Chief Information Security Officers (CISOs) have now replaced CIOs as the most underappreciated executives. According to research from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), nearly a third (29%) of companies still have no CISO role or equivalent. And where such a role exists, the CISO is often relegated to the status of a glorified administrator rather than treated as a strategic enabler.
This is why CISOs are almost always fired or "resigned" after a major data breach. When shareholders and customers demand blood following a breach, the CISO is the sacrificial lamb, even when there was no realistic way to prevent the breach under the conditions the CISO was operating in (which can include insufficient budget, staffing and visibility into the business). This is often a self-destructive act, because the CISO is usually the most qualified person to handle forensic investigations, cleanup and post-breach compliance.
In many ways, the fate of today's CISO resembles that of the CIO in the 1990s. At the time, the CIO stereotype among business leaders was "the guy crawling under the desk connecting the cables." And, like the CISO today, the CIO was only noticed when things went wrong. Today, CIOs have taken their rightful place in the boardroom as digital business has become a key part of business strategy in every sector. According to an IDC survey, by the end of 2017 two-thirds of Global 2000 executives had placed digital transformation at the center of their business strategy. (As Patrick Doyle, CEO of Domino's Pizza, puts it, "We are a technology company that sells pizzas.")
However, businesses have been slow to embrace security as an enabler of this digital transformation. Of the firms that have a CISO role, only 44% of respondents in the ESG/ISSA survey indicated that their CISOs had sufficient interaction with executives and boards of directors. As a result, CISOs today often voice the same complaint IT managers did in the 1990s: "I can't get a seat at the table."
Cybersecurity remains a secondary risk
Surprisingly, cybersecurity is often not a top priority in enterprise risk management. Several factors contribute to this, including:
- Because many organizations have not yet defined overall responsibility for governance, risk and compliance, cybersecurity operates in isolation, with leaders often unaware of potential risks until a problem arises (for example, a data breach).
- Cybersecurity has never been regarded as a financial risk on a par with traditional forms of risk, such as lawsuits, supply chain disruptions or competitive concerns, so executives have not elevated it to the appropriate level. This is becoming increasingly dangerous as strict regulations such as the GDPR come into force and cybercriminals become ever more insidious, with ransomware and other attacks that can seriously disrupt business activity.
- Business requirements often outpace security requirements. Businesses therefore push ahead with digital transformation initiatives without subjecting them to appropriate security controls. This has significantly broadened the corporate "attack surface" as companies adopt new computing paradigms, such as cloud and mobile, without adopting matching security measures.
These problems have given security a bad name: security people are "the guys who always say no" to new digital business projects. As a result, many business leaders either do not think to invite CISOs into strategic discussions or deliberately avoid doing so, to keep security from standing in the way of new initiatives.
This dynamic exposes many companies to potentially devastating consequences. In the era of the GDPR, the California Consumer Privacy Act, and next-generation ransomware and denial-of-service attacks, a company's ability to deliver security has also become a matter of survival.
In summary, many CISOs today exist in environments where leaders do not understand them, and they are therefore brought into business initiatives only when it is too late. Security gaps expose the company to cyber attacks and compliance breaches. All of this is happening in the midst of a global cybersecurity skills shortage that has left staff overworked and focused on mundane "gatekeeper" activities rather than on strategic work that can move the business forward (such as securing the next digital transformation initiative). And to top it off, CISOs remain the most convenient scapegoat when bad things happen, so a data breach hangs over their heads like a sword of Damocles that can end a career.
It's time to take a walk
What's a CISO to do? Simple: get up and go for a walk (literally, not figuratively).
CISOs should adopt the management technique developed by Bill Hewlett and Dave Packard in the late 1950s: management by walking around. They must make a point of getting out of their security bubble and walking the business, talking to business people about their latest initiatives and goals.
This is the most common advice I give to CISOs, because being "trapped in the bubble" is the most common ailment I see. Walking around and talking to business people not only gives CISOs valuable information that should be fed into the security strategy; it also gives them the opportunity to show business leaders that they are not roadblocks or "necessary evils," and that they can instead significantly improve the odds of long-term success for business initiatives. They can teach everyone, from product managers to the CEO to the board of directors, that digital transformation is not the company's ultimate goal; secure digital transformation is.
Walking around will also be a valuable lesson in plain English. Many CISOs struggle to communicate their value to business leaders simply because they cannot express what they do in terms that are meaningful to those leaders. Telling the CFO that you successfully thwarted 2,345 attempted intrusions into the network means nothing in business terms. Telling the CFO that your data security project will protect the company from GDPR fines of up to 4% of annual global turnover means a great deal.
To build a more sustainable and rewarding career path, CISOs need to make the same transition CIOs made at the turn of the century: from "techno-geek" to "business person who also happens to be a technology expert." This is why many of the best-performing CISOs hold an MBA. According to a report published by Forrester Research in 2018, 43% of Fortune 500 CISOs have an advanced degree, and roughly half of those are MBAs. Leading CISOs know that they must be business people first and technical experts second.
This transition will not happen organically; CISOs must make it happen. Organizations that do not include the CISO in business discussions are not going to suddenly "see the light" and roll out the red carpet at the next board meeting. Instead, CISOs must become known as professionals who understand the business and can reduce the risks associated with next-generation digital initiatives. Earning an advanced business degree will certainly help. But degree or no degree, the most effective way to change the conversation about security is simple: get up and walk around.
Joseph Schorr is global director of executive services at Optiv Security based in Denver. He works with CISOs of large companies to solve their most important security problems.