People in cyber: Going all-in on cyber starts from the top

Key finding: Around half of the CISOs and CIOs in our survey have restructured their security teams and embedded them in product development and business teams

Successful CISOs now act as business enablers. They’re no longer saying, “We can’t do it,” but rather are asking, “How can we do it?”

As a result, they may find themselves invited to join the conversation a lot sooner—ideally, on Day One as the enterprise begins planning its digitization and cloud migration/modernization moves.

CISOs increasingly have the ear of the CEO and boards. Just two years ago, this was not the norm. More than half of the CISOs and CIOs we surveyed told us that, in the past 12 months, they interacted with the CEO at least weekly; 43% interacted with the board at least once a week.

At periodic meetings with the CEO and boards, CISOs should shift from focusing solely on immediate or technical challenges to discuss where the business is headed and the implications for the cyber program. Cyber-savvy senior execs know that when cybersecurity teams are playing catch-up to their organizations’ ambitions, they’re at a severe disadvantage. CISOs should help assure them that whatever the business’ next venture, it can go forth boldly and securely—because the organization is cyber-ready.

These meetings and interactions are also a good opportunity to increase the cyber fluency—along with the digital savvy—of CEOs and boards. 

Recent MIT research found that large enterprises whose executives understand emerging digital technologies’ potential effects on business success outperformed comparable companies without digital savvy by more than 48%. And yet only 7% of the 1,984 large companies MIT studied have digitally savvy executive teams. This needs to change.


CEOs and boards are getting cyber-savvy with their CISOs and CIOs


[Chart: how often respondents interacted with the CEO and with the board. Frequency categories: daily, weekly, bi-monthly, monthly, quarterly, every six months, annually, no interaction within the past 12 months.]

Q: In the last 12 months, how often did you interact with the CEO? With the board?
Source: PwC, US Digital Trust Insights Snapshot Survey 2021, June 2021. Base: 322

The right place for security pros

Modern CISOs aren’t satisfied with merely educating their C-suite and board. Half said they’ve restructured the security team, and another 44% plan to do so this year and next. TMT organizations lead the pack, with 62% having already restructured their teams.

One change they’re making is in placing security team members on product development (49%) and business (48%) teams. We believe these moves put cybersecurity in its rightful place at the right tables at the right time, which is at the start of any strategy discussion and throughout implementation. 

Putting security staff on product development and business teams can also help align cyber strategies to business strategies—a major pivot that has been going on for years. Another 45% said they are considering taking this step in 2021 and 2022.

TMT organizations are ahead in embedding security team members in business teams (56%), but lag in placing them on product development teams (41%). TMT (57%) and healthcare organizations (54%) are more likely to say they’re considering doing so this year or next.

Another thing organizations are doing to enhance security and privacy involves creating roles with specific responsibilities in domains adjacent to cybersecurity. Healthcare organizations are most likely to have appointed a chief privacy officer (61%) and over a quarter (28%) are considering naming a chief data officer next year—in a nod to the importance of data sharing and data-driven health outcomes in the industry. 

Despite increasing intrusions into supply chains and operations, industrial manufacturing organizations lag in appointing chief resilience officers (19%). That might soon change. Two-thirds (65%) are either “considering for next year” or “thinking of doing so this year.”

Forty-six percent of CISOs and CIOs have contracted with security managed services. We’ve seen how a security managed services model can help reduce personnel costs, scale up responses to sudden threats, and make the most of cybersecurity technologies without sending expenses spiralling. Financial services organizations tend to have large security teams, so they’re least likely to have already contracted with security managed services (37%) but are most likely to be “thinking of doing so this year” (51%).

A bigger focus on the human side of cybersecurity

Takeaways

Look to the future. In all your interactions—with the business, the board, the CEO, the product development teams—talk about what’s coming. Put current fires and fixes in the context of longer-term goals and plans to help improve your cyber posture.

Make it your business to demystify cyber. Help those around you to become cyber-savvy. Speak the language of business. Find creative ways to explain complex cyber issues. These acts alone can help you make a greater difference and earn trust.

Work with the CEO to understand competing values in building stakeholder trust. CEOs face hard strategic decisions. How do we balance customer privacy with monetizing data? How do we manage third-party risks while enabling fast, agile work? Be a partner in creating solutions that balance conflicting choices.

About the survey

This US Digital Trust Insights Snapshot is a poll, conducted in April 2021, of 322 security and technology executives (CISOs, CIOs and similar titles) of US-based companies. Sixty-nine percent of respondents are executives in large companies ($1 billion and above in revenues); 9% are in companies with $10 billion or more in revenues. Respondents come from a range of industries: industrial manufacturing and automotive (23%), tech, media, telecom (19%), financial services (15%), consumer markets (15%), health (14%), and energy, utilities and mining (13%). PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

Contact us

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
