[BreachExchange] For a CISO, cybersecurity begins with a business strategy – and everybody’s buy-in

Destry Winant destry at riskbasedsecurity.com
Wed Nov 18 10:53:48 EST 2020


https://www.scmagazine.com/perspectives/for-a-ciso-cybersecurity-begins-with-a-business-strategy-and-everybodys-buy-in/

For cybersecurity leaders across the world, 2020 has been a lightning
rod of security challenges. Widespread public attention to the
COVID-19 pandemic and governmental policy responses have given
phishing and robocall scammers new attack opportunities. Meanwhile,
the rapid shift to remote work and school and acceleration of
ecommerce have forced many cybersecurity leaders to pivot toward
safeguarding our geographically-distributed organizations against a
growing number and type of threats. For many cybersecurity teams,
threat detection and response activities have become the standard
operating model in a resource-constrained organization facing
ever-growing threats.

As businesses look forward to 2021 and employees and consumers adjust
to the new normal, there’s a simple formula for a CISO wanting to break
the cycle of reactivity: Lean into the business. This means building
trust with leadership, getting comfortable communicating in the
boardroom and developing a thorough understanding of the overall
business strategy, its operations and the unique risks faced by
individual business units. Be at the table early with top stakeholders
with a vision, mission and a strategy for security that shows how an
investment in preventative security delivers value. And, be proactive
in managing risks and leading change.

Security touches processes, products, and customers

Simply put, business strategy revolves around making choices.
Businesses need to manage finite resources among competing
opportunities and demands. Choices about geographies, product
categories, customer segments and channels each drive choices about
cybersecurity strategy and programming. For example, the choice to
sell to the U.S. government entails specific security requirements and
regulatory obligations; the choice to leverage unique intellectual
property as a differentiator has its own cybersecurity needs for
protecting that IP. As a proactive partner to the business, a CISO can
map these choices to a security framework with defined goals and
operations focused on prevention and risk management.

CISOs can also ensure that cybersecurity gets built into every facet
of the business ecosystem, including systems, networks, products,
business processes and even people. By taking a security-by-design
approach and working with the stakeholders to proactively build
security in from day one (versus reactively bolting it on or
implementing quick fixes as changes arise), organizations can
capitalize on the benefits of digital transformation and reduce costs,
all while improving their security posture and resilience.

Added benefits to this approach are an improved customer experience
and brand strength. Customers and prospects have multiple interactions
with a company throughout their lifetime, via multiple channels.
Working closely with the relevant marketing and ops leads,
cybersecurity leaders should strive to create an omnichannel customer
experience that’s consistently secure. For every customer touchpoint,
CISOs need to ask several questions: How do we reduce the risk of
fraud or theft for both the company and the customer? For companies
with a public-facing retail or support workforce, what kind of
training will they need to ensure that every interaction a customer
has with the business is secure? Are existing high-friction controls
driving poor compliance or circumvention attempts? What education can
we offer to the customer to improve his or her own cyber hygiene and
reduce the risk?

Security is everybody’s responsibility

Security and risk management requires a team effort and everyone has
to buy in. That’s why I believe in the power of reframing the issue in
a simplified, positive way for both technical and non-technical
employees.

Think of security in terms of personal health choices and routines.
Visit the dentist, update passwords. Get a vision test, check social
media privacy settings. Eat five fruits and vegetables a day, choose a
difficult-to-guess passphrase. Encourage employees to take care of
their “digital selves” like they do for their physical selves.

People might think of “leading through change” as the business
catchphrase of the year for 2020, but it’s been an unprecedented,
eventful year that has challenged all of us to level-up in leadership.
CISOs face a new and growing set of risks for 2021 as offices remain
closed and customers adapt to new ways of working and living. As the
“risk expert” at the table, it’s the CISO’s responsibility to get out
in front of the risks and changes on the horizon. Get familiar with
them, experiment with different approaches and have a plan for when
they arise.

