Gaurav Singh, CISSP, CCSP, shares his views on how the rapid acceleration and adoption of digitalization is reshaping the role of a CISO.

Digital transformation is everywhere, whether it's disrupting your finance department, supply chain, human resources, procurement or customer relationship management (CRM); the list is enormous. Every enterprise and its departments have either already completed a significant digital transformation, are currently working on one, or plan to go on such a journey soon.

This digitalization of business processes and operations, and of the underlying technology, applications and infrastructure, has made the job of a Chief Information Security Officer (CISO) more complex and challenging. It has required many CISOs to pivot in their approach to security to ensure the digital ecosystems of their organizations remain secure and protected from bad actors and constant cyber threats.

Scope: No Longer About Just Protecting the Systems Within the Firewall

Critical systems are no longer within firewalls, and enterprises rely more on third-party suppliers and cloud/SaaS-based systems to support their critical business processes. This digitalization of a company's assets and landscape has made the role of a CISO very complicated.

Digitalization across departments in an organization has changed and expanded the scope of work for many CISOs. It’s no longer just securing the network perimeter and traditional information security tasks. With digital transformation and more cloud and SaaS applications in play, the scope now includes working with third parties/vendors/suppliers to ensure due diligence/due care and organizational policies are being followed as well.

Complexity: Increased Threat Landscape

If data regulations across the world (GDPR, etc.) and other regulations that also cross into IT and security (such as Sarbanes-Oxley, PCI DSS and HIPAA) were not enough, the increased complexity of infrastructure and systems is adding to the complexity of the threat landscape and forcing all departments to enforce operational policies with greater vigor.

This increasing complexity with every digital transformation step is not making the job of a CISO any easier. The business focus and priority are rarely security, but rather the usability and functionality of the application. With every new application being implemented, the complexity of the landscape increases, so the work of the CISO and their team becomes more difficult both to implement and to secure buy-in for.

Collaboration: It’s All About Teamwork

Today, digital organizations need CISOs to focus not just on technology but also on the collaborative development of business processes, so that security is built in at the core and considers the people and technology around it. Collaboration with enterprise risk management becomes more critical at this point as well.

We talked about digitalization across the organization, and how it's more critical than ever for CISOs to collaborate with business leaders and other stakeholders. Forming cross-functional teams across critical functions like supply chain and finance is essential. The CISO role needs a seat on any organization-wide advisory board and is a key stakeholder in areas including, but not limited to, cybersecurity for supply chain risk and enterprise risk management. The working silos between cyber and business teams need to be broken, and the CISO, along with other leaders, now has the bulk of the responsibility to make it happen.

AI: Here to Stay, and Challenging a CISO’s World

If the current threat landscape and complexity were not enough, the advent of AI, especially generative AI like ChatGPT and Bard, is creating another type of threat to organizations. These generative AIs are seen more as foes than friends by most CISOs, but AI is here to stay, and more and more business users and leaders are looking to leverage it. CISOs need to accept the new generative AI world and work closely with stakeholders to approve and allow its use within the clear boundaries and limits defined in an organization's acceptable use policy. Generative AI can also benefit the cyber team, and hence CISOs need to investigate security use cases too, supporting the security team and its ability to respond.

Compliance with Regulations Worldwide: Think Local

A growing number of countries are developing local regulations that require compliance for any system, application or infrastructure that processes the data of their citizens or supports operations in that country or region. The digitalization of business operations in each region is also sometimes dependent on this local compliance, resulting in different regional and local vendor onboarding and creating another challenge for the CISO. Even with limited teams and support across regions, the CISO needs to make sure the organization not only remains protected and keeps PII data safe, but also complies with these varying local regulations.

Users: Train Your Weakest Link

Business users want the latest SaaS-based applications that make their lives easier and help them perform business functions more efficiently. Whether it's the use of robotic process automation (RPA), the often challenging bring your own device (BYOD), working remotely, or even the use of generative AI, the average user is not concerned about security, threats and attacks (ransomware, phishing, etc.). This makes the CISO's job more difficult to execute and maintain. The CISO and their team need to focus more on security awareness and on training users about cybersecurity trends, issues and threats, as research and real-world attacks have repeatedly shown that humans are the weakest link in any digital transformation. More open, cloud and SaaS-based technologies, and the increased threat landscape that comes with them, make keeping users cyber aware more important than ever.

Cyber Resiliency: Make Your Business-Critical Systems Resilient

With the digitalization of applications and the landscape, cyber resilience is more critical than ever. It is neither possible nor cost-effective to build resiliency into every application an organization has; hence, CISOs must work with the business to identify critical business functions, along with the critical systems, applications and infrastructure that support them, and target those for redundancy and resiliency so that core business functions can continue in case of a cyber incident or disaster. Cloud technologies have helped this greatly from an infrastructure and automation perspective. Still, the shared responsibility model and reliance on third parties have made it challenging to manage.

Continuous Monitoring: It’s All About Controls

Knowing your critical assets, defining controls around them to ensure due diligence and due care are maintained, and continuously monitoring those controls to identify any issues, incidents or fraud is also critical. With digital transformation projects and complex systems and landscapes, automating continuous control monitoring is recommended, but it may not be as easy as it sounds.

Finally, building a cyber mindset across the organization is more critical than ever. The responsibility probably rests more with the CISO and their team than with anyone else in the organization. Though the CISO needs support from other executive leaders, the CISO and their team must build relationships with stakeholders, including but not limited to enterprise risk management, internal and external audit, legal and HR, so that any digitalization happening in the organization includes security by design and is both successful and protected, making it a win-win for the organization and the cyber team.

Gaurav Singh, CISSP, CCSP, is a cybersecurity leader currently working at Under Armour. He has over 18 years of experience in IT security, specializing in ERP, cloud security and GRC, protecting and leading enterprise digital transformation from a cyber perspective.