For far too many enterprises, leveraging technology to deliver business outcomes is more frustrating than it needs to be. While what follows is more applicable to large organisations, its message can also benefit thinking and approaches at the mid-market level.
“Boards are having the wrong conversations about cyber security,” a feature in the Harvard Business Review from earlier this year declared.
“Our research shows that despite investments of time and money, most directors (65%) still believe their organisations are at risk of a material cyberattack within the next 12 months, and almost half believe they are unprepared to cope with a targeted attack. Unfortunately, this growing awareness of cyber risk is not driving better preparedness,” the article noted.
The problem is that cyber security is often seen in reactionary terms: it’s something that you invest in because regulation requires it or because you’re afraid of the material risks of a breach, and the cost to the business of failing to meet those standards or of being breached is extreme.
The right way to think about cyber security is as a strategic asset. To do that, organisations need to adjust their thinking about how they engage with it – and technology – across the business.
- The CISO needs to be talking to the board.
On the list of executives that regularly interact with the board, the CEO, CFO, and COO will typically get plenty of facetime. The CIO does as well, in organisations that aim to present themselves as innovators.
The CISO is often overlooked, and this creates problems.
The more nebulous the board’s understanding of cyber security, the greater the risk it will attach to it. As the HBR article noted, while 65% of board members believe the business is at risk from an attack, only 48% of CISOs – the people closest to the risk – share that view.
Company Directors are required to be risk-averse, and in the absence of information, they are likely to ascribe a greater level of risk to something. For CISOs to give them the confidence that the risk is being managed and that business-building outcomes through technology can be delivered safely, they need to make sure that they’re communicating effectively and frequently with the board in the first instance.
- The focus needs to be on outcomes, not technology.
Fewer than half of Company Directors have a technical background. For that matter, CEOs are more likely to have finance or operations backgrounds than anything technical. Talking technology with people at this level isn’t going to achieve much.
What will work, however, is highlighting outcomes and, particularly, the benefits of having a resilient technology environment. Shifting data and applications into the cloud, capitalising on IoT and edge deployments, and continuing to refine the ability to work remotely are all business benefits with a real benefit and ROI number attached to them.
By pointing to productivity gains, opportunities for new revenue streams, a better customer experience and the ability to access a broader range of talent, the CISO can calibrate the conversation on cyber security away from tech and specs and towards what cyber security delivers to the organisation. In doing that, the CISO will be in a stronger position to advocate for budgets and projects.
The CISO needs to be both technical and, dare we say it, enthusiastic about the transformative possibilities of technology for the business and its customers. The CISO can’t be a blocker, so worried or scrupulous about security that they stop progress; they must be an enabler. If they are, they need to be present at these high-level discussions.
Cyber security and business resilience are board-level discussion points. Too often, in the absence of better guidance, the decision will be to “lock the gate and throw away the key,” and the board will inhibit the ability of the organisation to leverage technology in pursuit of a “watertight” security environment that is unachievable. By being better engaged at the executive and board level, the CISO can instead highlight the value of resilience and preparedness, presenting a best practice approach to cyber security that is focused on adding value to the business.