Rethinking Cybersecurity: From Financial Burden to Business Catalyst

by CyberGRX


2023 has proved to be another monumental year in the cybersecurity landscape—from unprecedented geopolitical events to new SEC legislation and rising AI concerns, the latest current affairs all share a common denominator: more cyber-attacks and growing pressures on the CISO role. But amidst the challenges, new research shows CISOs are making marked improvements in how cybersecurity is perceived in their organizations. 

Chris Steffen, VP of Research at Enterprise Management Associates (EMA), discussed the findings of his recent report, The Transformation of Cybersecurity from Cost Center to Business Enabler, covering the expanded role of the CISO, what a boardroom seat means for the CISO and the organization, and why transitioning to a risk-based approach is paramount in a world where third-party risk management is an everyday business reality. 

Proactive Risk-Based Cybersecurity 

Cyber attackers have never had it better. Global cybersecurity incidents are surging after the pandemic and the increased adoption of third-party tools and applications. Malicious parties continue to have a field day with these highly expanded attack surfaces. To mitigate the continuous barrage of cyber incidents, regulators and oversight bodies have introduced many cyber-related compliance measures to improve corporate cybersecurity. The question of whether these efforts have improved security efficacy arose during the discussion, with Steffen's findings providing several key indicators supporting his position.  

Steffen analyzed the perception of cybersecurity within organizations—specifically, whether perceptions had changed from viewing security as merely a protective mechanism or compliance requirement to viewing it as a more strategic business initiative. After spending months with security teams and engaging thought leaders about their most significant hurdles in adopting more proactive, risk-based cybersecurity measures, Steffen observed that some organizations still regard security from a reactive mindset, as a cost and not a choice: the security program exists to generate evidence and artifacts that satisfy compliance requirements, or to implement defense mechanisms in the hope that they are sufficient. At best, this approach meets baseline security requirements but does not result in a mature security program. Without a risk-based cybersecurity methodology integrated into overall business operations, the CISO and security teams will continue to find it challenging to get support from organizational leadership.

Security teams must, therefore, move from a security- and compliance-based approach to a risk-based approach to third-party risk management (TPRM). For example, instead of hoping that controls mandated by a specific regulatory body will improve security, companies should move past the compliance mindset and adopt a risk-based approach that aligns with the organization's strategic objectives. By focusing proactively on risks, compliance and security requirements can still be satisfied, while the improved cybersecurity posture brings value to the organization through better compliance, fewer incidents, and other potential benefits (e.g., streamlined headcount, reduced costs, and better overall business integration). Cybersecurity and TPRM programs then become quantifiable in business terms.

CISO Seat at the Boardroom Table 

Based on Steffen's research, most organizations already have a CISO in place, although the role is changing fast. The pandemic forced organizations to immediately address existential, operational questions with direct cybersecurity relevance—for example, what immediate changes were necessary to support remote work, how those changes would affect security and vendor relationships, and more. These crucial considerations placed the CISO and security team front and center during the pandemic, yet many CISOs are still not part of the board.

The SEC introduced legislation earlier this year that required publicly traded companies to appoint an accountable security executive to their board of directors. Steffen says this ever-closer alignment of security and the business positions CISOs to have a real seat at the business table. With the CISO as a member of the organization's decision-making body, the security team now has a legitimate champion for realizing the values that security brings to the organization, resulting in a better fusion of security with business processes.  

Of course, this also means naming an individual who is accountable to shareholders if and when a breach occurs. Steffen sees the expanded CISO role evolving into that of a strategic advisor; to this end, CISOs should refine their communication skills and their approaches to describing the organization's risk posture to stakeholders in a relevant and impactful manner.

Due to the dynamic nature of cybersecurity and its interplay with geopolitics and world events, CISOs are uniquely positioned to provide leadership and guidance to their board of directors—especially in helping them understand how current affairs affect the company's operating landscape, business, and security posture. CISOs can best articulate and demonstrate how their security efforts will affect the company and integrate with its overall business plan, and how security strategies will be carried out.

Security as a Business Enabler 

Steffen interviewed various CISOs for the study, many from prominent and well-recognized brands. He notes that CISOs are shifting how they view cybersecurity, advancing the maturity of their programs and positioning security as a differentiator in their respective industries. This risk-based process is what is moving their programs from a cost center to a business enabler. 

AI for Streamlining Third-Party Risk Management 

Steffen called out that many CISOs struggle with prolonged third-party vendor vetting and investigation times, which result in lost advisement opportunities. Among all the benefits AI/ML brings to cybersecurity, one of the most tangible is automation.


By leveraging AI, security teams can make initial third-party decisions based on predictive risk data and follow up with automated assessment workflows to gain deeper insight into specific areas of concern. In this sense, automation and AI are shaping the future of cybersecurity, especially in vendor vetting and onboarding, because they allow security teams to perform due diligence better and faster.

Additionally, AI can help analyze and identify gaps in third parties' security controls and interpret the resulting risk scores in the context of the business. AI enables deeper, potentially more proactive measures for assessing and mitigating vendor risk exposures.

Though it may seem contradictory, moving from cybersecurity perceived as a cost center to a more proactive, risk-based approach requires an investment in the right technology and tools. However, as evidenced in EMA's research study, CISOs are realizing a return on those investments, gaining efficiency and effectiveness in their TPRM programs, and increasing the value and recognition of their roles in their organizations.

Read EMA's complete findings from their research study now. And if you'd like to learn how ProcessUnity can help you build a more proactive, automated TPRM program, we invite you to book time with our team.