15 Sep 2021 | 08.26 am
How CISOs Can Play A More Strategic Role
Insight from EY's Carol Murphy
Chief information security officers (CISOs) need to build closer relationships with finance, HR, and marketing teams in their business, writes EY’s Carol Murphy
Irish cybersecurity functions are underfunded. More than half of the respondents to the EY Ireland Global Information Security Survey 2021 said it is just a matter of time until they suffer a major breach that could have been avoided had their organisations invested more wisely in cybersecurity.
This lack of funding is not merely due to a paucity of resources. It reflects a lack of appreciation at boardroom level for the scale and nature of the threat posed by cyber criminals. It also demonstrates the absence of a cybersecurity voice in key strategy conversations.
The question for Irish chief information security officers (CISOs) is how they can address the funding issue by playing a greater strategic role in their organisations.
The first step is to move the boardroom discussion away from numbers. If cybersecurity is just another budget line item, it will always be reviewed with an eye to cuts.
However, if the discussion is about the value of the assets being protected, the tenor and outcome will be very different. The numbers will centre on potential loss rather than expenditure and the fight for resources will be easier to win.
To achieve that outcome CISOs need to build closer relationships with other key stakeholders in the business including finance, HR, and marketing teams. Their support will be critical when cybersecurity comes up for discussion at board and C-suite levels.
It’s all about relationships
A significant proportion (44%) of Irish CISOs say they have a poor relationship with their organisation’s business heads. At the same time, a high proportion (48% and 42%, respectively) admit to having very poor relationships with HR and marketing functions. Those poor relationships can only hamper CISOs in carrying out their functions.
CISOs have usually had years of technical and leadership experience, but the type of decisions that they make often go beyond technical considerations and require much broader working relationships.
The CISO should aspire to align to the objectives of business stakeholder groups and work to develop strong professional working chemistry.
Becoming a business enabler should be the goal of the CISO. However, conflicting points of view and natural tension between roles are an important part of business and should not prevent CISOs from working collaboratively to solve problems and meet business goals.
Trust is fundamental for a CISO to promote, especially where true mutual value is derived. It is built over time and is based on shared, mutually beneficial experiences. This can, however, be difficult, given that studies show that the job tenure for most CISOs is typically between two and four years.
Five steps to long-term value
CISOs must demonstrate the ability of cybersecurity to add long-term value across the organisation. This begins with finance and the reduction of the risk of the organisation suffering a devastating cyberattack or fine for data or privacy breaches.
A CISO should be a builder and disruptor, bringing innovative solutions in a measured and proportionate manner. Innovative approaches to security automation will be an essential tool in a CISO’s arsenal.
The five steps Irish CISOs can take to build better relationships with the board, business heads, HR and marketing functions are:
• Set expectations for how you are going to interface with the business and provide an open channel for security guidance.
• Ensure alignment to core business goals and objectives; assess business stakeholders’ satisfaction with the performance and delivery of security services.
• Be clear on your objectives as a builder and a disruptor, specifically how much security innovation you will bring to the business and how you will maintain and improve the existing security posture.
• Communicate the risk to gain support from executive leadership and seek to quantify risk in financial terms where possible.
• Let the business know they own the risk. Educate the business about risk so they can make informed decisions.
By taking these steps CISOs can achieve a fundamental change in their standing within their organisations and ensure they are consulted earlier, receive adequate resources, and become viewed as value adding rather than cost increasing.
• Carol Murphy (pictured) is EY Ireland’s Consulting Partner and Head of Technology Risk