
Accelerating digital transformation through efficient cybersecurity 

B M Zahid ul Haque 
13 Oct 2022 00:00:00 | Update: 13 Oct 2022 01:20:10

Globally, digital transformation has become a key initiative for many enterprises. The COVID-19 outbreak has pushed enterprises even further to quicken their digital journeys. As they do this, cybersecurity is constantly raised as a critical concern, but it should also be viewed as a key enabler. If done right, cybersecurity can remove obstacles to digital transformation and accelerate adoption. It can help the enterprise avoid increased risk and proactively reduce it. For that to happen, the security leader (the CISO, Chief Information Security Officer, or Head of Information Security, whatever the title may be) needs to evolve with time and become a transformational leader who can empower the business and drive innovation.

Digital transformation demands more cybersecurity. The security leader should propose controls or workarounds to protect the business by all means without impeding or slowing any innovation. Business leaders should also work with security to balance opportunity and risk. Aligning the security programme to the business begins with agreement on accountability for change and with assigning roles and responsibilities for risk management. Business success or survival may depend on the ability to undertake bold cyber digital transformation initiatives.

Technology risk and regulatory requirements also increase when organizations transform into digital businesses, so aligning cybersecurity and IT with business leaders, and thus with the processes for digitization, becomes vital. Rational cybersecurity can ensure an explicitly defined security programme based on the risks, culture, and capabilities of a business organization, endorsed by management and executives, and aligned with the organization’s mission, stakeholders, and processes.

Primarily, alignment is essential in significant areas like security culture, governance and risk management, control benchmarking, simplifying IT and security, access control, and cyber-resilience. Security programmes should align with business priorities, focus on building a healthy security culture and governance model, manage risk in the language of the business, establish a control baseline, simplify and rationalize IT and security, govern and control access without creating a drag on the business, and institute cyber-resilience, detection, response, and recovery.

Strengthening the security culture is critical. Establishing information classification, data protection, and identity and access management controls is essential. Access restriction not only reduces risk and satisfies regulatory requirements; it is also vital for enabling appropriate digital relationships and data sharing with internal and external users.

Information risk priority and accountability 

Information risk involves too many threats to assess individually, too many vulnerabilities to mitigate at once or even in phases, and a wide range of control choices. In addition, businesses have rules and requirements for how information assets should be accessed, shared, or used. Therefore, organizations should set priorities first on business needs and opportunities, then on risk and compliance, and only then on IT constraints and dependencies. Working in phases can significantly improve most businesses, as risk is the core topic of Rational Cybersecurity.

To own the risks and make the business accountable and responsible for information risk, it is necessary to understand the risks in business terms like time to market, monetary losses, opportunity cost, and the brand. Then the business needs to keep risks from materializing into losses by establishing baseline controls that mitigate them. The optimal rules will vary for different types of organizations. The critical thing to recognize is that some subset of controls is a matter of basic security hygiene that every business should implement.

‘Dwell time’ and protecting the ‘crown jewels’

‘Dwell time’ is critical. The continuous focus should be to keep attackers out of networks, to detect and eradicate most of those that penetrate within minutes or hours, and at all times to keep them away from the organization’s ‘crown jewels’. Even top-shelf cybercriminals can be resisted, detected, and delayed for some time by the right set of cyber-resilience measures. The CISO is on a continuous journey towards better cyber-resilience through multiple steps: identify critical business assets, risk scenarios, and contingency plans; detect cybersecurity events consistently and promptly; coordinate detection with users, business stakeholders, and external parties; establish the incident response programme and evolve it for cyber-resilience; recover from incidents caused by cyberattacks and operational outages; and activate business continuity and disaster recovery plans.

Cybersecurity is not a one-size-fits-all proposition

Management and the Board of Directors may want to know from the CISO: How much investment is enough? What approaches to cybersecurity are suitable for the organization? There are no straight or easy answers to these questions. It depends on multiple scales (e.g., the size of the organization, the complexity of the IT infrastructure, security pressure, national and industry origins, maturity), the cybersecurity effort and its impact, the kind of business one is in, and the IT and digitization realities of the business.

Establish Rational Cybersecurity

To establish rational cybersecurity, creating shared accountability and responsibility between business and security leaders is mandatory as the base point for alignment on information risks. Business leaders should own the risks, and security leaders should manage them under the business’s direction. Cybersecurity cannot operate in a silo, and alignment with multiple business functions is essential for it to be effective. It should be remembered that cybersecurity works best when the business explicitly acknowledges its cross-functional reality and gives security leaders the resources and support structures required to be effective.

The Rational Cybersecurity Success Plan may be developed following a methodology with a few steps: scoping out priority focus areas, identifying stakeholders (in security-related business roles), making a quick assessment of your current state, defining improvement objectives (within your priority focus areas), identifying metrics, and tracking progress.

Cybersecurity to act as a business partner

To be successful in the whole journey, the CISO must act as the authoritative ‘champion’ for cybersecurity, have a compelling stake in the strategy, and provide guidance toward IT and digital transformation. The CISO must continually educate business and operations on what they need to know about cybersecurity from the business perspective, framed in terms of business risks, impacts, or opportunities. The CISO functions as more of a business leader and communicator than a technologist. Aligning security with the business is mandatory. Once business leaders and others see cybersecurity as a strategic programme and perceive security leaders as business partners, CISOs will be better able to count on businesspeople to perform the security-related duties of their roles. Business risk owners can also coach others to make better-informed risk decisions.

Rational cybersecurity demands a defined security programme based on risk management, organizational culture, and the overall capabilities of the organization. Most importantly, the programme requires sufficient endorsement from senior management and alignment with the enterprise’s mission, vision, and strategy. Awareness among all stakeholders is crucial. It is rare to find professionals disagreeing about the need to align security and the business. If security leaders focus on cybersecurity-business alignment, the organization’s capabilities will mature significantly and its cybersecurity outcomes will improve. Through improved business alignment, security programmes can be much more effective. Quantifying the risks and proposing realistic alternatives to continue the digital journey is crucial. The security team should also act as a coach to the business, technology teams, and others. Together, business and security leaders can accelerate digital transformation and make the endeavour easy and secure.


The writer is an information security and Cyber Digital Transformation practitioner and technology expert. He can be contacted at bmzahidul.haque@gmail.com 
