For organizations today, staying competitive means undergoing rapid digital transformation, yet few appear to have a solid approach for handling the security and privacy implications of such a change. However, ensuring organizations adapt while also retaining a high level of digital trust is exactly where the chief information security officer (CISO) can help. CISOs are adept at reviewing the security of digital crown jewels — sensitive, business-critical data — aligning security to business goals, and ensuring that disruptive technologies such as artificial intelligence (AI), internet of things (IoT) devices and augmented reality are adopted with adequate security and privacy controls.
Conveniently, there are resources to guide CISOs on how to engage on these issues. One such resource is PwC’s “Digital Trust Insights” report, which replaces its long-running Global State of Information Security Survey (GSISS) series with a broader view of the cyber risks awaiting the cognitive enterprise. The report — which is based on a survey of 3,000 executives and runs to only about a dozen pages — provides advice for CISOs, boards and business executives to rally around key issues of digital trust as they work to build a reasonably secure digital world.
Get Security Involved Early On
It will come as no surprise to anyone in cybersecurity that the best way to avoid costly and awkward security fixes — or worse, an embarrassing and damaging breach — is to bring in the security function early on in a project. The stakes are even higher for digital transformation projects. While 91 percent of companies executing transformations bring in security and privacy as stakeholders, only 53 percent are proactively managing security and privacy risks “fully from the start.” This varies somewhat by sector, and as expected, the financial services sector is in the lead with 66 percent engaging security and privacy from the start, followed by the healthcare sector (65 percent). The consumer markets sector comes in last, at 49 percent.
Bringing in stakeholders from cybersecurity and privacy from the very beginning of transformation initiatives is key. As the report noted, “Most respondents say emerging technologies are critical for business, but fewer are very confident they have sufficient ‘digital trust’ controls in place.” This is reflected in the survey results: 4 out of 5 organizations report that the IoT is critical to at least some parts of their business, yet only 39 percent are “very comfortable” with the digital trust controls deployed alongside their IoT adoption.
Early involvement of the security function will also improve alignment of security efforts with the business, a concern raised in the report, which found that few organizations regularly assess whether their security controls, frameworks and strategies are still appropriate in light of the digitization of the enterprise and the changing privacy landscape.
Review Security Talent and Workforce Awareness
In most organizations, the security function is already stretched thin and thus not in a position to handle the many new challenges posed by an organization undergoing rapid digital transformation. When the CISO is spending most of his or her time fighting fires or pleading for budget and support, there is little time left to review high-level security strategy, ensure appropriate privacy controls around sensitive data, and adequately communicate enterprisewide security issues to top leadership and the board. Another concern is the low number of organizations that report having a security awareness program (34 percent), and even fewer require training on privacy policies and practices (31 percent).
The way forward is to perform a workforce gap assessment specifically for the cybersecurity and privacy functions, and to commit to filling key roles in security and privacy with the required level of talent. In addition, organizations should review and update — or implement if absent — policies about their IT assets and sensitive data. Security awareness campaigns should be conducted regularly, but avoid the one-size-fits-all web-based approach. Instead, look for or create engaging security awareness materials and evaluate the effectiveness of each campaign. Attackers continuously refine their tactics, and your security awareness activities should evolve just as continuously.
Improve Communications and Engagement With the Board
As years go by, we get further validation that an increasing number of CISOs are providing the board with updates about cyber risks. Findings from the PwC report echo this progression, with 80 percent of organizations stating their board was provided a risk management strategy. However, only 27 percent of organizations report being “very comfortable” that the board is getting adequate metrics on cyber risk management. Instead, a greater number, 29 percent, report being “uncomfortable” with the adequacy of information reported.
Changing the nature of the engagement between the CISO and the C-suite will take time. But the change needs to get under way, starting with communicating how threats, regulations and third-party risks impact the organization’s cyber risks. CISOs should focus on producing metrics that track the risks to business objectives and how security activities are having a measurable impact to bring those risks down to an acceptable level. Greater emphasis should be placed on the nature and quality of interactions between the CISO and the decision-makers rather than having the CISO deliver a quarterly five-minute broadcast about the organization’s security posture.
Instead, CISOs should spend a little more time learning about their audience, what drives each line of business and their particular concerns, provide materials to prime questions ahead of time, and actively invest in their relationship with the rest of the C-suite and business directors.
Test Cyber Resilience and Improve Strategies
While awareness, engagement and being there from the start are important, the only way to know for sure that the organization is prepared to deal with a data disruption or full-blown cyberattack is to put its cyber defenses to the test. Testing the cyber resilience of the organization can take many forms, depending on the level of the staff or the executives involved. The PwC report found that fewer than half of mid-to-large organizations are “very comfortable” that they have adequately tested their cyber resilience.
Once again, the CISO can and should play a key role on this issue, but doesn’t have to start from a blank slate. Several key organizations have produced reports on cyber resilience, some written specifically for the C-suite and the board, while others were written with chief information officers (CIOs) and CISOs specifically in mind.
Among the many resilience reports available are those from IBM Security and Ponemon Institute, the World Economic Forum (WEF) and the U.S. Department of Homeland Security (DHS). The latter defines resilience in cyberspace as the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.” Organizations should evaluate their ability to adapt to changing conditions and threats, including adapting organizational strategies; prepare for (including anticipating and planning ahead of disruptions); withstand (an area that should be tested more regularly than during the yearly pen test); and recover from an adverse event.
The CISO Is Key to Successful Digital Transformation
“Companies that show the connected world how to lead in safety, security, reliability, privacy, and data ethics will be the titans of tomorrow.” — PwC “Digital Trust Insights” report
Becoming a cognitive enterprise will require major changes, changes that can shake the foundation of trust in the organization’s customers and partners. Organizations will need to balance digital innovation with cyber resilience by ensuring early engagement of the security function in major projects and seeking whole-enterprise visibility and awareness of digital risks. The CISO is key to the organization maintaining a high level of digital trust in such transformative times.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato