It’s time for CISOs to have a seat at the table

In recognition that security is now (quite rightly) a top-line budget item, CISOs are being signalled to take their rightful place at the business decision-makers’ table. And this is a move that’s come down right from the top, with the Australian Government’s first-ever appointment of a Minister for Cyber Security in June 2022.

So, why is this appointment important, and why does it translate to a change in the traditional business table line-up?

An Australian first

Until now, cybersecurity has never had its own portfolio in the Australian cabinet. And no other government in the G20 (Group of Twenty), an intergovernmental forum comprising 19 countries and the European Union (EU), has a dedicated minister for cybersecurity.

With a reported 13% increase in cybercrime in the 2020-21 financial year (vs 2019-20), it’s a timely move, explains The Conversation: “With some 67,500 reports, that’s one incident reported nearly every eight minutes. Self-reported losses totalled more than A$33 billion, with more than a quarter of the incidents associated with critical infrastructure. Year to year, these numbers are on the rise. The growth in cybersecurity budgets over the past few years has signalled how seriously Australia is taking this. Allocated funds grew from $230 million in 2016, to $1.67 billion in 2020, to $9.9 billion in this year’s budget to implement the REDSPICE program.”

That breathtaking $9.9 billion budget (to be spent over ten years) is slated to make Australia a key ‘offensive’ cyber player. It will be invested in the REDSPICE (resilience, effects, defence, space, intelligence, cyber and enablers) program, which is designed to grow and enhance the intelligence and cyber capabilities of the Australian Signals Directorate.

While there are still discussions to be had about how the government will take the ‘offensive’ to counter global cybercrime, this level of commitment, along with the recent legislation changes impacting critical infrastructure discussed in our previous blog, most definitely heralds a new age for the CISO.

Cybersecurity as a business risk

While CISOs have long understood the importance of their role in the organisations they strive to protect, the Australian Government’s endeavours have further validated the value they bring to the table.

And Gartner agrees, saying the cybersecurity leader’s role needs to be reframed.

To quote their February 2022 article: “The role of cybersecurity leader needs to evolve, as accountability for cyber risk shifts outside IT and an increasingly distributed ecosystem leads to a loss of direct decision-making control.” And Sam Olyaei, research director at Gartner, says, “The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.”

Why are they saying this?

According to a recent Gartner survey, 88% of boards now regard cybersecurity as a business risk rather than solely a technical IT problem. (And 13% have directly responded to this realignment by setting up cybersecurity-specific board committees headed by a dedicated director.)

Gartner also predicts that at least half of C-level execs can look forward to employment contracts which feature performance requirements related to cybersecurity risk. This, of course, will affect those information risk decisions which are increasingly being made out of sight of the watchful eyes of IT and security. With new levels of contractual accountability for those decisions, Gartner expects to see “an inevitable shift in formal accountability to business leaders who are responsible to the CEO for delivering strategic objectives, such as revenue and customer satisfaction.”

All of this means that as the business takes on more responsibility for cyber risk, the role of the CISO must – and will – change.

So, what’s going to change for the CISO?

Instead of the CISO being responsible for preventing breaches, Gartner says the role will be reframed to facilitate risk management. Cyber risk will no longer be deemed ‘security’s problem’ but rightly regarded as a business/organisational risk. And rather than security posing a roadblock to speed, it will enable more secure and agile products.

Quite a change in mindset and approach. But, where to start?

At the 2022 Gartner Security & Risk Management Summit, Gartner shared its cybersecurity experts’ top 8 cybersecurity predictions for 2022-23, together with recommendations on which of them matter most for the next two years.

A starting point security recommendation from Gartner is to embrace zero trust. And with 60% of organisations planning to do just this by 2025, you’d be in good company. However, warns Gartner, more than half of those who adopt zero trust will fail to realise the benefits, saying: “…zero trust is both a security principle and an organisational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.”

And without reframing the role of the CISO and clearing that place at the table, it would be easy for CISOs to miss the zero trust mark, because they would not be empowered to make the other changes needed for success.

Zero trust, maximum benefits

Given that Gartner called out zero trust, and it’s an organisational risk – not just a ‘security problem’, let’s look at it more closely. Zero trust is a network security philosophy that states that no one inside or outside the network should be trusted unless their identification has been thoroughly checked.

So, it operates on the assumption that threats (from both outside and inside the network) are ever-present. Zero trust also assumes that every attempt to access the network or an application is a threat.

While these assumptions inform the thinking of network administrators, compelling them to design stringent, trustless security measures, the buck stops with the CISO. Without the right foundational tools and controls to work across the business architecture, and the top-down backing to enforce strict identity verification and other policies, the job’s not done.

The move to a single vendor SSE platform

Another critical strategic planning assumption that Gartner recommends CISOs build into their security strategies for the next two years is unifying web, cloud services and private application access via a single vendor’s security service edge (SSE) platform.

In fact, Gartner says that by 2025, 80% of enterprises will do exactly that.

As organisations undergo digital acceleration, their attack surface expands and network complexity increases. Simultaneously, cyber threats are becoming increasingly automated, sophisticated, and innovative. For today’s CISOs to deliver the expected secure, high-performing user-to-application connection, they need to look to cybersecurity mesh architecture (CSMA), which is incidentally another of Gartner’s top strategic technology trends for 2022.

And with the carrot of a 90% reduction in financial losses from cybersecurity attacks, it’s small wonder that CSMA platforms like ours are becoming a strategic imperative for business, not just a decision made away from the table.

Welcome to the table, CISO

The Conference Board C-Suite Outlook Report 2022: Reset and Reimagine, says that while over 40% of CEOs globally feel their organisations are well prepared for a major crisis like a pandemic, financial instability or an economic downturn, less than 40% say they’re well prepared to meet the challenges posed by a major crisis related to inflation, cybersecurity, supply chain disruptions, or climate change.

Even more reason for reframing the role of the CISO and clearing that place at the table.