CISO Must Integrate Security into the Organizational Culture

In the last two years or so, Chief information security officers (CISOs) have faced more disruption than ever as a result of the Covid-19 crisis. The overnight switch to remote work, unprecedented spike in cyber-attacks and tighter budgets – all contributed to the challenges of today’s IT security leaders. As a result, the role of the CISO has never been more important. As this year comes to a close and we move on to the New Year, amidst continued uncertainty, CXOToday chats up with Alok Khandelwal, Managing Director, Accenture Security Lead – Advanced Technology Centers in India, who shares his perspectives on the security best practices in the fast-changing world How CISOs are coping with the challenges and building robust cybersecurity strategy in 2022 and beyond. Excerpts.

How has the role of CISOs evolved in the last 18-20 months?

The rapid acceptance and adoption of hybrid work model globally has increased risks of high-profile, sophisticated cyber attacks. Organizations are progressively taking a proactive approach to security to ensure it remains in top gear to effectively counter, moving beyond playing catch-up. This remarkable shift has elevated the role of CISOs within organizations, with security becoming a key topic in the boardroom. In fact, our latest report highlights that 72% of CISOs are now directly reporting to CEOs or Boards as compared to 59% in 2020 and they are being given more direct control over budget allocations towards security processes.

The traditional role of CISO as technologist and custodian of organizational data and assets is evolving to the role of a strategist and an advisor. In the capacity of a strategist, CISOs are acquiring profound understanding of the business objectives and requirements, where they work in close partnership with business stakeholders to build cybersecurity strategies that are better aligned with business priorities and risks. As an advisor, CISOs are keeping an eye on the ever-evolving threat vectors and landscape, enabling them to provide advice on how to proactively work on improving resiliency (reducing the impact) and then chasing the movable target of stopping the attacks.

The Accenture research shows that despite the awareness, more than half of large companies are not able to effectively stop cyber attacks or reduce the impact of breaches. Where do you see the gap?

Our research has provided us insights on classifying organizations based on the alignment of their cyber resilience with business strategy. The following types of organizations will witness increased risk of cyber-attacks and higher cost of breaches:

• Vulnerables – organisations who do not view cybersecurity as strategic and have weak alignment with business strategy
• Cyber Risk Takers –organizations who put business strategy ahead of cyber security, hence security cannot be implemented effectively
• Business Blockers – security program dominates in these organisations, stringent security requirements delay the projects (go to market) and hamper the client experience

All the above approaches are not good from a security perspective. In addition to this, differences of opinion between security and non-security leaders on important factors such as security effectiveness, attack risks, and resource allocation etc. are preventing organizations from realizing their cybersecurity objectives. Close partnership with these two teams will help in driving down the risk and ensure business outcomes are targeted, measured and met. For example, if organizations are embedding security at the end of their cloud-first journey, they are at a heightened risk of cyber attacks and can delay business outcomes. It is important that CISOs work in close alignment with the business and reset the security posture earlier and more effectively, to drive full value from cloud.

As security is no longer a standalone IT-specific function, how can CISOs effectively collaborate with the C-suite and the board to make them understand these business risks and priorities?

CISOs must collaborate with the right executives in the organization to gain a broader perspective that serves the whole business well. They must measure and monitor their organization’s risk profile often to continuously improve their security function and enable the business to manage risk. And by making this data available to the leadership, CISOs can better align with the business.

Further, companies must change their existing organizational hierarchy to ensure CISOs have a seat at the table. This shift will allow CISOs to maintain a close relationship with business leaders and the Board and consult with them while developing the organization’s cybersecurity strategy.

Ransomware has become an increasingly important topic in the context of cybersecurity over the last 18 months. What are your suggestions for companies to prepare for such attacks?

Bringing together the capabilities of cybersecurity, business continuity and organization resilience will be crucial to building cyber-resilient organizations. Our report identifies a small minority of the research sample—the top 5 percent— as “Cyber Champions” or organizations that strike a balance between cybersecurity and business objectives, are better positioned to prevent attacks, find, and fix breaches faster, and reduce their impact.

The pandemic has taught us the how the simple hygiene regime can help us protect from virus infections – this goes with the cyber-world as well. Cyber hygiene such as hardening of operating systems, patching vulnerabilities on time, performing configuration and access reviews sounds simple, however, when implemented properly can provide the first level of protection. Network segmentation, encrypting backup data and testing backup restoration are some of the important factors from a resilience point of view.

It is critical that companies adopt a proactive approach to security and embed security across the business ecosystem and for all technology implementations. The shift from traditional methods that entailed significant human interventions and longer turnaround times for security assessments, towards Agile and DevOps, will allow organizations to not only effectively prepare for cyber attacks, but also respond quickly to threats and minimize the damage while ensuring business continuity.

However, this requires a high degree of security automation, and security subject matter experts integrated with technical teams, to enable faster and more secure deployments. Security solutions also require an industry-specific focus – for example, the security approach for the finance sector should be different from that of the manufacturing industry.

While large enterprises to an extent have the muscle to counter some of the multi-spectrum attacks, can you offer some insights to SMBs to deal with the ever-evolving threat landscape?

Organizations, regardless of their size, must take a ‘shift-left’ approach to security when it comes to technology implementation. This means integrating security processes right from the inception of the technology and throughout the build cycle, rather than just the end. This approach has dual benefits – enables security early on and saving for organizations which otherwise would have been invested on remediation of security findings close to go-to-market.

The last decade has taught us simply stopping attacks is futile – this works for known attacks but not the advanced threats which businesses are facing today. Irrespective to the size of organizations, we cannot stop attacks. We need to build an architecture that will reduce the impact of cyber-attack and enable recovery faster. In simple words, build resiliency. The small and midsize business should use the strategy of implementing proper cyber hygiene, be vocal about cybersecurity across the organization, by building a cyber culture among all its people and performing a robust security risk assessment of their supply chain.

In addition to technology solutions, what are some of the best security practices CIO/CISOs should know and implement to build a good cybersecurity strategy in 2022 and beyond?

Organizations can no longer afford to focus solely on business growth and must establish a robust synergistic alignment between security and business operations. By aligning their cybersecurity efforts with the business priorities and seeking out the best practices to run their security operations, CIOs and CISOs can not only build a successful cybersecurity strategy, but also strengthen their organization’s position as a cyber-resilient business.

Security will need to be a key topic of discussion in the boardroom to ensure it remains priority when making important business decisions. There is also an increasing need to extend cybersecurity efforts beyond the organization’s own operations to that of its entire ecosystem, as the value chain is one of the most vulnerable areas through which threat actors can gain access to a company’s network. Such a holistic outlook towards security will be imperative.Integrating security as a part of the organizational culture would be a top priority for CISOs in the coming years.

Lastly, building offensive security frameworks and Zero Trust will be key towards building robust enterprise security architecture. As 5G and IoT become more mainstream, CISOs will be required to think out-of-the-box to identify and control threats, as the speed of 5G and proliferation of IoT will dramatically increase the attack surface.