How to Align Business and Risk Strategies

A set of measures to change the conversation from security to risk management, fully aligned with business strategy

The business landscape for the foreseeable future can be characterised by a few critical terms: digital, distributed, sustainable.

As every business becomes, in effect, a digital business, reliance on data and its transformation into intelligence is becoming ever more important. Within this, the push for sustainability and net-zero operation further increases the need for instrumentation, data gathering and measurement.

The data vital to operations, and to sustainability commitments, now comes from a greater diversity and distribution of sources than ever before, which adds to the challenge and increases the risk.

Aligning business and risk strategies, of which cyber risk is an ever larger proportion, is now seen as critical for digital businesses.

What does that mean for business organisation? What changes are necessary to put cyber risk at the heart of business strategy?


One of the key measures to make this quite fundamental change is for the CEO, and indeed the CIO, to empower the CISO to develop cyber risk mitigation strategies that extend across the entire enterprise. With a perspective that goes beyond securing systems, processes and data, the CISO must be enabled to address the business strategies on which the organisation relies, including those being developed in transformation programmes.

Early engagement of the CISO in business development and transformation efforts ensures that risks are identified early, communicated and investigated thoroughly, and consequently mitigated before they materialise as incidents.

With that empowerment from the senior C-suite executives comes the responsibility for the CISO to understand the business ambitions and to communicate the cyber risk issues clearly to business leaders. Only through a deep knowledge of the business requirements and of the direction of development and transformation can the CISO identify and convey the risks, as well as the opportunities that mitigating them opens up.

Changing the Conversation

The ability to share a common language for understanding risk is key to the next step in aligning business and cyber strategy. It is incumbent upon the CISO to move the conversation from security to risk mitigation. In today’s cyber risk landscape, preventing every attack is not a realistic goal; reducing risk to a level the business knowingly accepts must be the focus. This critical shift in the conversation must be led by the CISO, so that business leaders and C-suite executives can contribute to the allocation of resources to mitigate risks appropriately and ensure those resources are best placed for the agreed business strategy and transformation initiatives.

Cyber Governance

In terms of practical measures, many experts recommend establishing a cyber governance body, made up of business leaders, senior executives and key stakeholders, to develop a charter for the key cyber risk management strategies. This charter would have its own performance indicators, as well as the authority to enforce the strategies and initiatives agreed.

In line with other areas of the business, agreed reporting standards can measure and indicate progress and successes, adding further evidence of the efficacy of the measures taken. By the same token, executive oversight of cyber risk strategy and budget planning is vital to ensure that cyber risk investments are aligned with business initiatives and transformation directions, enabling the business while protecting it.

From Adjacency to Centrality

Many analysts and observers have reported that the CISO is often C-suite adjacent rather than fully engaged: at a remove, and therefore at a disadvantage, from the central planning and development of strategy. By bringing the CISO fully into the strategy process, the organisation gives them a better understanding of, and insight into, CxO concerns and requirements. Each CxO and business leader has a different perspective that must be understood and embraced. The example often given is an upcoming merger, where a CEO might be concerned primarily with integration, a CFO might be worried about unknown costs, and a COO might be chiefly concerned with continuity of operations for both organisations. A CISO must be able to understand and accommodate all of these perspectives and communicate risk mitigation measures accordingly. However, that capability can only be exercised when the CISO is fully engaged not just at board level, but in whatever special groups are set up for digital transformation, special operations or mergers and acquisitions.

CISOs can develop risk registers, benchmark data from similar organisations or, where the organisation is innovating and no direct comparators exist, data from adjacent sectors from which reasonable extrapolations can be made. These tools allow the CISO to represent risk properly, while providing a means to develop and refine mitigation techniques with the business leaders and key stakeholders.

Risk Landscape

In today’s cyber risk landscape, the ability of threat actors to harness tools such as cloud platforms, automation and artificial intelligence, together with the increasing professionalisation of cyber crime services, has meant that the reach and impact of cyber crime are greater than ever before. In this context, as one practitioner put it, a security threat is a business threat.

Empowering the CISO and putting them at the heart of the business strategy process allows them to understand business needs from all perspectives. Through methods such as establishing cyber governance groups, business leaders and stakeholders can be given the level of engagement and communication necessary to understand and resource risk alignment.

With resources applied on the basis of a real understanding of, and engagement with, risk across the entire enterprise, organisations can be confident that the risks to their business goals and transformation ambitions are being mitigated.