To keep up with more rapidly changing business models, the speed of enterprise digital transformation and automation today, security leadership needs to, more than ever, ensure there is a tight coupling between security teams and business leadership.
Consider how rapidly enterprises are embracing IoT, data driven analysis, public and private clouds, virtualization of network services, and many other emerging technologies. All of this taken together is changing enterprise risk postures more than at any other time in IT. And it has changed the roles of the CSO in many enterprises from that of a technical position to that of managing the risk technology brings throughout the organization. It’s less about developing the technical aspects of the security program, and more about educating the board, senior leadership, and lines of business managers about the risks of new technology.
Interestingly, today, many enterprises believe that they have a solid cybersecurity plan, in fact according to the IBM Institute for Business Value survey of over 700 executives across 18 different industries in 28 different countries: Securing the C-Suite: Cybersecurity perspectives from the boardroom and C-suite, c-level execs are overconfident in the state of their security programs. According to those surveyed, 65 percent of c-level executives reported that their cybersecurity plans are “well established.” But when that number was delved into more deeply, it turned out only 17 percent of those surveyed could meet such a standard. According to the authors of the study, that includes being able to understand the nature cybersecurity risks, the ability to collaborate, educate, and enable a governance program, and also be able to manage risk with vigilance and speed.
And no matter how tempting it may be, there’s no way simply throwing technology at the various challenges will help. Never by itself. CSOs need to roll up their sleeves and engage with business leaders to understand the technology that is being deployed, the data it will be using, and determine the risks involved — and then educate the executives about how such technologies change risk and provide the best options for mitigating that risk.
An example of this is a topic we have been writing about considerably lately, and that’s the impact of the software-defined data center and the virtualization of network functions. The software-defined and highly-virtualized data center change considerably how networks are deployed, managed, and secured, which we covered in some depth here and here. But they also help improve many aspects of securing the data center, such as providing more centralized control and view of the environment. The CSO today needs to look at the totality of these conditions, understand how it applies to their industry and specific organization, and advise accordingly.
This needs to be done in more ways at once than I ever recall – DevOps and continuous integration deployment efforts, new deployment methodologies, increasing shadow IT, new cloud deployments, software defined data centers, IoT, big data efforts, and the list goes on.
This means CSOs also need something that they never had before and that’s a comprehensive view of risk across their organization. They need to know where business-critical data is stored, how it’s access and managed, and how to mitigate risks to that data.
While the CSO’s job is increasingly becoming less technical, it’s never been more important and there’s never been a greater opportunity to have more influence. While the CSO has the ear of the board and top executives it’s possible to help make great things happen for the business while also gaining the resources and backing necessary to make it happen in a way that reasonably manages threats. This is best achieved when all aspects of the business trust the CSO as a competent advisor on technology and risk.
Such skills have never been more important for enterprises as they face considerable technical, market, competitive, threat action, and regulatory compliance risk. But to stay on top, CSOs will have to continuously be on the lookout for disruptive risks, and review new technologies and the environment on a continuous basis. If not, then disruptive technology may end up disrupting the enterprise in entirely avoidable and foreseeable yet excruciatingly painful ways.
In fact, with 80 percent of executives believing that there is a less than 50 percent change of a significant breach occurring in the next few years (from the survey above), CSOs will need to do a lot more communicating on the nature of risk.