[BreachExchange] How CISOs Can Play a New Role in Defining the Future of Work

Destry Winant destry at riskbasedsecurity.com
Thu Aug 27 10:22:38 EDT 2020


https://www.darkreading.com/how-cisos-can-play-a-new-role-in-defining-the-future-of-work/a/d-id/1338716

Rather than just reacting to security issues in the COVID-19 era,
CISOs are now in a position to be change agents alongside their
C-suite peers.

When the COVID-19 pandemic began, every CISO across every industry
scrambled to get their teams up and running. When we left our physical
office space, we left our traditional security strategy behind with
it. The theme of remote security has stayed top of mind since March:
Cybersecurity experts correctly predicted that cybercrime in a virtual
workforce would be a central topic at the recent Black Hat conference,
and CISOs have had to rethink 2020 strategy with remote work leading
the way.

While the initial remote shift opened the floodgates for many
challenges, it also opened pathways to longer-term strategic
opportunities for CISOs. Rather than behaving as "reactors" to
security issues and taking a back seat in leadership compared with
their C-suite peers, CISOs are now in a position to be change agents.
During these unprecedented times, they must pave the way toward
securely enabling the future of work and digital experiences and
thinking through every potential future threat scenario.

CISOs have been waiting to prove their worth — and now is the perfect
time to do so. Here are four ways they can successfully lead with
change and act as more strategic C-level partners.

Carve Out More Time with C-Suite Stakeholders
CISOs and CSOs typically come from a technology background, like me —
they usually have a computer science, engineering, or security degree,
where there is little emphasis on topics like leading organizational
change. The COVID-19 pandemic has introduced roadblocks nobody has
ever encountered before, and the CISO has had to weigh in regularly on
the security side as broader organizational decisions are discussed.
The past few months have challenged CISOs with every type of
experience and background to join in the executive ranks and
collaborate more with C-suite decision-makers.

For me, this has meant carving out time for more frequent meetings
with executives I'd typically only meet with on strategy every couple
of weeks. I'm spending more time with my engineering and IT leaders to
securely enable our workforce, and I'm also spending more time with
our CEO to discuss cyber-risks as they evolve with COVID-19 —
specifically, what that means not just for ourselves but also our
customers. When I first started a few months ago, I met with him every
day for one hour to talk to him about what we should be prioritizing
on the security front. Our time was spent discussing the immediate
needs and actions that we needed to take as a company, but
importantly, we spent a great deal of our time dedicated to looking at
how we can leverage our shared experiences to better protect and
enable our customers in an ever-increasing threat environment.

Shift Focus from Your Team to the Company as a Whole
While a CISO's day-to-day role before the pandemic might have been
centered primarily on initiatives tied to his or her own team, now,
every CISO has to broaden that focus and get involved in every team across the
organization. A CISO's vision is always to create a culture of
security across the organization, and over the past few months,
working with customer-facing and other critical frontline teams on
specific security measures has surfaced as an undeniably critical
priority.

Depending on the size and nature of your company, this might mean
taking time to learn about new roles and getting more deeply ingrained
in other teams' responsibilities to understand how CISOs can play a
bigger part. I myself am spending time working with a number of teams
outside of security from customer service to sales and the field to
support how we deliver services for a remote work world. As this
environment continues to change and remote work becomes permanent,
collective action and cross-collaboration must happen to instill
security across the entire organization.

Balance Remote Work Vulnerabilities with Transformational Change
The hardest challenge for many CISOs right now is balancing the influx
of remote work threats with the need to focus on long-term strategic
goals. With remote workers using more tools, apps, and technologies
than ever before, we've had to ensure security remains at the
forefront and that our employees take time to slow down and consider
the security implications of every new technology deployed. At the
same time, CISOs need to stay one step ahead and consider how they can
play a leading role in changing frontline technology services that
facilitate improvements for both workers and customers.

No matter how many urgent remote work vulnerabilities arise, CISOs
must maintain a focus on what comes next. I'm juggling new inbound and
quick-turn needs that arise every day but also collaborating with the
executive team on our plan for dynamic work and how we'll design, run,
and secure our offices of the future. There has never been a better —
or more crucial — time for security leaders to have a seat at the
decision-making table.

Look to Hire Globally and Expand the Team
CISOs can also make a more strategic impact when it comes to
intentional hiring during this time. As we start to break down
preconceptions about the effectiveness of working remotely, we'll
start to see a movement toward hiring in any location and seeking out
candidates with a much broader, more diverse set of experiences and
skill sets.

According to the Cybersecurity Workforce Gap report, by 2022, the
global cybersecurity workforce shortage is projected to reach more
than 1.8 million unfilled positions. By pushing their organizations to
consider a new global, remote pool of talent, CISOs can confront this
security skills and talent shortage while further closing the
diversity gap in the cybersecurity industry overall.

While CISOs faced many barriers to overcome in early March during the
shift to fully remote work, they've also encountered many
opportunities to more strategically collaborate and think about
long-term security success. I like to visualize the notion of keeping
a hand in strategy with a foot firmly planted on the ground. For me,
this means I'm heavily engaged in a dialog with my executive team and
leading from the top while also remaining deeply connected with what
is happening day in and day out with my own team. Getting that balance
right is one of the biggest challenges security leaders face as we
deal with the implications of COVID-19. CISOs have a new opportunity
to lead with change — not chase it — and fundamentally shift the way
in which companies secure their operations and deliver fully digital
experiences.

