The constantly evolving cyber landscape places business leaders in a perilous position when it comes to weighing up the risks and opportunities of using modern communications channels in the workplace. Although information security isn’t traditionally seen as an enabler of innovation, CISOs are now finding themselves under greater pressure to find the optimal balance, rather than just laying down and enforcing the rules.
Today, InfoSec has to contend with the fact that other departments within the organization are more determined to innovate than ever before. Marketing teams want to boost visibility and engage their target audiences on social media. Support personnel want to leverage instant messaging to serve customers more efficiently. Product development departments are tapping into online communities to gather feedback. In other words, technology has become a key enabler of modern business.
Blocking these critical channels on the grounds of security and compliance concerns builds a wall between business needs and the many new opportunities that can accommodate them. An abundance of caution could be forgiven, given that incidents involving billions of stolen records are hitting the headlines regularly. Many business leaders live in constant fear that they, or their technical partners, will be next.
It’s only normal to view cyber threats as economic disablers and cybersecurity as a necessity that exists for the sole purpose of reducing risk. However, rather than letting cybersecurity amplify the perception of threats facing today’s businesses, CISOs should instead see it as a source of hope; a way to add value throughout the organization. What it all boils down to is the fact that cybersecurity can itself be a competitive advantage that empowers, rather than blocks, innovation.
Cybersecurity Is a Process, and It’s Everyone’s Responsibility
Business leaders need to change the way they view cybersecurity. Instead of a cost burden, they should view it as a competitive differentiator; an integral component of the entire digital transformation process. To get better at their jobs and earn the support of all departments within the organization, CISOs need to convey this by building relationships that help drive innovation and share the duties of information security, privacy, and compliance.
These three things are everyone’s responsibility too. Marketing and customer support teams are at the forefront of a brand’s reputation in an age when a single data breach can undo years of brand-building in one fell swoop. Product development teams can wreak havoc if they accidentally (or intentionally) use unsecured channels that leak intellectual property or trade secrets. This makes every employee across every department responsible for cybersecurity in some way, which is why it’s the job of the modern, connected CISO to educate and enable; not just lay down the ground rules.
While the importance of cybersecurity solutions like firewalls, CASB, and endpoint protection cannot be overstated, it’s also important to remember that cybersecurity as a whole isn’t a destination. It’s not a turn-key solution that can be outsourced in full, and neither is there any such thing as a protection device that can secure the company entirely. Above all, cybersecurity is a journey, a process that combines strong leadership and education with the right tools. Unfortunately, this paradigm shift might also be interpreted as security being a bottomless budget pit, with companies pressured to keep investing as much money as they possibly can to improve it.
That’s not how things have to be. CISOs should instead focus on delivering value throughout the organization by being drivers of innovation. By forging closer ties with every department, they’ll be better placed to empower employees to independently assess risks in real-time and take a share in the responsibility to protect the organization. It’s their job to demystify security and, in doing so, transform the perception around it.
The Modern CISO Empowers, Doesn't Just Protect
Traditionally, CISOs were considered protectors, internal regulators who would prohibit the use of certain communication channels and practices that could compromise cybersecurity or compliance. Today, the primary goal of the modern, connected CISO is to reconcile information security with innovation.
For example, when the CMO seeks permission to boost visibility on channels like Facebook, Twitter, and Instagram, the modern CISO doesn’t immediately prohibit it for the sake of risk management. Instead, he or she finds a way to enable the use of such channels without adding risk to the organization. Given the crucial role of these platforms in the modern business, finding a way to enable them while balancing the risk factor immediately adds value to the entire business. If all the CISO does is say no, the CMO will end up missing out on a significant opportunity to propel business growth. In some cases, employees might even go against the decision of the CISO and start using said channels anyway, which is about the worst thing that can happen when it comes to both security and innovation.
This challenge inevitably raises the question of how CISOs change the image of security from the ‘department of no’ to that of leading innovators who inspire every facet of the organization to drive growth. Today’s CISOs are relationship-builders with close ties to every department throughout the organization. Their job is to enable and even drive change by garnering a better understanding of the business problem, and not just the technical and administrative challenges around information security. Security by design is, after all, a process enabled by transparency and mutual understanding. That’s why CISOs need to get everyone on board, holding regular meetings with leaders of other departments, such as CMOs, CFOs and CCOs. Once they can achieve that, they’re no longer just protectors, but vanguards with the power, knowledge, and experience to lead change.
Leading through Education, not Prohibition
Most data leaks and breaches are direct results of negligence. This is partly due to the fact that non-experts often still hold the perception that cybersecurity is all about technology and control, and not about best practices that apply to everyone in the organization. Perhaps the shortage of specialized cybersecurity skills is itself due to fear. Naturally, a core part of the CISO’s job is just the same as it always has been – technical expertise. However, raising awareness of good security habits isn’t rocket science, especially now that the most common threat is social engineering, which exploits human weakness rather than vulnerabilities in technology. Even once you take the technology layer out of the equation, there’s still a whole lot more to protecting digital assets, and that’s where everyone outside the InfoSec department becomes part of the problem and the resolution as well.
CISOs play an increasingly educational role in today’s business by teaching employees how to identify threats and giving them the right tools for the job. In other words, they leverage technical skills and knowledge to enable the responsible use of technology, instead of putting up a barrier to innovation in a world where social media, cloud computing, and mobile devices are all things that modern businesses cannot survive without.
July 3, 2020