CISOs’ Profile Keeps Rising, But Does Attention Equal Sufficient Support?
Cybersecurity is becoming a cornerstone of organizations’ growth strategies. This puts cybersecurity leaders in the spotlight, with rising influence and rising responsibility, according to Deloitte Global’s fourth Global Future of Cyber report, which was released today.
“Stemming from the climbing number of cyberattacks, the report underlines the growing responsibilities CISOs are having as important allies to their CEOs and boards, particularly as their influence expands across an increasingly tech-savvy C-suite,” Deloitte noted.
Deloitte targeted individuals at the director level or higher, including C-suite executives, in organizations with at least 1,000 employees and $500 million in annual revenue. Nearly 1,200 respondents participated, representing 43 countries and six industries.
Prior research from Deloitte found that cyber was evolving beyond its IT roots and becoming an essential element of the framework for delivering business outcomes. This year’s report goes further, finding that cybersecurity is increasingly being integrated into technology transformation activities. The research also reaffirmed the emergence of a more influential chief information security officer (CISO) and a more cyber-savvy C-suite.
The Global Future of Cyber found that around one-third of cyber decision-makers reported a significant increase in CISO involvement during strategic conversations about tech-related capabilities in the past year. CISOs are also increasingly in non-tech reporting structures, with 20 percent of respondents saying their CISOs report directly to the CEO rather than a chief information officer or chief technology officer.
Despite senior executives’ growing recognition of the importance of cybersecurity, though, only 52 percent of survey respondents said they are very confident in the C-suite and board’s ability to adequately navigate cybersecurity. Among C-suite respondents who are focused mainly on cybersecurity, only 34 percent are very confident.
Financial support is in decent shape for cybersecurity leaders. More than half of the global respondents surveyed by Deloitte anticipate increasing their cybersecurity budget during the next 12 to 24 months, and 58 percent said they expect to begin integrating their cybersecurity spend with budgets for other programs, such as digital transformation initiatives or cloud investments.
This wider investment underscores how cybersecurity is interwoven into activities and services across the business. Building a connection-driven program helps leaders make more informed strategic decisions that align with business objectives and mitigate cyber risks effectively, the report said. But this means that the CISO role needs to evolve.
Getting support in today’s environment means more than getting funding, however, says Sharon Chand, cyber risk principal at Deloitte Risk and Financial Advisory. Among U.S. respondents, 41 percent of cyber leaders reported that getting adequate support from their C-suite or board is a barrier to their company’s cybersecurity strategy.
CISOs need to be able to outline the business objectives they want to achieve and ask for the specific support needed to achieve them—this means convincing organizational leaders to invest time, personnel, and insights as much as money, Chand tells Security Management.
“It’s easy to say ‘I need budget to achieve my project objectives,’” she says. “It’s harder to be able to say that these are the business outcomes that I want to drive with my cybersecurity initiative. Here’s why it matters to this part of the business or to this executive, and here’s what I need you to do.”
This involves being able to talk to executives in terms and contexts that will resonate with them, such as connecting a zero-trust initiative to supply chain risks through supplier management concerns. That’s a more effective way to get buy-in that extends beyond simple awareness and into the realm of partnerships and collaboration, Chand adds.
“As the CISO’s voice of influence grows across leadership, and as organizations seek to become more cyber-savvy, we foresee them becoming an essential partner to advise and educate the board of directors and the C-suite on security vulnerabilities, risk scenarios, and actions needed for greater resilience,” the report said. “In the future, the CISO will be expected to not only lead the organization’s overall cyber security strategy, but will also provide strategic guidance, collaborating closely with other C-suite executives to align security initiatives with business goals.”
But CISOs face an uphill climb to confidently and successfully navigate a complex business climate and educate the C-suite about risks. This will necessitate a wave of CISOs with effective executive skills to build coalitions and partnerships, especially when they need to influence decisions around key technology adoption or digital transformation.
“The responsibility for protecting the enterprise will always be there, but now we are seeing an increased need for that CISO to focus on collaboration across his or her executive peers so they have the support and buy-in necessary to go drive this kind of change,” Chand says. “So, while the technical skills are going to be needed so the CISO can, you know, speak the language of her team and stay relevant to the threats that are evolving in the marketplace, she also has to understand the business, what the business’s priorities are, and how to best enact change across the enterprise.”
For security leaders looking to build out their influence in these cross-department, strategic efforts, Chand frames the areas for improvement into three dimensions: time, talent, and relationships.
Time. For CISOs to be able to play more strategic roles in the organization, they must be able to prioritize their limited time around building relationships, protecting the enterprise, and setting strategy for the future.
Talent. When it comes to talent, CISOs should evaluate if they have the talent on their team to support them across different initiatives. “If it’s a manufacturing heavy company, do you have that type of talent on your team? Do you have leaders that you can delegate day-to-day security operations responsibility to, so that the CISO isn’t firefighting?” Chand asks.
Relationships. Cybersecurity leaders need to carefully evaluate who their key partners should be across the organization, whether that’s a chief risk officer, operations officer, or supply chain officer. Those relationships are crucial when it comes to building resilience, Chand tells Security Management.
“Resilience is a question of what is most important to the business—what do I need to recover first? What are the business priorities that I need to focus on? Is it my manufacturing line? Is it my payroll? Is it my supply chain? That has to come from a cooperation with the C-suite leaders, chief operating officers, chief financial officers, helping to set those business priorities and enable your CISO to be resilient and effectively respond to events,” she adds.