Information Security has been in the spotlight over the last few years, but 2020 has been a year in which, as a result of the COVID-19 crisis, security practices have become part of many conversations at all levels. This is good in and of itself, as it creates awareness. On the other hand, all this buzz creates noise and confusion. Leading Information Security entails new or additional challenges, which are magnified by the presence that Information Security now has on the Board of Directors’ agendas.
Challenges evolve over time, particularly in such a changing scenario as we are in, but here are some thoughts I would throw on the table:
Maintaining a holistic approach, keeping the full picture of the Information Security risks to the business, is crucial. However, day-to-day discussions tend to draw attention to very discrete topics (perhaps simply because they are the ones that a certain technical team or a Management audience understands better), running the risk of diverting resources from the topics that are of most concern to the business.
Risk-based decision-making: especially when discussions become technical or technology-centred, strong leadership should ensure that decision-making is always practical and risk-based.
Trending topics like OT Security, IoT, Digital Transformation and Data & Analytics are filling Top Management inboxes with buzzwords. In particular, the heavy use of social media for commercial purposes is pumping all these words into conversations, where they are sometimes used without really knowing what they actually mean or how relevant they are to each specific business.
Digital Transformation and the implementation of technological solutions may push risks outside IT’s control, with no visibility for Information Security or Privacy professionals. This creates the need for proper identification and management of risks and opportunities.

What is the Added Role of the CISO?
There’s a ‘classical’ CISO role, which is of course about leading the Security function in the company, with the ultimate purpose of protecting the business. This is about being close to the business, understanding the risks, making risks understood (which is different), and managing risks so that they are mitigated down to acceptable levels. This is ‘classical’, accepted and not in question.
To this ‘classical’ role of the CISO, however, given the challenges mentioned above, I would add some key points:
Clarifying, explaining, removing all the confusion around Cyber-Security, particularly for Top Management, in order to provide a crystal-clear position on (a) where we stand in terms of risk, (b) what should our priorities be at the moment, (c) what should be the long-term aspiration.
Creating confidence. This is tricky, as you have to demonstrate a good understanding of what is going on, a good grasp of identifying those things (amongst all the noise, haze and confusion) that are actually relevant to the business, and finally accuracy in pointing out what the priorities should be.
Execution. Drawing plans can be the easy part. Plan execution, as in many other business disciplines beyond IT and Information Security, is a challenge that requires experience, common sense and soft skills such as people management, apart from the technical stuff.
Far from being a stable and fixed role, Information Security is constantly evolving, changing and, in many organisations, growing. Leading and managing this evolution in accordance with the context of the organisation is part of the CISO’s role, that is, accompanying Senior Management in shaping the right role for the function in the organisation and its context. Information Security is increasingly as closely related to functions like Human Resources, Corporate or Physical Security, Privacy and Compliance, and many others, as it is to IT.
Information Security is increasingly regarded as a business sustainability lever, and therefore the organisation’s Information Security practices, and how the function is integrated into the governance of the organisation, are receiving more attention.
What does Information Security have to do with business sustainability? The link is clear: all business risks are measured in terms of likelihood and business impact. When it comes to Information Security risks, the likelihood could be questioned, as it is in human nature to think that if nothing has happened so far, it is unlikely to happen tomorrow. As we all know, the trends in successful cyber-attacks are public; you choose either to believe them or not. But with regard to the second variable, business impact, the consequences are unquestionable: interruption of operations as a result of a massive ransomware infection, difficulty in recovering business normality due to the complete chaos after an incident or even technical constraints on recovering systems and data, significant fines from regulatory agencies, leakage of trade secrets, damage to public image and reputation, etc. Who can afford to survive such a crisis? Many businesses cannot.
Therefore, the link between Information Security and business sustainability (also “business resiliency” as part of business sustainability) is clear. And as such, many organisations are starting to consider Information Security a key lever in the Environmental, Social and Governance discipline.
Far from having reached its peak, the Information Security function is being strengthened as an independent, cross-functional function that is required to interact with many business functions, and it gains relevance in protecting the business today and in the long term, being a key lever for its sustainability.