Here are three areas of renewed focus that Chief Information Security Officers can master in order to keep their role relevant as it evolves.
As cyber threats have grown in intensity and sophistication, cybersecurity has become a more strategic business priority and is no longer the sole responsibility of the CISO’s office; it has become a broader corporate responsibility.
Due to this corporate focus on cybersecurity, many organizations’ security functions have changed dramatically in recent years. Security departments used to be completely separate and were often perceived as an obstacle to new initiatives. Now, this is unthinkable due to the pace of modern business. CISOs have had to evolve in their role to become transformational leaders who can empower the business and drive innovation.
Their previous role of safeguarding an organization against cyber threats and reducing potential risks has expanded to become more strategic and influential. Their performance is now measured not only by whether the business suffers losses because of a data breach, but also by how security enables new initiatives and makes it possible to launch new services and applications to market faster. They are increasingly facilitating digital transformation projects with Zero Trust frameworks, in which verifying identity is treated as a continuous process and an essential building block rather than a one-time check at the perimeter.
Advice to today’s CISOs
CISOs’ work has become incredibly challenging as they are pulled in many different directions. Consequently, experienced CISOs are now being rewarded better, are more respected in their organizations, and often have a seat on the board.
The best advice I can give up-and-coming CISOs is to keep up with evolving cyber regulations and stay compliant, and to make sure the security function is valued as much as it should be. The following are some aspects to keep tabs on:
- Regulatory compliance
As more businesses become digital-centric, the CISO must track the evolving regulatory and compliance landscape and its data privacy and security implications. Depending on the organization, this includes standards and laws such as the Payment Card Industry Data Security Standard (PCI DSS), the Online Safety Act 2021 and the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SOCI).
- Identity-driven security
Many key ingredients needed to implement zero trust security are already at a CISO’s disposal. These include identity and access governance, authentication, authorization and privileged access management. There are clear links between traditional identity and zero trust. In the expanding corporate perimeters of work-from-anywhere policies, proactive CISOs can look forward to the myriad benefits of implementing identity-driven security across the organization.
CISOs must ask themselves: What is the value of the company’s business data for stakeholders? Who may want that information, and what value does it have for them? Are passwords still relevant for identity-driven digital economies? Can we do better with a passwordless future that is highly secure, easy to implement and easy to use?
- Modernization of authentication
The industry is on the cusp of replacing passwords and legacy multi-factor authentication methods (one-time codes sent by SMS or email, push approvals) with modern open authentication protocols such as FIDO2. Because a FIDO2 credential is bound to the relying party it was registered with and the browser reports the actual origin of the page requesting it, a look-alike phishing site cannot obtain a usable assertion. This enables widespread adoption of phishing-resistant authentication, such as hardware security keys and platform authenticators, that is easy to use, deploy and manage.
Ultimately, this will help CISOs eradicate an entire class of issues that have long been associated with passwords. Implementing passwordless practices will help mitigate cyber risks and allow CISOs to spend more time on strategic projects. The shift away from passwords will also enable security teams to be proactive rather than reactive in their work.
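To make the phishing-resistance claim concrete, the following is an added example (not code from the original article or from any FIDO vendor) of the relying-party checks in a WebAuthn authentication ceremony that bind an assertion to the legitimate site: the issued challenge, the browser-reported origin, the hash of the relying party ID inside authenticatorData, the user-presence flag and the signature counter. The relying party ID `login.example.com`, the allowed origin, the look-alike origin `login-example.com`, the fixed challenge and the synthetic authenticatorData are all constructed for this example. Signature verification over the returned `signed_bytes` with the credential's registered public key is the final step and is left to the caller, since the Python standard library has no ECDSA.

```python
import base64
import hashlib
import json
from dataclasses import dataclass

# Constructed example values (not from any real deployment): the relying
# party ID this server uses and the browser origins it accepts.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding clientDataJSON uses."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class AssertionCheck:
    ok: bool
    reason: str
    signed_bytes: bytes = b""  # authenticatorData || SHA-256(clientDataJSON)


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, stored_sign_count: int,
                             require_user_verification: bool = False) -> AssertionCheck:
    """Relying-party checks from the WebAuthn 'get' ceremony that give FIDO2
    its phishing resistance. On success, signed_bytes is what the authenticator
    signed; the caller verifies that signature with the stored public key."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return AssertionCheck(False, "clientDataJSON is not valid JSON")
    if cd.get("type") != "webauthn.get":
        return AssertionCheck(False, "wrong ceremony type")
    # The challenge must be the one this server issued for this session.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return AssertionCheck(False, "challenge mismatch (replay or wrong session)")
    # The browser, not the user, fills in the origin, so a look-alike domain
    # produces a different value and is rejected here.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return AssertionCheck(False, f"origin {cd.get('origin')!r} not allowed")
    if len(authenticator_data) < 37:
        return AssertionCheck(False, "authenticatorData too short")
    # Bytes 0..31: SHA-256 of the RP ID the credential was scoped to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return AssertionCheck(False, "rpIdHash does not match this relying party")
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return AssertionCheck(False, "user presence not asserted")
    if require_user_verification and not flags & FLAG_USER_VERIFIED:
        return AssertionCheck(False, "user verification required but not asserted")
    # Bytes 33..36: big-endian signature counter. A value that does not
    # increase (when the authenticator supports counters) suggests a clone.
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if sign_count != 0 and sign_count <= stored_sign_count:
        return AssertionCheck(False, "signature counter did not increase")
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return AssertionCheck(True, "binding checks passed", signed)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser would produce for an assertion (constructed)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build the 37-byte authenticatorData prefix: rpIdHash, flags, signCount (constructed)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + sign_count.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server issues a fresh random challenge
    auth = make_authenticator_data(RP_ID, FLAG_USER_PRESENT | FLAG_USER_VERIFIED, 5)
    good = verify_assertion_binding(make_client_data(challenge, "https://login.example.com"),
                                    auth, challenge, stored_sign_count=4)
    phish = verify_assertion_binding(make_client_data(challenge, "https://login-example.com"),
                                     auth, challenge, stored_sign_count=4)
    print("legitimate:", good.reason)
    print("look-alike:", phish.reason)
```

In a real attack the look-alike site would fail even earlier: the browser only lets a page use an RP ID that is a registrable suffix of its own origin, so the authenticator would not find a credential for it. The origin and rpIdHash checks above are the server-side half of that same binding, and they are what a relying party must never skip.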
Continual education is key
The best way to mitigate cyber risks is to roll out end-to-end cyber-safety practices and continual training across the organization. The role of the CISO, then, is to engage and educate people at all levels on the importance of cyber hygiene.
Visible and continuous emphasis on user education is essential, as people have been used to the old ways for too long. Organizations will therefore need to put significant efforts into raising awareness, as they do with any digital transformation project, so employees can feel comfortable with the zero trust way of identity authentication.