In my last blog I talked about some of the impacts cyber security can have on an organisation, the emerging trends we are seeing at a board level and the lack of visibility today’s CISO’s are suffering from.
The CISO’s lack of visibility as described in my previous blog certainly helps to explain some of the interesting security investment trending we are seeing at present. Investments in solutions that can ‘solve’ the cyber challenge have been making waves recently. However, as we all know, no single solution can solve this challenge; it will always take a combination of people, process and technology to combat cyber threats. Emerging positive trends include buying preferences that enable more holistic analytics-driven threat monitoring to get a better handle on cross-domain security visibility. At the same time, incident response outsourcing provides scalable and rapid ‘surge capabilities’ to tackle the critical global shortage in cyber security resources (while handling cyber incidents when the worst happens).
But there are more cyber security issues that demand attention at the board level. While most organisations acknowledge that cyber security is no longer an IT issue, but a business problem, there is still confusion as to who is ultimately responsible for cyber security. Some believe the buck stops with the CFO, while others think cyber issues should be answered directly by the CEO. This lack of clarity muddies the water when seeking to make proactive plans for better cyber security.
Something we have come to learn is that, while cyber security is getting focus at the right levels now, the much discussed ‘gap’ between the board members and the information security leaders still exists. However, today we are seeing some interesting new approaches and great examples of CIOs and CISOs seizing the initiative once more to communicate with the board and inform them of both the cyber challenge and opportunity in front of them.
A key shift is the evolution of the CISO role, traditionally filled by individuals with a strong background in IT and security. Now a new breed of CISOs is emerging – influencers who come directly from business backgrounds – enabling enhanced business communication and relevancy across board members.
Also, new engagement styles are allowing the functions to connect more effectively than ever before. While the CISO still need to conduct the traditional security planning activities, such as security control gap analysis, threat and vulnerability analysis, audit and risk management, some CISOs are linking their most critical security initiatives to wider company business programs and projects – particularly if these help to promote product or company market differentiation. Other proactive initiatives are encouraging board members to cascade security goals to business leaders to encourage cross-organisational cyber security awareness. These approaches are helping to drive successful business-aligned security projects that are proving to have far greater company-wide relevance, adoption and success. Often, this requires a different engagement style from the CISO, a deeper business understanding and an investor’s insight.
As for Symantec, we are committed to helping board members and security leaders seize this heightened focus on cyber security to promote and enable secure digital enterprises, communities and transactions.
Our new analytics-driven strategies for advanced threat protection and cyber security services have been designed specifically to help CISOs be more able to answer those not so ‘simple’ questions posed by the board, while our unified security strategy will help stakeholders to go further to manage enterprise risk against industry-wide benchmarks and align business rationale against security investment choices.
We are really interested in your perspectives on this topic and also to share and learn. Feel free to comment or get in touch to continue the conversation.
