leaders can elevate the importance of cyber-risks in the boardroom:
- Reframe the way security investments and priorities are discussed in the boardroom. When talking to the board, business executives will be more interested in hearing how security is benefiting the business – not just how CISOs will need more money for security investments. Take the example of investing in the cloud for enhanced security. Instead of shaping the conversation around cost and spending, CISOs can pivot the focus on how the cloud can deliver greater value to the business, beyond security – such as speed, agility, and flexibility, among others. This helps to put security decisions into the wider business context.
- Define metrics for success and use these to show how security decisions are impacting the company. For example, if CISOs present a map of security data that illustrates thousands of attacks experienced by the organization, the board will likely be unimpressed. However, by showing how attacks have significantly reduced with new security tools that provide extended visibility and defence, business executives may be more receptive to the data and better informed about security decisions.
As technology further dominates the business landscape, how would organizations ensure that they are appropriately investing in cybersecurity?
Nilesh: For any organization, it is important for cybersecurity investments to be all-encompassing, from robust monitoring to having the right tools to secure the business. Firstly, organizations should engage a partner to monitor security operations 24/7 and implement red teaming. This helps the organization to stay attuned to threats and trends, allowing them to adjust investments accordingly.
As technology further dominates, CISOs and CIOs may be overwhelmed by the breadth of cybersecurity solutions available and whether new investments need to be made to secure the organization. This is where having the right cybersecurity partner can play a pivotal role. Cybersecurity partners that design and continuously invest in the latest technology to detect and respond to threats will ensure that an organization’s investments are relevant and adequately protected for years to come.