How CISOs can go beyond their defensive role and drive transformation

How can CISOs address challenges that come with repositioning themselves as business partners and innovators for effective cybersecurity?

Many Chief Information Security Officers (CISOs) now find themselves at the crossroads as they face the challenge of bridging the gap between cybersecurity and business needs in an increasingly complex and connected digital environment.

Traditionally, CISOs have focused on improving their organization’s defenses against cyber attackers. This continues to be an important role given that 59% of Southeast Asia (SEA) organizations saw more attacks in 2019, according to the EY Global Information Security Survey 2020 (GISS). 

However, they will need to adapt to perform this role effectively. Today’s enterprises are rapidly transforming to embrace emerging technologies and driving innovation to remain competitive and meet customers’ evolving expectations. CISOs who merely react to these changes will not be as effective as those who proactively keep pace with the organization’s transformation and look to develop an in-depth understanding of the business environment. The latter will be able to anticipate new threats, recognize potential new aggressors and respond ahead of time.

There is now an opportunity and a need for CISOs to be at the heart of innovation — to help organizations make new products and services cybersecure, and therefore more competitive as consumers and regulators place more importance on security. For example, when the cybersecurity labeling scheme for Wi-Fi routers and smart home hubs is introduced in the second half of 2020 in Singapore, CISOs of manufacturers that are able to help their organizations comply with these standards might give them an advantage in product differentiation. 

Clearly, CISOs must transform and expand their role beyond that of a technologist to become a business partner. They will need to lead from the frontline, and not just support from the backroom. As they do so, they lead the way for cybersecurity functions to change their ways of working and operate as enablers of innovation.  

In order to be effective in this expanded role, CISOs will need to diversify their skill sets to acquire both new technical and business capabilities. Essential business skills include problem-solving, communication and the ability to work collaboratively across departments to identify risks in the dynamic digital environment. They will also need a deeper understanding of emerging technologies and their applications. 

Challenge stereotypes and rebuild relationships 

It is not enough for CISOs to embrace their new role and proactively acquire skills to support it; they will also need to tackle existing stereotypes within the organization. When asked how the executive management team would describe the role of cybersecurity, only 8% of SEA respondents of the GISS agreed that the function “enables innovation with confidence”. A much higher percentage (32%) associated the function with its traditional role of protecting the enterprise. 

The difficulty in changing stereotypes is made worse by existing levels of distrust between cybersecurity functions and the rest of the business. According to the GISS, 37% of cybersecurity functions in SEA organizations have at best, neutral, if not nonexistent or mistrustful relationships with the lines of business.

Trust is an essential ingredient to foster openness and free up the exchange of ideas, which are critical for building a culture of innovation. Without strong mutual trust with the rest of the organization, CISOs will struggle to participate in innovation projects, and even if they do, cybersecurity is likely to be an afterthought. The GISS revealed that only 43% of SEA organizations involved their cybersecurity team right from the planning phase of a new business initiative. It is critical for cybersecurity to be a central consideration from the start of each new project — an approach called “Security by Design” — to avoid imperfect and costly solutions or impractical work-arounds.