Last month, India woke up to one of the biggest cybersecurity breaches in the history of its banking sector. Malware, malicious software that interferes with a computer system, was detected in some automated teller machines and presumably allowed hackers to extract money from bank accounts through debit cards. Estimates of the number of compromised cards ran anywhere from 3.2 million to over 6 million.
The country’s central bank quickly bore down on the financial institutions, issuing a number of directives meant to contain the breach and minimize the impact of future cyber threats. One of the instructions to banking leaders was to upgrade the role of their chief information security officers (CISOs), from one that is limited to the operational level to one that is involved at the strategic level.
In many organizations, the primary responsibilities of CISOs still revolve around monitoring cyber threats and meeting compliance requirements. But as more and more assets, such as customer data and intellectual property, become targets for information theft, this reactive position is proving insufficient in securing organizations.
In a report entitled “The new CISO: Leading the strategic security organization,” Deloitte argues for exactly what India’s central bank asked for: a stronger, more strategic leadership role for CISOs, one that is better integrated with the business and allows these executives to manage information risks more strategically. The road to that elevated position, however, is paved with challenges.
A cybersecurity confidence survey conducted by a security software company found that while 70 percent of executives are confident about their current security solutions, only 50 percent of information technology (IT) professionals share the sentiment.
This disconnect is rooted in a handful of issues, including a shortage of talent, which forces CISOs to attend to day-to-day monitoring and enforcing tasks instead of focusing on big-picture issues. Also, many CISOs, who are technologists by trade, don’t necessarily receive the management training they need to get a deeper knowledge of their organization’s business or a broader perspective of cyber threats as risk issues.
Business leaders and CISOs will have to work together to successfully upgrade the latter’s role and create a security organization that is a more strategic, integrated partner of the business. Here are some ways to achieve that.
Assume strategist and advisor traits
Much of a CISO’s time and resources are spent managing and responding to threats. To transition to more of an advisor role, CISOs will have to learn to differentiate between what is more and what is less important, and stop trying to protect the whole environment by themselves.
By training, CISOs tend to be more risk-averse than, say, a business unit leader: the CISO is always looking at ways to protect the organization, while a business unit leader may be of the mind that accepting more risk can increase business opportunities. Reconciling these attitudes may be difficult, but it does put the CISO in an ideal position to help company leaders and employees become aware of and understand cyber risks, thus equipping them with the information they need to make carefully weighed decisions.
But before CISOs can have that conversation with company leaders, they need to adjust their mindset from a security and compliance focus to one of risk and strategy management. They need to understand risk in terms of its potential to affect competitive advantage, business growth, and revenue expansion. Moreover, they need to be able to measure those risks in terms that business leaders can relate to.
One of the CISOs Deloitte spoke with created a menu of security metrics specific to his organization and then worked with his various stakeholders to create a cyber risk dashboard for each of the company’s business areas. This helped business leaders understand where risks may be acceptable and which risk remediations should be prioritized.
Address talent demands
A Deloitte CISO Labs survey found that over 75 percent of participating CISOs report a lack of skilled talent and effective team structure to support their priorities. This makes it difficult for CISOs to assume a more strategic role as they are mired in the daily tasks of securing their organizations.
To address this talent shortage, CISOs should focus on developing a security-specific talent strategy that builds on existing skill sets, better integrates with stakeholders, and plans to fill the future talent pipeline.
Some organizations have developed relationships with technical institutes and universities to jointly identify needed skills and then develop those skills in students—both in the classroom and in real work settings through internship programs. Another talent development strategy is “war games” training—simulated scenarios designed to test an organization’s preparedness for various cyberattacks and to provide employees with hands-on experience for such events.
CISOs should also consider focusing on greater collaboration with other leaders, so that they develop a better understanding of their organization’s business and, in turn, business leaders can work on enhancing their skill sets in relation to cybersecurity.
As cyber risks grow in number and become more sophisticated, CISOs will have to step up to the plate if they are to successfully protect their organizations or recover from an attack. It’s a demanding role, and one that requires a seat at the leadership table and support from the rest of management. As India’s banking sector has learned, a CISO with a strategic mindset could spell the difference between a contained attack and a major cybersecurity breach.
The author is the Risk Advisory Leader of Navarro Amper & Co., the local member firm of Deloitte Southeast Asia Ltd., a member firm of Deloitte Touche Tohmatsu Limited—comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.