Role of cybersecurity leadership needs to change

Cristina De Luca

February 26, 2022

Cybersecurity leadership is exhausted, overwhelmed, and in “always-on” mode. Even more so now, with the world bracing for a global cyberwar as Russia invades Ukraine.

In recent weeks, Ukraine has been hit by several cyberattacks targeting its government and banking system, with experts blaming Russia. The flurry of attacks has led to fears of a wider digital conflict, with Western governments on alert for cyber threats from Russia.

The hacker group Anonymous has declared a cyberwar against Russia, and has already claimed an attack on the state TV network “Russia Today”, while social media companies, under pressure to find policies, have rushed to make statements about how they handle information about the war.

The pressure on cybersecurity professionals was already increasing due to the growing misalignment of stakeholder expectations within their organizations. As a result, Security and Risk Management (SRM) leadership had already been investing significantly in assessing and influencing third-party cyber health. Employees are making more decisions with cyber risk implications, and executive committees are being established outside the scope of the cybersecurity leader.

Recent research from Gartner reveals that responsibility for cyber risk has shifted away from IT. An increasingly distributed ecosystem is leading to a loss of direct decision-making control. The consultancy predicts that half of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.

This affects the timeliness and quality of information risk decisions, which are increasingly being made by stakeholders outside the IT or security line of sight. In response, Gartner expects to see an inevitable shift in formal accountability to business leaders who answer to the CEO for delivering strategic objectives such as revenue and customer satisfaction.

As formal responsibility for cyber risk shifts to business, Gartner analysts recommend reshaping the role of cybersecurity leadership for companies to succeed in their defense efforts.

“The CISO role must evolve from being the person actually responsible for handling cyber risks to being responsible for ensuring business leaders have the skills and knowledge to make informed, high-quality decisions about information risks,” explains Sam Olyaei, research director at the consultancy.

Cybersecurity will be included in ESG disclosures

Investor interest, public pressure, employee demands, and government regulations are strengthening incentives for organizations to track and report on cybersecurity goals and metrics within their environmental, social, and governance (ESG) efforts as a business requirement.


“Expectations that organizations should be more transparent about their security risks have increased, resulting in public demand for greater transparency in their ESG reporting,” says Claude Mandy, research director at Gartner. “Cybersecurity is no longer just a risk to the organization, but a societal risk.”

Translation will be a big challenge for cybersecurity leadership: explaining the risk dynamics to the board and operational committees in terms of collaboration and cooperation. They need to demonstrate clearly that they are not trying to stop the business, but to support the increased trust of its consumers, investors, and partners. Security should be a model of shared responsibility, owned by all.

Not coincidentally, expanding strategic conversations with business areas, seeking to align business objectives with security needs, tops KPMG’s cybersecurity trends for 2022.

It is a difficult task, but not impossible. Senior leadership has begun to understand that managing cyber risk for competitive advantage and long-term success starts at the boardroom and C-suite. Offloading strategic decision-making and risk management, especially the risk inherent in digitization, is no longer enough. Modern security solutions can only accomplish so much in terms of risk reduction if the business objectives do not include an embedded, robust security framework.

Looking beyond the digital changes created from the pandemic – remote and secure work environments, digital engagement, and customer service – this hyper-connected world will likely face expanding cyber risks on multiple global fronts. Cybercriminals are using increasingly sophisticated tools and technologies, amplifying the challenge organizations face in protecting and building personalized cyber defense and support.

Security and Risk Management leadership will increasingly need to demonstrate an organizational commitment to reducing the societal problems that can arise from cybersecurity incidents, such as data breaches of personal customer information; potential security concerns from the use of cyber-physical systems; potential for misuse and abuse in their products; and malicious cyber activity against critical infrastructure.

Cyberwar increases pressure

Today’s global business environment is continuously impacted by geopolitical, environmental, social, and technological uncertainties. The resulting cyber risk landscape is fuelled by an ever-increasing volume of sensitive data moving across interconnected and integrated networks.

As Connectivity Wars, a collection of essays published by the European Council on Foreign Relations, makes clear, the hyperconnectivity of the global system allows actors – without resorting to open warfare – to cause serious damage in other geopolitical domains, such as the internet, on which our economies have come to depend.

The cyber dimension of the confrontation over Ukraine, therefore, should not be underestimated.

A strategic factor in cyber warfare is the resilience of local businesses to cyber-attacks. Companies need to strengthen their security measures to reduce the benefits of an attack on a nation-state. The following is a set of measures to ensure corporate cybersecurity, which can promote national security:

  • Create obstacles to breaches of your network
  • Use web application firewalls (WAF) to detect, investigate and quickly block malicious traffic
  • Respond quickly to a breach and restore business operations
  • Facilitate cooperation between the public and private sectors

Key actions for 2022

  1. Make the transition from traditional security thinking around data confidentiality and availability and start thinking about striving for integrity and resilience
  2. Engage key organizational stakeholders to commit to a security strategy that can protect organizational and customer data, manage risk and be responsive to short and long-term business priorities
  3. Reshape the thinking in the executive suite when it comes to security, focusing on practical business risk rather than expense and speed
  4. Think less about operational key performance indicators (KPIs) and key risk indicators (KRIs) and focus on themes and trends in the underlying data: incident types, internal and external program gaps and data-related activities that are in progress, planned, or awaiting approval
  5. Build relationships with key business areas, raising awareness of how quickly they can achieve their objectives when security is incorporated, versus what they stand to lose in the event of a breach