[BreachExchange] Changing the mindset of the CISO: From enforcer to enabler
Destry Winant
destry at riskbasedsecurity.com
Tue Feb 25 10:18:11 EST 2020
https://www.helpnetsecurity.com/2020/02/24/ciso-business/
With digital transformation investments expected to reach a staggering
$7.4 trillion before 2023, organizations realize that they must
disrupt their markets or risk being disrupted themselves. However,
with digital transformation comes a multitude of cybersecurity-related
challenges to overcome, and it’s up to the CISO to help businesses
navigate the associated risks.
CISO must aid the business
Security leaders can no longer adopt the role of enforcer, but rather
need to pivot to a new role: the enabler. CISOs today have the
opportunity to help enable the organization to grow by delivering a
digital experience that delights customers while mitigating digital
risk. This requires the CISO to advise the business about when and
where cyber risks could manifest. Security leaders must now be able to
transform their security practices in lockstep with all the other
changes wrought by business-wide digital transformation.
Today’s CISO needs to be able to provide advice to the business to
help it understand the risk landscape so that it can then make
informed decisions about which risks are tolerable and which ones to
avoid at all costs. In addition to providing this counsel, security
leaders must be able to implement the technology to mitigate risks and
protect the business as it continues on the path to digitally
transform.
As part of this change in mindset, security leadership needs to take
into account the impact of friction on the user experience as it can
“break or make” security initiatives. The CISO must now focus on
reducing unnecessary friction where appropriate in support of digital
transformation objectives.
How to reduce security friction
As a rule, security friction increases or decreases proportionally to
the severity of security restrictions put in place. The successful
CISO must collaborate with the business and find a way to balance the
appropriate controls for any given scenario in order to maximize
protection and minimize security friction.
To achieve this balance, the CISO needs to home in on these seven variables:
1. How much is at risk if no controls are in place?
2. How could controls interrupt revenue streams?
3. Could the aggravation of the control cost the company many customers?
4. Must the business stop using or restrict innovative business
processes or technology for the controls to work?
5. Will the level of friction from controls cause a revolt among users
that could hamper implementation or induce unsafe workarounds?
6. How much will controls slow down technology delivery or innovation?
7. Are there any other alternative controls that could offer
significantly less friction without compromising all of the risk
reduction benefits?
By reviewing this checklist, CISOs will be able to advise the business
of the different options available and, most critically, the path
forward to mitigate risk and minimize friction. Security leaders need
to outline the options available that will help reduce risk in the
context of the business operating environment.
The successful CISO in the digital era needs to help the business
understand all the different variables. To achieve this requires a
mindset shift from that of an enforcer to that of a collaborative and
flexible partner. Security teams need to recognize that they now
provide a valuable service to the business in the quest to mitigate
digital risk and minimize security friction.
Here are three examples of ways to achieve this balance in a
digital-first world.
Payment processing
Online and mobile transactions are increasingly becoming the lifeblood
of commerce for every type of organization, and digital transformation
spurs this on further. While fraud protection is essential,
transaction speed is paramount.
Effective security teams are managing that through behavioral
indicators that increase security measures based on risky behavior.
That, paired with compromised credential screening during
authentication, can generally keep friction low for the average
transaction while at the same time mitigating the risk of account
takeover and the associated financial costs and impact on
reputation.
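The approach described above, risk-based step-up combined with compromised credential screening, as an added illustration (not code from the article or from any vendor it mentions). The risk signals, score weights, thresholds, the user profile shape and the local set of breached-password hashes are all constructed assumptions; a production system would consult a real compromised-credential service and tune the weights from its own fraud data.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed stand-in for a compromised-credential feed: SHA-1 digests of
# passwords that appear in public breach dumps. Assumption: a real deployment
# queries an external service (range/k-anonymity style) instead of a local set.
COMPROMISED_SHA1: Set[str] = {
    hashlib.sha1(b"password123").hexdigest().upper(),
    hashlib.sha1(b"letmein").hexdigest().upper(),
}


def is_compromised(password: str) -> bool:
    """Screen a credential the k-anonymity way: only the 5-char hash prefix
    would leave the client; the suffix is matched locally against candidates."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {d[5:] for d in COMPROMISED_SHA1 if d.startswith(prefix)}
    return suffix in candidates


@dataclass
class Transaction:
    user_id: str
    amount: float
    country: str
    device_id: str
    password: str  # presented at authentication time only


@dataclass
class UserProfile:
    known_devices: Set[str]
    home_country: str
    typical_max_amount: float


def risk_score(txn: Transaction, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add up constructed behavioral signals; higher means riskier."""
    score, reasons = 0, []
    if txn.device_id not in profile.known_devices:
        score += 30
        reasons.append("new device")
    if txn.country != profile.home_country:
        score += 25
        reasons.append("unusual country")
    if txn.amount > profile.typical_max_amount:
        score += 20
        reasons.append("amount above typical maximum")
    if is_compromised(txn.password):
        score += 40
        reasons.append("credential appears in breach data")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to friction: most transactions pass with no extra step,
    suspicious ones get step-up (e.g. MFA), clearly risky ones are blocked."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"
    return "allow"


def evaluate(txn: Transaction, profile: UserProfile) -> str:
    score, _ = risk_score(txn, profile)
    return decide(score)


if __name__ == "__main__":
    profile = UserProfile(known_devices={"dev-1"}, home_country="US", typical_max_amount=500.0)
    routine = Transaction("u1", 40.0, "US", "dev-1", "correct-horse-battery-staple")
    risky = Transaction("u1", 900.0, "US", "dev-9", "password123")
    print(evaluate(routine, profile), evaluate(risky, profile))
```

The point of the scoring is that the ordinary transaction (known device, home country, usual amount, clean credential) never sees extra friction, while the step-up or block is reserved for the combinations the article calls risky behavior.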
Software supply chain
Software development teams increasingly depend upon third-party code
and open source libraries to quickly develop software. This underpins
the DevOps and Agile practices that fuel the rapid software delivery
necessary for digital transformation. But third-party code also
accelerates the introduction of new vulnerabilities into enterprise
software.
Rather than banning the use of the transformative practice of leaning
on third-party code, successful security teams are finding ways to
track and manage the use of these tools while making it easier for
developers to source them. Security leaders reduce friction here by
tailoring the controls to the development process rather than making
developers jump through multiple time-consuming security hoops.
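One way to "track and manage" third-party code without extra hoops for developers is a policy check that runs over the lockfile in CI. The following is an added example, not code from the article; the lockfile contents, package names, versions and the approved-inventory policy are all constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample lockfile in pip "requirements.txt" pinned style.
SAMPLE_LOCKFILE = """\
# generated by a lock tool (constructed sample)
requests==2.25.0
urllib3==1.26.5
example-widget==0.1.0
pyyaml==5.4.1
"""

# Constructed internal policy: packages the security team has reviewed and
# the minimum version that review covers. Names and versions are illustrative.
APPROVED_MIN_VERSION: Dict[str, str] = {
    "requests": "2.26.0",
    "urllib3": "1.26.5",
    "pyyaml": "5.4.0",
}


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {package: pinned_version}; refuse unpinned lines so the
    inventory is exact rather than a range."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric comparison for dotted versions (constructed data is all numeric)."""
    return tuple(int(part) for part in v.split("."))


def evaluate(deps: Dict[str, str], policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag packages outside the approved inventory or below the reviewed minimum."""
    findings = []
    for name, version in sorted(deps.items()):
        if name not in policy:
            findings.append((name, version, "not in approved inventory"))
        elif version_key(version) < version_key(policy[name]):
            findings.append((name, version, f"below reviewed minimum {policy[name]}"))
    return findings


def check_lockfile(text: str, policy: Dict[str, str] = APPROVED_MIN_VERSION) -> List[Tuple[str, str, str]]:
    return evaluate(parse_lockfile(text), policy)


if __name__ == "__main__":
    for name, version, reason in check_lockfile(SAMPLE_LOCKFILE):
        print(f"{name}=={version}: {reason}")
```

Because the check reads the same lockfile developers already commit, it adds no separate approval step; the friction appears only on the lines that actually fall outside policy.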
Data sharing
Data sharing through cloud services and API connections between
applications is crucial to digital transformation efforts. So many
innovations today rest on complex digital ecosystems and integrations.
The most impactful frictionless security efforts are those that smooth
ease of access and integration. At the business user level, that means
allowing the use of common platforms such as Box, while increasingly
tying data access policies and visibility into data use to identities
and roles. At the application level, it means designing security
mechanisms and APIs that work seamlessly in an ecosystem and help
facilitate data controls. The security tools must work without
breaking integrations or degrading service levels.
Digital transformation is changing every aspect of how we operate,
including the role of the CISO. The successful CISO in the 2020s and
beyond needs to take a risk-based approach that consistently views
security reasoning through the lens of user experience, business
profitability, and viability.