Besides what the CIO, CDO and CISO are doing, what is the CFO’s and CHRO’s role in building the right foundations for cybersecurity in the organization?
In the US and EU, many organizations implement security with the primary purpose of complying with regulations. Such a checkbox-based approach is unfortunate because it leads to organizations that are fundamentally less secure.
In Asia, where regulatory oversight is generally lighter, CIOs/CISOs feel less pressure to take such a route.
How is this a blessing in disguise, and how does it allow other C-suite executives to be more involved in a more holistic manner in an organization’s cybersecurity? And how does AI come into play?
CybersecAsia finds out more from Terry Ray, Data Security CTO and Fellow, Imperva.
The US and European Union may be more mature than Asia in terms of data-related regulations, but why is that not necessarily a bad thing for Asia Pacific organizations?
Ray: In highly regulated US and EU countries, many organizations implement security measures primarily to comply with regulations like GDPR. These regulations emphasize a proactive approach to cybersecurity, advocating for the integration of security measures into the design and development of systems, processes, and products from the outset rather than as an afterthought.
However, due to factors like resource constraints or lack of expertise, many organizations often prioritize meeting compliance requirements over developing long-term, strategic security measures. This superficial, checkbox-based approach is not optimal for security because it discourages organizations from considering security from the ground up, and from establishing the right foundations to build upon over time as business needs change and cyber threats evolve.
It is precisely this latter approach that ultimately enables organizations to have a much stronger security posture, as opposed to one created piecemeal by CISOs/CIOs trying to meet different regulations at various times.
Elements of a strong cybersecurity foundation include building a strong security culture, implementing employee training, conducting risk assessments and orchestrating responses based on their findings, continuously monitoring network traffic, and diligently updating software and systems.
In what ways can organizations in Asia Pacific pay more attention to cybersecurity and data protection beyond mere regulatory compliance?
Ray: Many organizations today face the challenge of having data and operations spread across cloud, on-premise, and hybrid systems. As a result, it is difficult for security teams to have constant, comprehensive visibility into where their data is, what types of data they have, and the potential risks to that data.
Organizations thus miss data risk insights and specialized context, such as a risk profile that changes as an organization evolves, for instance, through an acquisition. This makes it nearly impossible for security teams to prioritize incident response and minimize risk to the organization.
Organizations need to change how they approach data security. They need a deeper and more comprehensive understanding of where risk resides in their environment so that security teams can prioritize incident response more confidently for maximum efficiency and resource optimization. Executives will also be able to better understand their organization’s data risk coverage.

Beyond protecting data from breaches, APAC organizations can emphasize ethical data management and privacy-by-design principles. This involves assessing customer data collection, usage, and sharing, ensuring transparency, and respecting customer consent. Such a commitment to privacy can build trust with clients, especially in data-sensitive industries.
What are the key elements of a strong cybersecurity foundation?
Ray: Data is the foundation of businesses, so robust cybersecurity for the enterprise starts with robust data security. When protecting data, the four tenets are:
- Confidentiality: Ensuring sensitive data is only accessible to those who actually need it and are permitted to access it according to organizational policies while restricting access for others.
- Integrity: Ensuring data and systems are not modified due to actions by threat actors or accidental modifications. Measures should be taken to prevent corruption or loss of sensitive data and to quickly recover from such an event if it occurs.
- Availability: Ensuring data and systems are accessible when needed, without downtime or interruptions, to support business operations and decision-making. Measures such as redundancy and disaster recovery planning can help achieve this.
- Auditability: Ensuring that organizations maintain clear and detailed audit trails of how sensitive data is handled. In the event of a data breach, auditability enables an organization to demonstrate its efforts to secure sensitive data and provide logs and records proving that no sensitive information was exposed or stolen. This not only supports regulatory compliance but also fosters trust by showcasing accountability and transparency in data protection practices.
Beyond data, other essential components of a strong security foundation include a pervasive security culture, a clear understanding of the risks facing the organization, and constant vigilance.
While CIOs, CDOs and CISOs put in place the relevant data security infrastructure, policies and practices, what roles do non-technology C-suite executives such as the CFO and CHRO play in building such a foundation?
Ray: Organizations must embed cybersecurity into their corporate culture rather than treat it as a compliance checkbox. This involves fostering vigilance in employees’ professional and personal digital practices, and implementing ongoing cybersecurity training at all levels.
A security-focused culture relies on continuous education about threats like phishing and social engineering, and the adoption of strong access controls such as passkeys. This effort should span the entire employee lifecycle, fostering vigilance and awareness at every stage. CHROs play a pivotal role in driving this transformation by championing training programs and embedding security awareness into the organization’s core values and daily operations.
Beyond training, CHROs can strengthen security by:
- Policy development and enforcement: Creating and enforcing guidelines on acceptable use, remote work security, and incident response.
- Access management: Implementing the principle of least privilege to ensure employees only access information necessary for their roles.

By taking the lead on these fronts, CHROs can fortify the human element of cybersecurity, transforming employees into the first line of defense.
CFOs, on the other hand, play a crucial role in enhancing organizational cybersecurity by leveraging their expertise in risk management and financial oversight. Here are several ways they can contribute:
- Separation of duties: In the highly targeted Financial Services and Insurance (FSI) sector, leading institutions like FSISAC recommend that CISOs report directly to CFOs instead of CIOs. This separation of duties eliminates potential conflicts, as CIOs must balance business demands with security needs. CFOs, as fiduciaries, bring a risk-focused perspective, often supported by legal and risk teams, enabling CISOs to build more robust cybersecurity strategies. Other industries are increasingly adopting this model.
- Risk assessment and prioritization: CFOs can work closely with CISOs to identify and prioritize cyber threats based on their potential financial impact. This helps ensure that resources are allocated effectively to mitigate the most significant risks.
- Budgeting and investment: By understanding the financial implications of cyber threats, CFOs can advocate for appropriate cybersecurity budgets.
- Communication and reporting: CFOs can translate complex cybersecurity risks into financial terms that resonate with stakeholders, including the board of directors. They also ensure compliance with regulatory requirements, such as reporting significant cybersecurity incidents to relevant authorities.
In what ways is AI already – and potentially – transforming data security?
Ray: Pivotal drivers for AI integration in security tools include content creation, behavior prediction, and knowledge articulation. Organizations can optimize these use cases to streamline tasks, anticipate privacy risks, and create chatbots to enhance customer experience and drive workload efficiency. Integrating generative AI into security operations more widely enables security and IT teams to focus on innovation and scaling operations.
AI is also improving productivity and threat recognition capabilities. Security teams are often burdened by repetitive and time-consuming tasks like monitoring network traffic and reviewing security logs. Generative AI can automate many of these activities, giving security professionals more time to perform strategic work, such as rebuffing new attack tactics.
Most importantly, generative AI removes the need for direct human intervention and enables real-time responses to attacks, which can mean the difference between a minor incident and a major data breach.