Successful CISOs now act as business enablers. They’re no longer saying, “We can’t do it,” but rather are asking, “How can we do it?”
As a result, they may find themselves invited to join the conversation a lot sooner — ideally, on Day One as the enterprise begins planning its digitization and cloud migration/modernization moves.
CISOs increasingly have the ear of the CEO and boards. Just two years ago, this was not the norm. More than half of the CISOs and CIOs we surveyed told us they interacted with the CEO at least weekly; 43% interacted with the board at least once a week, in the past 12 months.
At periodic meetings with the CEO and boards, CISOs should shift from focusing solely on immediate or technical challenges to discuss where the business is headed and the implications for the cyber program. Cyber-savvy senior execs know that when cybersecurity teams are playing catch-up to their organizations’ ambitions, they’re at a severe disadvantage. CISOs should help assure them that whatever the business’ next venture, it can go forth boldly and securely — because the organization is cyber-ready.
These meetings and interactions are also a good opportunity to increase the cyber fluency — along with the digital savvy — of CEOs and boards.
Recent MIT research found that large enterprises whose executives understand emerging digital technologies’ potential effects on business success outperformed comparable companies without digital savvy by more than 48%. And yet only 7% of the 1,984 large companies MIT studied have digitally savvy executive teams. This needs to change.
Modern CISOs aren’t satisfied with merely educating their C-suite and board. Half said they’ve restructured the security team, and another 44% plan to do so this year and next. TMT organizations lead the pack, with 62% having already restructured their teams.
One change they’re making is in placing security team members on product development (49%) and business (48%) teams. We believe these moves put cybersecurity in its rightful place at the right tables at the right time, which is at the start of any strategy discussion and throughout implementation.
Putting security staff on product development and business teams can also help align cyber strategies to business strategies — a major pivot that has been going on for years. Another 45% said they are considering taking this step in 2021 and 2022.
TMT organizations are ahead in embedding security team members in business teams (56%), but lag in placing them on product development teams (41%). TMT (57%) and healthcare organizations (54%) are more likely to say they’re considering doing so this year or next.
Another thing organizations are doing to enhance security and privacy involves creating roles with specific responsibilities in domains adjacent to cybersecurity. Healthcare organizations are most likely to have appointed a chief privacy officer (61%) and over a quarter (28%) are considering naming a chief data officer next year — in a nod to the importance of data sharing and data-driven health outcomes in the industry.
Given increasing intrusions into supply chains and operations, industrial manufacturing organizations lag in appointing chief resilience officers (19%). That might soon change. Two-thirds (65%) are either “considering for next year” or “thinking of doing so this year.”
Forty-six percent of CISOs and CIOs have contracted with security managed services. We’ve seen how a security managed services model can help reduce personnel costs, scale up responses to sudden threats, and make the most of cybersecurity technologies without sending expenses spiralling. Financial services organizations tend to have large security teams, so they’re least likely to have already contracted with security managed services (37%) but are most likely to be “thinking of doing so this year” (51%).
Look to the future. In all your interactions — with the business, the board, the CEO, the product development teams — talk about what’s coming. Put current fires and fixes in the context of longer-term goals and plans to help improve your cyber posture.
Make it your business to demystify cyber. Help those around you to become cyber-savvy. Speak the language of business. Find creative ways to explain complex cyber issues. These acts alone can help you make a greater difference and earn trust.
Work with the CEO to understand competing values in building stakeholder trust. CEOs face hard strategic decisions. How do we balance customer privacy with monetizing data? How do we manage third-party risks while enabling fast, agile work? Be a partner in creating solutions that balance conflicting choices.
1. The cyber-threat landscape: The digital rush left many exposed
2. Big bets: Cloud security, cloud security, cloud security
3. People in cyber: Going all-in on cyber starts from the top
4. Despite heightened risks, hope flourishes
This US Digital Trust Insights Snapshot is a poll of 322 security and technology executives (CISOs, CIOs and similar titles) of US-based companies in April 2021. Sixty-nine percent of respondents are executives in large companies ($1 billion and above in revenues); 9% are in companies with $10 billion or more in revenues. Respondents come from a range of industries: Industrial manufacturing and automotive (23%), tech, media, telecom (19%), financial services (15%), consumer markets (15%), health (14%), and energy, utilities and mining (13%). PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.