COMMENTARY
Although cybersecurity is the core of their role, chief information security officers (CISOs) must also be business leaders. They support business objectives and goals by providing the most secure environment for their company, making security a part of every process and not just an afterthought. As more and more prospective and existing customers are asking for documentation related to internal security practices, CISOs’ efforts are either contributing to or hurting business goals.
However, limited cybersecurity understanding across a business can limit how effectively a CISO can secure the organization, requiring a deliberate approach to get other business leaders on board with a plan that aligns security with business goals. To overcome this hurdle and create value for their organization, CISOs must stay focused on growth and innovation while ensuring cybersecurity initiatives benefit the business.
Keeping Pace With the Threat Landscape vs. Benefiting the Business
CISOs must adapt to a changing attack landscape as threats continue to evolve. For example, as we’re seeing across US critical infrastructure, nation-state groups are spending more time lying dormant with deep access on the network and conducting reconnaissance rather than “going in loud,” such as encrypting files or sending ransom messages immediately after gaining access to a company’s network. CISOs must ensure threat hunting procedures are thorough and account for both active and dormant activity. In addition, the advancement of AI will likely make attacks harder to detect, as threat actors leverage autonomous tools with targeted exploit and payload capabilities to facilitate more successful attacks.
An agile approach to security means leaning into processes that allow for swift response and organizational alignment while integrating security measures with minimal to no impact on operations. To get there, CISOs must determine the essentials required to maintain and bolster cybersecurity — such as monitoring tools and better cyber-hygiene practices — while ensuring their protective benefit outweighs any negative impact on the business.
CISOs Can’t Do Security Alone — They’re Part of the Innovation Core and Need C-suite Buy-in
We all know that cybersecurity is a team effort. To paraphrase General Stanley McChrystal, it takes a network of defenders to defeat a network of attackers. The “good guys” must always come out on top; however, that can happen only when there’s organizational synergy and a shared vision. Staying ahead of future risks means achieving an agile cybersecurity infrastructure and defense. However, that can’t happen without buy-in from the entire organization — from the C-suite and board, all the way down the chain of command.
Shared knowledge across the business is essential. Recent research found that executive and board-level involvement in cyber-risk governance is lowest in the US, compared to the global average (51% of companies surveyed versus 59%, respectively). Considering how threats will worsen in the years to come, everyone involved in the business must understand the importance of cybersecurity.
For CISOs, developing a successful approach means collectively identifying the “what” and “why” of business objectives through regular meetings with the C-suite and board. CISOs must also explain the “what” and “why” of cybersecurity projects, processes, and procedures. This helps develop better security and defense priorities that align with goals for the business and individual departments.
Making innovation part of the CISO approach can help redefine the organization’s culture, instilling the notion that cyber-risk is a business risk. Everything from downtime to financial losses to stolen IP is a considerable risk without the proper security measures. CISOs must foster a culture of innovation to effectively contribute to organizational goals.
How CISOs Should Design an Approach Unique to the Business
At its core, the approach should consider business objectives first, then lay the groundwork for cybersecurity objectives. It is crucial that this work happens before a cyber incident occurs. A successful approach ensures that everyone across the organization understands the security efforts under way, the protocols to follow when an incident occurs, and how decision-making is designed with the overall business in mind. It will also outline all procedures in one place to verify proper coverage in all areas, including designating specific roles and responsibilities ahead of a threat.
Having insight into and securing the attack surface is essential. Since you can’t protect what you can’t see, understanding the attack landscape improves awareness and helps ensure responders can patch and mitigate without disrupting operations. To be truly effective, modern tools and procedures must emphasize speed, which requires a shift from legacy systems toward consolidated platforms. For example, network detection and response (NDR) is foundational, as it tracks activity across the network and catches threats that perimeter controls may miss. Network detection capabilities also help surface anomalous behaviors stemming from lapses in employees’ cyber hygiene that could unintentionally create an insider threat.
Next is compliance. Compliance alone doesn’t keep threat actors out; the goal is to move beyond compliance to commitment. The approach should incorporate all security processes through frameworks like the NIST Cybersecurity Framework (CSF) or, for organizations working with the US government, FedRAMP. Additionally, mapping new and evolving requirements can help identify tools that allow for further development.
Finally, CISOs are finding red teaming and attack simulations increasingly valuable. Simulation plans help give the executive team an idea of what dealing with a cyber-related situation looks like and how long investigations take, while also providing the mechanism to exercise incident response and other pertinent plans. When designed and developed based on organizational goals, simulations also help clarify roles and responsibilities, chains of decision-making, and lines of communication.
Building a Culture Where Growth and Security Coexist
CISOs are a crucial part of the overall success of the business; while they have the ability to be enablers, they are most effective when integrated into business decisions. If you’re not integrated, you’re likely not as secure or effective as you need to be.
Aligning cybersecurity objectives with business goals makes a successful CISO, and spreading this mindset across business leadership creates a culture of commitment within the organization that greatly contributes to achieving business goals.