December 4, 2020

5 strategies for CISOs during a time of rapid business transformation

A survey of business leaders by PwC finds the pandemic is causing rapid changes in the roles CISOs play, and offers five tips for ensuring that security remains stable as we enter a new normal.

cxo.jpg

Image: iStock

A study of business leaders by PwC has found that the role of chief information security officers (CISOs) have grown considerably due to the COVID-19 pandemic, with 40% saying they’re now having to fill both an operational role and the role of a digital transformation leader.

SEE: Return to work: What the new normal will look like post-pandemic (free PDF) (TechRepublic)

One of the major reasons CISOs are being pushed so hard could be because PwC found 40% of businesses have sped up digital transformation efforts due to pandemic shutdowns, with many having already advanced to year two or three of their five-year transformation plans.

All of these changes call for new modes of leadership and a complete transformation of organizational cybersecurity models, PwC argues, and it uses its survey’s findings to provide five moves CISOs should take to be sure cybersecurity keeps up with the evolution of the enterprise.

1. New strategies, and new modes of security leadership, are needed

Ninety-six percent of respondents said they’re adjusting their cybersecurity plans due to COVID-19, and the biggest evolution in security strategies seems to be baking security and privacy into every business decision.

Other security strategies that CISOs said they’re considering are new processes for budgeting, more granular quantification of risks, increasing interactions between CISOs and CEOs/boards, and increasing resilience testing for low-likelihood, but high-impact, events.

SEE: 3 ways criminals use artificial intelligence in cybersecurity attacks (TechRepublic)

As mentioned above, CISOs are being forced to adapt to fill multiple roles due to rapid COVID-19-related changes, and while that puts pressure on CISOs now, PwC said it’s essential for the role to change to fit a new model of security: One of digital trust.

“It’s a critical juncture for cybersecurity and CISOs,” the report said, adding that the current reset of the CISO role “determines whether CISOs may grow to become stewards of digital trust, able to lead their organizations securely into the new era with strategies to protect business value and to create it.”

2. Security budgets need to be rethought in order to be effective

Fifty-five percent of businesses said their cybersecurity budgets will increase in 2021, despite the fact that 64% said they expect revenues to decline in the coming year. 

Budgets may be increasing for half of organizations, but 55% of respondents also believe that security budgets and spending aren’t properly aligned to the areas of most significant risk, and cite a general lack of confidence in the security budgeting process.

SEE: Phishing attack spoofs IRS COVID-19 relief to steal personal data (TechRepublic)

Increasing confidence, PwC said, requires putting a dollar amount on cyber risks. “The economics of cybersecurity has long focused on the cost side (compliance, updating capabilities, and so on). This must change,” the report said.

Costs should instead be considered as part of the overall business budget “in a strategic, risk-aligned, and data-driven way.” Evaluate the costs of security projects, the costs of compliance, the costs of risk reduction, and the value of cybersecurity investments in order to build a prioritized list of what needs to be done first in order to meet business objectives. 

“This kind of rigor and sophistication will be increasingly demanded—especially as the markets and regulators hold CEOs and board members more accountable for cybersecurity and privacy,” the report said.

3. Do everything possible to level the playing field against attackers

Investing in cybersecurity innovation is essential, PwC said. Zero trust architecture, real-time threat intelligence, endpoint solutions, and other tools have all grown in recent years, and getting in on the ground floor with new security products can be the key to closing the gap between rapidly-evolving cyberthreats and security. 

SEE: Cybersecurity Awareness Month: Train employees to be first line of defense (Tech Republic)

The next major evolution in security will be cloud products, the report found, with 76% of respondents saying they’ve already moved their security operations to the cloud. Cloud products, PwC said, are dynamic, nimble, and are secure by design, while in-house legacy systems are static and insecure in their default state. 

“CISOs who transition their organization to the cloud are able to build-in hygiene mechanisms from the beginning—in automated ways. They’re also able to eliminate friction from the system and simplify service delivery to their customers,” the report said.

4. Account for every possible scenario

Resiliency plans need to account for everything, PwC said, from highly likely, low-impact attacks to unlikely but devastating ones. 

The report recommends drawing up a likelihood-impact grid (axes from low to high likelihood, and low to high impact) and using that to allocate your efforts and budget. Don’t ignore lower risk attacks, but plan according to the threats most devastating to your industry and company. 

SEE: Report: Despite more cyberthreats during COVID-19, most businesses are confident about cybersecurity (TechRepublic)

“More than three-quarters of executives in our Global DTI 2021 survey say that ‘assessments and testing, done right, can help them target their cybersecurity investments,'” the report said.

5. Build security teams with the future in mind

Fifty-one percent of respondents said they plan to increase the size of their cybersecurity teams in the next year, to which PwC said it’s essential to hire for 21st-century skills. 

The most sought-after traits that respondents cited were analytics skills, communication skills, critical thinking, and creativity: “Shaping the future of cybersecurity — one that is in step with the business — means hiring the people who are ready to work collaboratively with others to tackle new, as-yet-undiscovered problems and analyze information,” the report said.

Hiring from within by training existing employees should be considered as well, and the report also found that managed security services providers can be a good solution when talent is hard to find as well, with 90% of respondents saying they use or plan to use managed service providers in the future.

Also see

Source Article