September 22, 2021 By Sue Poremba 2 min read

As the workforce moved from the cubicle desk to the dining room table in 2020, cybersecurity suddenly became everyone’s concern. Focus turned to the chief information security officer (CISO). It’s their job to keep businesses running and secure. In many companies, that also meant juggling a move to a full digital transformation with effective remote cybersecurity.

The CISO is a relatively new arrival to the C-suite, and one that is still finding its place among more established leadership positions. As organizations continue to rely on a remote or hybrid workforce, the CISO's seat at the executive table will remain necessary. But to empower the CISO to defend against cyberattacks, the working relationship between the CISO and the other members of the C-suite needs to shift.

The Shared Language of CISO and CEO

“The CISO is a key organization protector and holds the entire weight of the organization’s data security in their hands,” Sean McDermott wrote for Forbes.

Because the CISO is such a keystone, sound defensive practice is essential to steady business operations, and the only way the CISO can do that job is with the full support of the CEO. CEOs can no longer afford to ignore their digital defenses. It is up to the CEO to make sure the CISO and the security team have the budget and resources, including the right technology and staffing, needed to meet today's challenges. It is also up to the CEO to make sure the CISO has the authority to make decisions.

As McDermott pointed out, most CISOs act as the bridge between the business side and the technical side, so they need to speak the language of both. Meetings with the CEO should be conducted in clear, everyday language rather than technical jargon: spell out the concrete impact of a data breach or a compliance failure in terms of downtime, cost and obligations. Effective messaging is key here, and it should flow in both directions.

Working With the CFO

While the CEO may be the one to approve budgets for each department, the CFO decides how those funds are distributed. Getting the CFO to understand the need for security-related resources might be harder than getting the CEO to.

Since CFOs like to see hard data, one approach is to produce a security review covering a past period (say, 12 to 18 months). In it, the CISO can show which threats were defended against, how they were stopped, and where attackers were aiming. With that record in hand, the CISO and CFO can build a plan for the upcoming fiscal year. Regular reviews of this kind mean there are fewer surprises when the next budget request comes around.

The CISO and the CIO

The connection between the CIO and CISO has never been more vital than in 2020 and 2021. It was the CIO’s duty to make sure the workforce had the digital tools needed for their remote offices, while the CISO had to make sure those tools remained secure.

Many businesses and agencies turned to a zero trust strategy during the move to remote work. For zero trust to succeed, the CIO and the CISO must work together to define the correct access and authorization for each identity on the network. In addition, both need an accurate inventory of every device and platform requesting access, since a zero trust decision depends on knowing who is asking and from what.
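What "correct access and authorization for each identity" plus "firm knowledge of each device" looks like in practice is a policy decision point that denies by default and allows only when both the identity and the device are known and satisfy the rules for the requested resource. The block below is an added illustration written for this page, not code from the article, its author or any product it mentions; the users, roles, devices and resource names are constructed for the example and stand in for data that would normally come from an identity provider and a device-management system.

```python
"""Illustrative zero trust policy decision point (added example, not from the article).

Every request carries an identity and a device. The policy denies by default and
allows only when the identity, the device and the requested resource are all known
and the resource's rules (roles, MFA, managed and compliant device) are met.
All names and inventories below are constructed assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa: bool  # the session was authenticated with a second factor


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool    # enrolled in the organisation's device management
    compliant: bool  # passes posture checks (e.g. disk encryption, patch level)


# Constructed inventories standing in for the identity provider and MDM system.
IDENTITIES = {
    "alice": Identity("alice", frozenset({"employee", "hr"}), mfa=True),
    "bob": Identity("bob", frozenset({"employee", "sre"}), mfa=False),
    "carol": Identity("carol", frozenset({"employee"}), mfa=True),
}

DEVICES = {
    "lap-01": Device("lap-01", managed=True, compliant=True),
    "lap-02": Device("lap-02", managed=True, compliant=False),
    "byod-7": Device("byod-7", managed=False, compliant=False),
}

# Per-resource policy, agreed between the CIO (who owns the platforms) and the
# CISO (who owns the rules): permitted roles, MFA and managed-device requirements.
RESOURCE_POLICY = {
    "hr-payroll": {"roles": {"hr", "finance"}, "managed_device": True, "mfa": True},
    "wiki": {"roles": {"employee"}, "managed_device": False, "mfa": True},
    "prod-admin": {"roles": {"sre"}, "managed_device": True, "mfa": True},
}


def decide(user, device_id, resource):
    """Return (allowed, reason) for a single access request.

    Anything unknown (identity, device or resource) is denied: zero trust
    never grants access to a requester it cannot account for.
    """
    ident = IDENTITIES.get(user)
    if ident is None:
        return False, "unknown identity"
    dev = DEVICES.get(device_id)
    if dev is None:
        return False, "unknown device"
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    if policy["mfa"] and not ident.mfa:
        return False, "mfa required"
    if policy["managed_device"] and not (dev.managed and dev.compliant):
        return False, "managed, compliant device required"
    if not (ident.roles & policy["roles"]):
        return False, "role not permitted"
    return True, "allowed"


if __name__ == "__main__":
    # A handful of constructed requests showing each deny reason and an allow.
    requests = [
        ("alice", "lap-01", "hr-payroll"),
        ("alice", "byod-7", "hr-payroll"),
        ("carol", "lap-01", "hr-payroll"),
        ("bob", "lap-01", "prod-admin"),
        ("carol", "byod-7", "wiki"),
        ("mallory", "lap-01", "wiki"),
    ]
    for user, device_id, resource in requests:
        allowed, reason = decide(user, device_id, resource)
        print(f"{user:8} {device_id:7} {resource:11} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The point of the example is the shape of the decision, not the specific rules: the identity side (roles, MFA) is the CISO's data and the device side (enrollment, posture) is the CIO's, and neither alone is enough to grant access.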

Remote work is here to stay, in one form or another. The only way businesses keep running smoothly is for the CISO to work closely with their C-suite partners.
