The cybersecurity industry and its practitioners have traditionally been technically savvy and laser-focused on technology tools and solutions. This worked effectively when the whole enterprise, all its data and all its people, were safely housed in a corporate office and on the corporate network, and it wasn’t as necessary to assess and balance risk. However, that paradigm was already starting to shift with digital transformation prior to 2020, and now the COVID-19 crisis has blown it out of the water.
For the first time in modern business, CISOs can no longer operate within the tight controls of their security program. Massive remote working has introduced the unmanaged security risks of the home work environment. At the same time, attackers are ramping up malicious activity – phishing attacks are up more than 667% in the first half of this year. The cost of a data breach today can be astronomical for businesses – an average of US$3.92 million. For organizations, this cost can vary depending on how quickly they discover and respond to a breach. And it can include not only significant fines but also lost revenue, brand trust, and IP that can irrevocably impact an organization’s competitive advantage.
All of this makes it more critical than ever that the cybersecurity warriors inside your company understand how your business operates in order to understand how best to protect it. Forcepoint’s recent WSJ CEO/CISO survey, The C-Suite Report: The Current and Future State of Cybersecurity, underlines this point: 63% of cybersecurity “leaders” report that a lack of common vocabulary between CEOs and CISOs can make identifying top organizational priorities difficult, and 53% say it makes technical decisions more challenging. It’s also telling that twice as many leader organizations report that their Board of Directors recognize that cybersecurity is critical, and are fully engaged with it as part of a key business strategy.
As CISO of Comcast, I saw the opportunities presented by having security strategy more connected and integrated into the business, so I created a new role of business information security officer (BISO). The security professionals in this role developed relationships with business unit leaders in order to better understand the goals of the business unit, and what it would need to protect and achieve in order to be successful.
Our BISOs not only had to be versed in the latest cybersecurity threats and technologies, but also had to be great communicators and fast learners. If they weren’t when they started the role, they were soon up to speed on business principles and terminology. I fast-tracked this learning by embedding them within the business units for “tours of duty” lasting several months. I also offered opportunities such as additional education to help them develop their business acumen. This benefited not only the enterprise, but the individuals’ career growth. It all helped to open their eyes to business needs and perspectives and make them more well-rounded employees and executives. The flipside can also be valuable: technically savvy business-side workers can be stationed temporarily in the security organization in order to expand their perspective and knowledge. Cross-pollination across all levels can only increase understanding and help security better understand what’s at stake.
I’m thrilled to continue this approach to cultivating business skills among Forcepoint’s own security teams with similar cross-functional engagements. The most successful security leaders I know have worked in operational roles – managing teams with responsibility to the business and line of sight into P&Ls. I think it’s because they have a sense of why we’re securing the business. In other words, they understand the business goal. Because if you don’t understand what you’re securing from a business perspective, how can you make the correct risk-based analysis? It’s the “so what” that’s behind what we’re doing.