The UK government’s recent investigation into the total cost of cybercrime put into concrete terms a concern that will come as no surprise to many IT teams. The investigation observed that malicious cyber attacks now cost the UK economy an eye-watering £27bn per year.
Although staggering, acknowledging the sheer scale of the problem may come as a relief to many put-upon security teams that feel they are under 24-hour siege.
Businesses are starting to embrace an all-hands-on-deck approach. Just as a house with a locked front door is never safe while a window is left open, a CISO can only keep an organisation safe and maintain the digital trust of consumers if all staff are involved in creating a ring of steel against cyber threats.
“Involving all staff will establish a more diverse and effective circle of protection,” states Tony Hughes, director of cybersecurity consulting at ANSEC and ISACA member. “Any organisation needs lots of people who don’t think like each other to identify different risks and settle them as quickly as possible.”
Deploying a holistic security posture across departments requires a company-wide commitment. But despite their pivotal position, many CISOs do not feel empowered to lead collaborative defences. In a recent survey of 2,755 global business and IT professionals, ISACA found that only half felt there was sufficient collaboration at their organisation to promote digital trust.
With the accelerated pace of hyperconnected business, organisations face new considerations for establishing and sustaining digital trust and transformation - but one won’t happen without the other. IT leaders acknowledge this as 76% agree that digital trust is important to digital transformation.
Working more openly can help CISOs plug substantial gaps across teams. Most business-critical problems, even technical ones, have a significant human component which can only be mitigated by making staff themselves more resilient against an attack.
Before the pandemic, security leaders largely oversaw how businesses utilised technologies to operate more than the people behind those operations. “Sweeping change has come about because people need the relevant skills and training to run technologies securely and effectively,” says Ramses Gallego, CTO at CyberRes and ISACA member. “People who are empowered to do so will become cybersecurity advocates and encourage other employees to take on relevant training to avoid disruption and set the business up for success.”
Historically, CISOs have relied upon their developer or engineering backgrounds, focusing extensively on the technical side of security. But strategically speaking, modern security leaders have more to bring to the table. “In today’s complex economy, with digital trust making or breaking an enterprise, CISOs need to bring not only technical expertise but also strong business acumen and the ability to clearly communicate risk to the board and C-suite,” says Chris Dimitriadis, chief global strategy officer at ISACA. “Today’s CISOs must view themselves as a key business enabler that, by aligning security strategy with enterprise goals, helps to make security a driving force of the enterprise’s ongoing pursuit of digital trust.”
On top of fighting cyber apathy, reduced budgets and changing business priorities, CISOs must seek support from other areas of the business. Bringing in risk-aware departments and engaging the entire width of the C-suite can foster cyber resilience across departments regardless of technological know-how, says Allan Boardman, founder of CyberAdvisor.London and ISACA member.
“Any department that holds employee or consumer data is at risk,” says Boardman. “As a first priority, businesses need to get the fundamentals right and encourage all employees – whether they work in HR, operations, or marketing – to sign up to good security practices, so they know what to look out for, what to avoid, and how to report any unusual activity.”
Getting an entire organisation rowing in the same direction is a challenge for the ages. In order to rise to the occasion, the CISO must be at the forefront of change. The hard work on mitigating cyber risk must extend beyond the IT and security teams to permeate every facet and function of the organisation at every level.
To learn more, visit isaca.org/digital-trust