CISO Rising: New Roles and ResponsibilitiesBy Guest Author | Posted 2014-06-06 Email Print
Rather than managing technology, today’s CISOs are responsible for a much deeper and broader set of interrelated tasks that involve risk and governance.
Just as the new-style executive leaders and CISOs do, an effective cyber-strategy bridges technology and business in a holistic way. It enables and ensures the integration, analysis and monitoring of business insights and data from across the organization to support activities that include controls monitoring, threat detection and reporting.
In addition to reducing cyber-risk, the best strategies will have a broader scope and impact, providing a platform for value creation and growth by underpinning confidence in the security of online activities. These approaches also will enable businesses to take calculated risks, invest in new ideas and realize the true potential of e-commerce.
A Foundation for Best Practices
As today’s CISOs seek to create holistic and nimble cyber-security plans, they focus on these core elements, which form a foundation for best practices:
· Proactive planning based on a comprehensive vulnerability assessment. As converged security executives, CISOs are now charged with fully assessing where a company may have shortfalls in its cyber-security program. This includes a thorough assessment of all external-facing areas of vulnerability, value and supply chain risks, and the level of employees’ awareness of their role in cyber-attacks.
Assessments may also include benchmarking against competitors, which can enable companies to craft robust crisis management and response plans and build robust business cases for investments.
· Cross-business, cross-functional cyber-security committees. By generating proper support from each area of the business (legal, marketing, finance, human resources, customer service, etc.), CISOs are working to ensure that responses to attacks are never in a silo. For the legal department, this may mean gaining an understanding of how an attack could affect operations in various geographies and the required response plan to notify stakeholders in that specific region.
For human resources, this may include digital, social and online employee training that focuses on how to be more aware of the sources of risks, how to identify them and how to combat them. Overall, this approach ensures that each functional sector of a company has a vested interest in the effectiveness of the cyber-security strategy.
· Cyber-security strategy as a business advantage. The CISO’s role also extends to educating external stakeholders on the positive attributes a cyber-security strategy can bring to operations. In fact, much like the Good Housekeeping seal in the United States or the Kitemark in the United Kingdom, a proven cyber-security strategy can often serve as a powerful business differentiator and also can support stakeholder confidence before, during and after an event.
As attacks mount and the distinction between internal and external threats becomes less relevant in today’s cyber-world, CISOs are playing an increasingly important role at the intersection of technology, business and risk—and they are wielding much more influence than ever before. Indeed, CISOs, working in partnership with the C-suite and board of directors, are at the forefront of helping to make radical shifts in conventional thinking when it comes to cyber-security.
Therefore, the more authority CISOs are granted, the more they are embraced throughout the organization. And the more success they have moving from firefighting to a more proactive stance, the better prepared companies will be to protect their critical assets from an escalating global threat.
Al Lakhani and William Beer are managing directors at global professional services firm Alvarez & Marsal.