Maksim Kabakou - Fotolia

Security Think Tank: Reframing CISO-boardroom relations

Security learning is a career-long process, so as 2021 draws to a close, participants in the Computer Weekly Security Think Tank sum up the most important cyber lessons they’ve taken away from the past 12 months

The year 2021 was touted as a time to step back and review decisions that organisations had made in haste at a time of crisis that materially impacted their risk profile. The events of 2020 saw a major upheaval in the business landscape around the globe, placing high expectations on information security teams to protect organisations’ information, while enabling a disorientated remote workforce to continue business operations securely.

To accommodate new business requirements, digital transformation plans were accelerated, new technologies were adopted with minimal due diligence, and temporary measures were put in place to limit disruption to the supply chain. It was inevitable that the speed of those changes would introduce opportunity for risk.

Ideally, organisations would have moved from responding and adjusting to the global pandemic, to a new era of resuming “normal” operations that would allow business to get back in control and look to the future. But disruption did not wane as governments worldwide continued to yo-yo between lockdowns, partial lockdowns and easing of restrictions, cementing hybrid working as a permanent fixture – perhaps the only certainty for chief information security officers (CISOs) and their teams.

This serves to highlight a lesson for risk and security practitioners – the speed of digital business, coupled with an uncertain world, means we can never truly be in complete control of risk. We must continue to rethink how we work with business to maintain information risk within acceptable, but dynamically changing, levels of tolerance.

Information security practitioners need to be nimble, conciliatory and creative to keep pace with the rate of digital transformation, business innovation and the constant flux in working arrangements. Planning for normality is futile – expecting the unknown will enable both parties to deliver a rapid response that is more informed and assured.

For many CISOs, the pandemic meant they suddenly had the ear of the board and secured long-awaited investment to implement high-priority initiatives that met business demands. As threats morph, regulatory requirements tighten and attackers become more stealthy in their tactics, ongoing management of this business relationship is vital.

So, 2021 should be remembered as the year when CISOs and boards started to reframe their relationship beyond emergency, high-tempo demands with a view to embedding deeper, more functional collaboration. As ever, this requires the CISO to understand board-level concerns and priorities, and how that translates to protecting the organisation’s information assets and technical infrastructure. This business view needs to be as holistic as possible to cover the organisation’s operating processes, strategy, revenue streams, customers, suppliers, partners, premises, and so much more.

Conversely, the board must acknowledge how important cyber risk is to business outcomes and pull its weight when it comes to owning the accountability for its management. The C-suite may be more tech-savvy than ever before, but continuous technological developments and more intricate threat scenarios means its knowledge quickly becomes out of date if CISOs are not providing them with the necessary support.

Ultimately, the responsibility for security decisions is vested in the CEO, while it is the CISO’s role to influence and inform. Pitched at the right level and conciliatory in tone, this close engagement will enable information security teams to react in real time – not just to evolving threats, but also to a shifting operating environment that is dictated by external pressures outside an organisation’s control.

Security Think Tank Christmas special: 2021 in cyber

Read more on IT risk management

Data Center
Data Management