For a CISO, cybersecurity begins with a business strategy – and everybody’s buy-in

Today’s columnist, Nasrin Rezai of Verizon, writes about how CISOs have to get comfortable talking to top management and get everyone in the organization to focus on security.

For cybersecurity leaders across the world, 2020 has been a lightning rod for security challenges. Widespread public attention to the COVID-19 pandemic and the government policy responses to it has given phishing and robocall scammers new attack opportunities. Meanwhile, the rapid shift to remote work and remote school, together with the acceleration of ecommerce, has forced many cybersecurity leaders to pivot toward safeguarding geographically distributed organizations against a growing number and variety of threats. For many cybersecurity teams, reactive threat detection and response has become the standard operating model in a resource-constrained organization facing ever-growing threats.

As businesses look forward to 2021 and employees and consumers adjust to the new normal, there’s a simple formula for a CISO who wants to break the cycle of reactivity: lean into the business. This means building trust with leadership, getting comfortable communicating in the boardroom and developing a thorough understanding of the overall business strategy, its operations and the unique risks faced by individual business units. Be at the table early with top stakeholders, with a vision, a mission and a strategy for security that shows how an investment in preventative security delivers value. And be proactive in managing risks and leading change.

Security touches processes, products, and customers

Simply put, business strategy revolves around making choices. Businesses need to allocate finite resources among competing opportunities and demands. Choices about geographies, product categories, customer segments and channels each drive choices about cybersecurity strategy and programs. For example, the choice to sell to the U.S. government entails specific security requirements and regulatory obligations; the choice to leverage unique intellectual property as a differentiator brings its own cybersecurity needs for protecting that IP. As a proactive partner to the business, a CISO can map these choices to a security framework with defined goals and operations focused on prevention and risk management.

CISOs can also ensure that cybersecurity gets built into every facet of the business ecosystem, including systems, networks, products, business processes and even people. By taking a security-by-design approach and working with the stakeholders to proactively build security in from day one (versus reactively bolting it on or implementing quick fixes as changes arise), organizations can capitalize on the benefits of digital transformation and reduce costs, all while improving their security posture and resilience.

Added benefits of this approach are an improved customer experience and a stronger brand. Customers and prospects have multiple interactions with a company over their lifetime, via multiple channels. Working closely with the relevant marketing and operations leads, cybersecurity leaders should strive to create an omnichannel customer experience that’s consistently secure. For every customer touchpoint, CISOs need to ask several questions: How do we reduce the risk of fraud or theft for both the company and the customer? For companies with a public-facing retail or support workforce, what kind of training will that workforce need to ensure that every interaction a customer has with the business is secure? Are existing high-friction controls driving poor compliance or attempts to circumvent them? What education can we offer customers to improve their own cyber hygiene and reduce the risk?

Security is everybody’s responsibility

Security and risk management require a team effort, and everyone has to buy in. That’s why I believe in the power of reframing the issue in a simplified, positive way for both technical and non-technical employees.

Think of security in terms of personal health choices and routines. Visit the dentist, update passwords. Get a vision test, check social media privacy settings. Eat five fruits and vegetables a day, choose a difficult-to-guess passphrase. Encourage employees to take care of their “digital selves” like they do for their physical selves.

People might think of “leading through change” as the business catchphrase of 2020, but it has been an unprecedented, eventful year that has challenged all of us to level up as leaders. CISOs face a new and growing set of risks in 2021 as offices remain closed and customers adapt to new ways of working and living. As the “risk expert” at the table, it’s the CISO’s responsibility to get out in front of the risks and changes on the horizon: get familiar with them, experiment with different approaches and have a plan for when they arise.

Nasrin Rezai, chief information security officer, Verizon