What is important to CISOs in 2022-23
Topics shaping the cybersecurity agenda, based on a wonderful article by PwC; read it here.
If you’re a CISO, you have a packed agenda. Here’s what your day may include.
If you’re a cybersecurity leader, odds are you’re getting a lot of attention from every corner of the business these days. As remote work grows, digital transformation accelerates, geopolitical challenges escalate and regulations change, everyone wants to know what you’re doing to protect your company and build long-term cyber resilience: Are you setting up a foundation for long-term growth in the face of potential breaches, ransomware attacks and other threats? Here are some of the challenges that may fill your calendar on a typical day — and some ideas for how to navigate them to meet your growth goals.
Build cyber resilience
7:30 AM: News of supplier breach
For security in an interconnected world, it’s imperative to build technological and operational resilience that addresses possible third-party risks. You’ll need to be ready to protect critical assets, decrease downtime for core business processes, address regulatory implications and support a quick recovery. That requires more than just assessing and mitigating the impact. You’ll likely also need to engage with the third party to understand its response. You can then update senior management and the board and issue cyber-breach reports as the new law requires. Consider, too, applying lessons learned through metrics reporting, enhanced training and renewed awareness of dependencies.
Drive cyber-business alignment
Meet with business unit president
Seize this moment — when many leaders have named cyber threats as a top concern — to enable cybersecurity to more effectively support your company’s growth. Help business unit leaders understand security priorities, cyber leading practices and how to create a company-wide culture of cybersecurity. Ask for their help in designing — and securing funding for — cyber tools and processes that can help reduce friction for the business. To help support ongoing collaboration, explain some of the innovative approaches and technologies that can help automate cybersecurity to cut costs and provide more speed for the business. To drive ever-closer alignment between cyber and business strategy, set up regular discussions.
Find cyber talent and nurture it
Interview prospective cyber VP
If you’re like most CISOs, you’re looking to expand your team, but talent is scarce and expensive. You also may need to upskill your existing team to meet new threats around artificial intelligence, digital assets and more. Cyber-managed services can often fill the gaps, but without careful oversight, these external partners may introduce new risks.
When hiring new talent, consider your approach to recruiting. Can you look beyond candidates with technical backgrounds — many cyber roles don’t require coding experience — and reach out to new geographies that remote work has made accessible? You should also discuss options for partnerships with cyber managed services providers. If you choose that route, which can be highly effective in filling skill gaps, you’ll want to carefully assess the controls and risk management processes that you and your provider have in place.
Make cyber more transparent
10:30 AM: Meet with CRO
Are you prepared to report on cyber breaches within 72 hours? It’s just one of many growing demands for transparency coming from a new law and an SEC proposal. Failure to comply could lead not just to fines, but also to reputational damage. To meet the new requirements, work with your Chief Risk Officer, your general counsel and other senior executives. Your goal is to create an accurate, compelling narrative, set priorities and identify which rules will require concrete changes in your cyber risk management practices. Also consider how cybersecurity can plug into teams responsible for external reporting and how stakeholders may react to disclosures.
Identify and optimize resources
11:00 AM: Meet with CFO and CIO
Partner with your CFO and CIO to help transform cybersecurity so that you’re not just playing defense, but rather developing a big-picture plan to help reduce costs, grow revenue and stay ahead of emerging threats. Work with the CIO to cut costs and enhance defenses by eliminating overlapping capabilities, improving technology integration and increasing visibility.
For example, you may need to catalog your digital assets and identify end points that should be patched, retired or upgraded. Plan to present the CFO with a data-driven approach to investment: You can assess current and emerging threats systematically — and quantify the impact of a possible breach — with the help of cyber risk quantification. Together, the three of you can work out an approach that aligns your cyber resources, risks and exposures. The result should be cybersecurity that secures your company’s foundations and also supports the business by improving the customer experience, the employee experience and even speed to market.
Standardize and automate cyber tech
12:00 PM: Lunch with vendor
It’s usually a better idea to simplify and standardize cyber, rather than chasing after the latest technology fix. By standardizing cyber, you can help make it more feasible to deploy cyber leading practices across the company — including in different regulatory jurisdictions. That can also make it easier to automate more of cyber, which may help cut costs and reduce business friction. Verify that your vendor can help support simplification, either by unifying your tools on a single technology stack or working with your current stack. Ideally, solutions should also support “zero-trust security”: a suite of tools that continually authenticates and verifies each user, device, action and transaction.
1:00 PM: Meet with CTO on cloud security
Moving to the cloud changes the nature of information security. Make sure your Chief Technology Officer understands the security risks that your company will continue to face during and after cloud transformation, such as keeping your data and intellectual property safe. You also may wish to present the additional risks that a multi-cloud strategy might entail, as well as a plan to address them — such as a single solution to secure data across multiple clouds. Explain the benefits of automating parts of cloud security through secure cloud blueprints, hardened Infrastructure-as-Code (IaC) templates and tests to address vulnerabilities before release.
Plan for cyber crisis management
2:00 PM: Catch up on latest security news
Tolerating or even actively fostering cyber threats has become part of the playbook of certain state actors worldwide. Assess the risks to your company, its assets and its supply chain from cyber threats in crisis zones and from hostile state actors. To help gauge third-party risks to your operations, create or update a full inventory of vendors and subcontractors on which IT depends. Also consider building and strengthening relationships with national or local government agencies focused on cybersecurity.
Direct support where you need it
3:00 PM: Presentation to the board
Your main stakeholders — not just regulators — want to know how you’re protecting the company. An informed board can be a key ally in getting you the institutional support you need. Rather than taking an approach that’s too high-level, you can focus on the specific threats — such as ransomware, supply chain compromises, zero-day vulnerabilities, cloud breaches and cyber attacks at scale — that your company may face. A tabletop exercise can be a powerful tool to bring to life vulnerabilities, your plan to respond and any additional resources you may need to enhance defenses. Consider, too, explaining your incident response playbook and the state of your threat detection capabilities.
Align IT, OT to protect operations
7:00 PM: Dinner with VP of manufacturing
Despite your IT responsibilities, you’re limited in how you can protect some of your company’s most vulnerable environments in operational technology (OT). Often, control of these technology tools is not in your hands. Yet the damage could be severe if ransomware or other threats penetrate manufacturing, connected and Internet of Things (IoT) devices or other operational environments.
Deepen your relationship with the VP of manufacturing to better assign and align security responsibility, share data, create effective controls and integrate security-by-design into processes, products and services. You can help them add a security focus to their product and customer focus, thereby helping you better protect the company as its digital transformation accelerates.
Read the rest on the PwC website.