Chapter 6

Aligning business and cybersecurity priorities – Devoteam experts’ point of view

« Rethinking cybersecurity governance. »

The figures show that leaders are convinced that security is essential and have no intention of cutting corners on it, but they also show that leaders sometimes lack the maturity to balance security investment decisions against change-management priorities. As a result, they tend not to accept proposals that are not backed by a business case and explained convincingly in language they understand. It is therefore crucial that someone connects the business issue, the business risk and the underlying technology. This should be the role of the CISO, but in many companies the CISO reports to the CIO, who is then ultimately responsible for explaining why IT needs to invest in security. Making that case is not necessarily a strong point of CIOs, and security competes with other IT priorities for resources and budget.

This is why the governance of cybersecurity needs to be rethought. Separating the IT and security roles eliminates this conflict of interest. The CISO is then able to obtain buy-in directly from the business and its executive management. On the basis of that commitment, the CISO can specify requirements to IT, which acts as a service provider fulfilling a formal request. CISOs will have to frame their arguments around the notion of risk, which top management knows and accepts, rather than the vaguer and more demobilizing notion of security gaps. In addition, the CISO needs to be in a position to put in place business-related indicators that measure the level of cybersecurity risk. Cybersecurity suffers from a serious lack of visibility, and this is one of the main obstacles to making the right decisions at the right time.

« The CISO must become a business enabler. »

Attached to the CIO, the CISO is hampered because, as the study shows, the two roles have different priorities: the CIO seeks to secure the IT system as a whole, whereas the CISO seeks to secure the business activity itself. The trend, however, is for the business lines to bear responsibility for securing their own developments. The CISO must therefore be able to communicate directly with the business lines, raise their awareness, guide them towards appropriate solutions and then justify the investment. Detached from the CIO, the CISO also escapes the traditional culture of reducing IT costs, and can show that security is not a cost centre but a lever for value creation.

The CISO must become a business facilitator and present themselves as such. To do so, they must abandon their «cyber-centrism» and stop thinking primarily in terms of potential threats, thinking instead in terms of products and services and the risks associated with them. The CISO is not required to be an expert in every technology, but is the person in the organization who understands them well enough to connect them to business issues. To be convincing, the CISO must be able to demonstrate that the proposed countermeasures will bring the business risks under control. Even if things are changing, we are still far from this scenario. In most cases, the CISO is caught up in operational urgency and does not have the means to put in place the culture, tools and methods that would make security part of everyday life. They find themselves confined to the role of security guard and firefighter, when their vocation should be to help the company grow.

« A wall of incomprehension persists. »

The results of the study show that a wall of incomprehension persists between cybersecurity professionals and business-line managers, many of whom still perceive security as a constraint. As a result, security is addressed without always being given enough importance, or without seeing what it could bring in terms of acceleration, trust and shorter «time to market», for example. Blame for this misunderstanding is shared. On the business side, although cyber risk is now acknowledged, biases and prejudices remain that prevent the right measures from being taken. On the security side, we do not always know how to promote the message and, because of the distance from the business, the stakes for the company are not always properly understood.

To tackle this situation responsibly, everyone has to do their part. The key to making collaboration a natural process is to establish a risk metric that is clear, understandable and beyond dispute for all parties. The right balance between risk and operational need is then found by weighing one against the other: on the one hand, the business owner knows and accepts the risk being taken in relation to what is at stake; on the other, Security finds the most appropriate solution in terms of cost, protection and impact on operations. Such a solution is not necessarily complex. As in business intelligence, cybersecurity is first and foremost a matter of simple precautions taken every day. It is a culture, a DNA, before it is a technological subject.

Contacts

Renaud Templier
Cybersecurity Group Offer Director, renaud.templier@devoteam.com

Martin Esslinger
Partner, Devoteam. martin.esslinger@devoteam.com

Jørgen Papadopoulos
Partner, Devoteam. jorgen.papadopoulos@devoteam.com

Benoît Micaud
Partner, Devoteam. benoit.micaud@devoteam.com