Chief Information Security Officers (CISOs) have a key role to play in safeguarding the data increasingly stored in the cloud and mitigating cybersecurity threats, while also ensuring compliance with IT regulations, standards and policies.
The cloud is increasingly becoming the ideal environment for business leaders to grow and operate. With fast speeds and customer-centric characteristics like zero downtime, instant cross-channel functionality deployment and real-time performance management, it is an obvious choice for businesses looking for newer, more flexible and faster systems of engagement with customers.
However, in this evolving digital world, it only takes one successful cyber-attack, such as a phishing email, to bring an organisation’s website to its knees in minutes. Added to that, recent events have shown that it can be nearly impossible to recover efficiently and effectively, jeopardising a hard-earned reputation with customers.
To fight against external cybersecurity issues, chief information security officers (CISOs) must ensure that cloud and cybersecurity risks remain on the agenda with business leaders, boards and executives. Although most executives understand that a risk management-focused cybersecurity model is crucial, many do not view the cloud or cybersecurity as an organisational issue but instead compartmentalise them as more of a compliance or IT checklist issue.
This simplification puts a strain on the CISO’s role. With all these new complexities thrown into the picture, how can CISOs ensure the cloud and cybersecurity are taken care of and well regulated? The following points are the top areas of focus for a CISO in the modern enterprise.
- The cloud and cybersecurity are business problems
The first is to pledge that risks to the cloud and cybersecurity are addressed as a business problem, rather than a departmental problem. With CISOs being the guardians of sensitive customer information and business value delivery, they understand the importance of keeping data safe and secure, particularly in the light of today’s stringent personal data regulations. CISOs should then ensure that they are part of a core team looking at the organisational risk appetite, which can include aspects like loss of IP or customer information, as well as business operation disruption, and much more.
The CISO should regularly present the risk to organisational security in the business context. This means linking IT assets and their residual risk scores with their business importance. As opposed to examining new cybersecurity investments from the perspective of an annual investment or upgrade, CISOs should consider the trade-offs between the new investments versus the status quo, as part of a more strategic and organisational perspective.
- CISOs should focus on control, not cost
Secondly, the focus needs to be on the controls, rather than on the cost. If the CISO is not able to effectively implement controls for data segregation, data security and infrastructure security, then the cost of keeping the data in the cloud can become very high.
It is vital to incorporate the right set of controls into an organisation’s cloud deployments from the start. This will help to establish a sustainable monitoring mechanism, ensuring that cloud investments have a positive balance from a total cost of ownership perspective.
- Don’t let governance become an afterthought
The third area for CISOs to focus on is making sure effective governance and reporting does not become an afterthought. It is important to keep business stakeholders informed on IT policies and controls from the start, especially those established as critical to business operations and cybersecurity.
An agile governance and reporting programme should be put in place to capture not only the organisational IT assets and ecosystem but also any cloud arrangements. This system should handle all risk- and compliance-reporting requirements and their correlation with business operations, so that the information is easily accessible to business heads.
- Have a business continuity plan in place
CISOs should be able to guarantee that the business continuity plan is in place and ensure that it remains one of the main focuses for an organisation. Cyber-attack planning and the subsequent response is one of the biggest challenges for the CISO. Indeed, when a company relies on cloud-based infrastructure, the problem becomes even more complicated.
A clear incident response strategy, together with mass notification and tracking tools, is among the capabilities that will be critical if businesses are to ensure that disruptions are handled in a tightly coordinated manner. In order to achieve this goal, it is important for CISOs to understand the business context of the organisation.
- Is cyber-insurance the answer?
Lastly, CISOs should ask themselves whether cyber-insurance might be the answer to the organisation’s risk exposure. Soon, compensation for cyber-attacks and the resulting loss of reputation, data and revenue is going to become a common expectation for businesses. A CISO should proactively review the need for, and the requirements of, obtaining cyber-insurance, and then counsel business stakeholders appropriately. This will be an important strategy for minimising possible financial losses from lawsuits, business disruptions and data breaches.
In today’s highly connected internet world, cloud-based IT ecosystems and cybersecurity are ever-growing in both social and business spheres. The CISO needs to keep the focus on sustained support from top management if they want to succeed in their cyber-fortification efforts and maintain an esteemed reputation for the organisation.
Crucially, CISOs need to broaden their perspective across the business context, financial aspects and wider strategic objectives, to ensure that the organisation’s data security evolves in line with them and is understood by the entire organisation. If digital enterprises want to continue to grow and innovate, CISOs should not be asking whether they are doing enough today, but instead be more forward-thinking and ask whether they are doing enough to protect against what could happen tomorrow.
Vibhav Agarwal
AVP of Cyber Initiatives