Originally Posted by Forbes – via forbes.com – October 5, 2020
CTO and Head of Engineering at Arceo helping firms become cyber-resilient through smarter insurance products & dynamic security solutions.
As the cybersecurity threat landscape continues to intensify, it’s surprising to see most companies still marching forward with the belief that security belongs exclusively in the hands of chief information security officers (CISOs).
Now more than ever, companies need to think about security holistically across all aspects of the business — from people processes to continuity planning. And we as a community of tech leaders need to continue to help our organizations — despite size or industry — address this problem and think bigger.
Security Affects Everything
Security has been playing an increasingly essential role across all parts of businesses — from finance to HR to operations management — for a while. In the last few years, not only has the cost of a security failure increased, but a failure has also become more likely.
Our company recently collected one of the first sets of quantitative data on how the priorities of CISOs have changed since the world began moving to work from home due to Covid-19. Together with our research partner, Wakefield, we surveyed 250 CISOs and found that even before people were working from home, nearly half of all CISOs (48%) reported having experienced a security breach. That’s a lot of breaches — a number I expect will only increase as workplaces continue to carry on remotely.
In today’s environment, hospitals and healthcare facilities have been especially targeted. According to CISO Magazine, more than 40% of healthcare providers stated that they were planning to enhance their cybersecurity measures this year. While we fight the global pandemic, it’s especially important for security leaders to adapt to the changing threat landscape.
Because breaches are inevitable, the security and risk management decisions that CISOs need to make are less about finding budget internally and more about leveling the conversation between teams to create solutions.
Companies with empowered security leaders have transitioned from the mindset of “How do we think about the security properties of IT?” to “How does my whole organization become secure?”
Working From Home Brings New Risks
Now more than ever, employees are at risk. In the work-from-home environment created by the Covid-19 pandemic, employees’ company devices regularly reside in places far beyond the four walls of the office. Because the IT boundary has eroded, it’s no longer feasible for just one company leader to exclusively oversee the information security properties of the company’s internal network.
Compounding this issue, security leaders may be facing reduced budgets while shifting priorities to support current needs for remote work. McKinsey found that more than 70% of CISOs and security buyers believe budgets will shrink by the end of 2020 but plan to ask for significant increases in 2021.
Now, the home networks and infrastructure of each employee need to be taken into consideration. If companies shift to a BYOD (bring your own device) model, security requirements must be in place for personal assets as well. In the aforementioned survey conducted by our company of 250 CISOs at companies with $250 million to $2 billion in annual revenue, 96% of CISOs said they want additional coverage for vulnerabilities resulting from the work-from-home surge.
Security isn’t just hackers in the network — are your employees safe and secure in their homes? Are their doors locked? As the perimeter risk becomes broader, questions like these require a response.
Call to Action
Modern companies need to make sure that their management structure holds security at the level where it belongs. For example, most CISOs report having unmet needs for cybersecurity insurance. Almost 4 in 5 (77%) CISOs identified incidents they feel they need coverage for but report being unable to get it. This needs to be addressed by both management and insurance providers.
The following steps can help CISOs and cybersecurity operations teams prevent security from living in a silo:
1. First, executives need to make sure that those in charge of security are able to have direct lines to all ends of the business. The reporting structure of the CISO is less important than the ability of the CISO to interact with the board and company leaders. Similar to HR or finance execs, the leader of security provides a service that benefits the entire organization, so it’s vital that the reporting structure allows for this. Companies must consider how they can open the chain of command.
2. Once this structure is established, it’s important that CISOs take an active role in educating the board and all parts of the organization in how the company will bounce back from attacks. This might look like reporting directly to the board of directors, becoming a part of the C-suite or scheduling quarterly presentations. Everyone, including the C-suite and board, needs to be well-trained in the event a breach occurs.
3. Lastly, fostering adaptability and resilience related to security across organizations will be key. Companies that educate their teams on the latest threats will be poised for success. Those who succeed at this will stand out and eventually become the norm.
Covid-19 has changed the infrastructure of businesses faster than any other recent event, and it is time that security leaders are elevated to a position where they can lead companies forward in this new normal.