For enterprises around the world – and the CISOs, CIOs, CEOs and other corporate officers charged with cybersecurity and safeguarding their company’s assets – there are a number of key challenges this year that must be confronted. The challenge starts with winning the board of directors’ support for what I refer to as “a holistic strategy for managing cyber-risk.”
In a companion post about the top challenges enterprises faced in 2018, I discuss why framing cybersecurity in a business context is the key to winning the board’s enthusiastic endorsement for this holistic strategy. In this article, I focus on how to do this, as well as offering a few insights on addressing other important issues sure to arise in 2019: defusing the enterprise’s biggest cyber-threats, custom-tailoring a cybersecurity strategy that meets different business needs within the same organization, dealing with the ever-growing burden caused by government privacy regulations and coping with increasingly higher levels of turnover in the CISO position.
As previously discussed, 87% of board members and C-suite executives lack confidence in their organization’s level of preparedness against cybersecurity threats. However, in order to win the board’s support for a strategy that provides the necessary degree of cyber-resilience, CIOs and CISOs need to translate these strategic plans into a language the board more easily understands – frame cybersecurity threats and concerns in terms of the business risks that they represent.
A recent McKinsey article on cybersecurity puts it this way: “The holistic approach to managing cyber-risk proceeds from a top-management overview of the enterprise and its multilayered risk landscape.” To reinforce this, the article includes an effective diagram that shows how cyber-risk management involves all parts of the organization.
Defuse the Biggest Threats
The goal of a holistic strategy is to take the entire enterprise landscape into account, so the organization can focus cyber-resources on the most likely and most dangerous cyber-risk threats. Obviously, no enterprise has the resources to recognize, let alone address, every conceivable threat; most often, it can only place tight controls on the most critical assets. Since business priorities are fluid and the nature of cybersecurity attacks is constantly changing, the enterprise must strike a balance between building resilient defenses and achieving operational efficiencies.
A holistic approach begins by helping the board identify the most important cyber-risks the enterprise faces. Only then can it confidently allocate the resources needed to address and monitor those risks that exceed the organization’s risk appetite. To properly gauge and prioritize those risks, the board must be able to view the risks in business – as opposed to technical – terms.
Custom-Tailor a Cybersecurity Strategy
The latest developments in the manufacturing sector offer a prime example. Most manufacturers are in the process of transitioning their operations from a traditional waterfall environment to one that’s entirely digital – where from the moment a product is designed until the day it is produced, the product is never touched by human hands, and the entire production process is under digital control.
However, while hugely advantageous from a production and product innovation standpoint, this situation poses new and potentially catastrophic risks from a security standpoint. If the company’s network is breached and its product designs are accessed, the damage could be substantial. If the enterprise’s board understands the importance of this threat in business terms (that it’s potentially terminal for the product or even the entire organization), then it won’t hesitate to endorse the policies, procedures and practices needed to de-risk and protect those critical assets. In other words, what I’m suggesting here is that the way you enter into the conversation will determine the type of board decisions you get.
Manage Privacy Regulations and Compliance with New Approaches
Pursuing a holistic cyber de-risking strategy has the added advantage of making it much easier for an enterprise to keep compliant with growing regulatory requirements. As jurisdictions around the globe increasingly target cybersecurity with new regulations (Europe’s new GDPR rules and California’s sweeping new privacy regulations come to mind), businesses have become more preoccupied with compliance than ever.
Yet compliance concerns, while justified, should not become the focal point of an enterprise’s cybersecurity efforts. Compliance can be addressed by employing a different sort of mindset, one I’ve referred to before as a “Copernican shift.”
Just as the astronomer Copernicus determined that it’s the earth that orbits the sun, and not the other way around, CISOs and CIOs must ensure that their company’s cybersecurity revolves around the real business risks that it faces – and not some set of government requirements, however well-intentioned.
This shift in thinking is integral to undertaking the holistic approach described here. It clears the way for an enterprise to focus on the cyber-risks most important and relevant to its company, by developing resilient defenses that detect and ward off established threats, while quickly adapting to new ones.
In the end, working toward cyber-resilience also makes it easier to comply with new government regulations, because when the company is doing the right things to protect its business, compliance is the natural by-product.
Plan for CISO Turnover
The current skills gap in the cyber-workforce doesn’t just affect staffing, but leadership as well. The CISO position at many companies is something of a revolving door. Tenure is often measured in months, not years, and each new CISO feels the need to put his or her own unique imprint on the enterprise’s security strategy.
That leads to inconsistency that can seriously undermine an enterprise’s efforts to base its de-risking strategy on objective threats that can be quantified and measured, as opposed to the opinions and predispositions of each new occupant of the CISO’s office. To mitigate this problem, CISOs and others must base their controls on the assets and processes that their boards have deemed most critical, using the approach outlined above.
All the challenges described here are closely interrelated, and successfully resolving all of them depends on developing a strong cybersecurity culture with a holistic approach to risk-management as its center of gravity.