The CISO must integrate security into the organizational culture

Over the past two years or so, Chief Information Security Officers (CISOs) have faced more disruption than ever due to the Covid-19 crisis. The overnight shift to remote working, the unprecedented spike in cyberattacks, and tighter budgets have all contributed to the challenges facing today’s IT security leaders. Therefore, the role of the CISO has never been more important. As this year draws to a close and we move into the new year, amid continued uncertainty, CXOToday chats with Alok Khandelwal, Managing Director, Head of Security Accenture – India Advanced Technology Centers, who shares his perspective on security best practices in a rapidly changing world, and on how CISOs are addressing challenges and building a strong cybersecurity strategy in 2022 and beyond. Extracts.

How has the role of CISOs evolved over the past 18-20 months?

The rapid acceptance and adoption of the hybrid working model globally has increased the risks of sophisticated and high-profile cyberattacks. Organizations are gradually taking a proactive approach to security to ensure it stays in top gear to counter threats effectively, going beyond catch-up. This remarkable change has elevated the role of CISOs within organizations, with security becoming a key topic in the boardroom. In fact, our last report highlights that 72% of CISOs now report directly to CEOs or boards, up from 59% in 2020, and have more direct control over budget allocations to security processes.

The CISO’s traditional role as technologist and guardian of data and organizational assets is evolving into the role of strategist and advisor. As a strategist, CISOs gain a deep understanding of business goals and requirements, where they work in close partnership with business stakeholders to develop cybersecurity strategies that are better aligned with the company’s business priorities and risks. As advisors, CISOs keep tabs on the ever-changing threat vectors and landscape, enabling them to provide advice on how to proactively work to improve resilience (reduce impact), and then pursue the moving target to stop the attacks.

Accenture research shows that despite awareness, more than half of large organizations are unable to effectively stop cyberattacks or reduce the impact of breaches. Where do you see the gap?

Our research has provided us with insights into the classification of organizations based on the alignment of their cyber resilience with business strategy. The following types of organizations will experience an increased risk of cyberattacks and higher cost of breaches:

  • Vulnerable – organizations that do not view cybersecurity as strategic and have low alignment with business strategy
  • Cyber Risk Takers – organizations that put business strategy ahead of cybersecurity, so security cannot be implemented effectively
  • Business Blockers – security agenda dominates in these organizations, stringent security requirements delay projects (go to market) and hinder customer experience

Not all of the above approaches are good from a security perspective. Additionally, differences of opinion between security managers and others on important factors such as security effectiveness, attack risks, and resource allocation, etc. prevent organizations from achieving their cybersecurity goals. A close partnership with these two teams will help reduce risk and ensure that business results are targeted, measured and achieved. For example, if organizations integrate security at the end of their journey to the cloud, they are at increased risk of cyberattacks and can delay business results. It’s important for CISOs to work closely with the business and reset the security posture sooner and more effectively, to take full advantage of the cloud.

With security no longer a standalone IT function, how can CISOs effectively collaborate with the C-suite and board to make them understand these business risks and priorities?

CISOs need to partner with the right executives in the organization to gain a broader perspective that serves the entire business well. They often need to measure and monitor their organization’s risk profile to continually improve their security function and enable the business to manage risk. And by making this data available to management, CISOs can better align with the business.

Additionally, companies need to modify their existing organizational hierarchy to ensure that CISOs have a place at the table. This change will allow CISOs to maintain a close relationship with and consult with business leaders and the board while developing the organization’s cybersecurity strategy.

Ransomware has become an increasingly important topic in the cybersecurity context over the past 18 months. What are your suggestions for companies to prepare for such attacks?

Bringing together the cybersecurity, business continuity and resilience capabilities of organizations will be crucial to building cyber-resilient organizations. Our report identifies a small minority of the research sample – the top 5% – as “cyberchampions”, or organizations that balance cybersecurity and business goals, are better positioned to prevent attacks, and find and fix violations faster and reduce their impact.

The pandemic has taught us how a simple hygiene regimen can help protect us from viral infections – that goes for the cyber world too. Cyber hygiene, such as hardening operating systems, patching vulnerabilities on time, performing configuration and access reviews, sounds simple, but when properly implemented, it can provide the first level of protection. Network segmentation, backup data encryption, and backup restore testing are some of the important factors from a resiliency perspective.

It is critical that enterprises take a proactive approach to security and embed security across the entire business ecosystem and for all technology implementations. Moving from traditional methods that involved significant human intervention and longer turnaround times for security assessments, to Agile and DevOps, will allow organizations to not only effectively prepare for cyberattacks, but also respond quickly to threats and minimize damage while ensuring business continuity.

However, this requires a high degree of security automation and subject matter experts embedded into technical teams, to enable faster and more secure deployments. Security solutions also require industry-specific attention – for example, the approach to security for the financial sector must be different from that of the manufacturing industry.

While large enterprises have some means to counter some of the multi-spectrum attacks, can you offer SMBs insights to deal with the ever-changing threat landscape?

Organizations of all sizes need to take a “left-shifted” approach to security when it comes to implementing technology. This means integrating security processes from the start of the technology and throughout the construction cycle, rather than at the end. This approach has a dual benefit: it enables early security and yields savings for organizations that would otherwise have invested in remediating near-to-market security outcomes.

The past decade has taught us that stopping attacks is futile – it works for known attacks but not for the advanced threats facing businesses today. No matter the size of organizations, we can’t stop the attacks. We need to build an architecture that will reduce the impact of cyberattacks and enable faster recovery. Simply put, build resilience. Small and medium-sized businesses should use the strategy of implementing proper cyber hygiene, raising their voice on cybersecurity throughout the organization, creating a cyber culture among all their employees, and performing a solid assessment of their supply chain security risks.

In addition to technology solutions, what are some of the security best practices that CIOs/CISOs should know and implement to build a good cybersecurity strategy in 2022 and beyond?

Organizations can no longer afford to focus solely on business growth and must establish a strong synergistic alignment between security and business operations. By aligning their cybersecurity efforts with business priorities and researching best practices for managing their security operations, CIOs and CISOs can not only build a successful cybersecurity strategy, but also strengthen their organization’s position as a cyber-resilient company.

Security will need to be a key topic of discussion in the boardroom to ensure it remains a priority when making important business decisions. There is also a growing need to extend cybersecurity efforts beyond an organization’s own operations to those of its entire ecosystem, as the value chain is one of the most vulnerable areas through which threat actors can access a company’s network. Such a holistic view of security will be imperative. Integrating security into the organizational culture would be a top priority for CISOs in the years to come.

Finally, building offensive security frameworks and Zero Trust will be key to creating a robust enterprise security architecture. As 5G and IoT become mainstream, CISOs will need to think outside the box to identify and control threats, as the speed of 5G and the proliferation of IoT will dramatically increase the attack surface.