Of all functions, cybersecurity is still typically the youngest at the board table. However, aware of the need to mitigate a rapidly growing business risk, most organisations have not held back in propelling it quickly to a strategic level.
Aware of the need to consolidate these gains, security leaders met in Central London to discuss how their roles should continue to develop in the coming year to further embed themselves at a senior level. They quickly settled on a number of key points.
Cultural change agents
There was agreement that, in an ideal world, security acts less as a reactive function and more as an architect of a cultural shift. Risk mitigation should effectively become a behaviour expressed by employees in everything they do. Done correctly, this stops human-borne threats such as social engineering, but also puts security front of mind while building products or negotiating supplier relationships, for example.
Achieving this state, it was agreed, requires education across every area of the business. Security needs to be present outside of its silo – embedding itself in everything from the board table to individual users. Building a secure mindset is an iterative process requiring trust and reinforcement.
Part of achieving this transformation is making individual teams accountable for their own cyber risk. Those present agreed this is a necessary shift – as it reinforces the importance of secure behaviours. A number of approaches were suggested, such as asking those purchasing software to sign a contract accepting responsibility or getting them to make a case to a risk committee for approval.
A defining feature of cultural change is that it can only take root if it trickles down from the very top of the business.
To achieve this, executives must be engaged by their CISO and have faith in their judgement. Trust is born of transparency – security leaders agreed they earn the backing of the board only by being honest about the risks the company faces.
Engaging with them requires another skill – business storytelling. Threat data, incidents and metrics only mean anything when seen through the lens of cost impact – for example calculating the value of incidents avoided or quantifying how security is helping achieve better outcomes in contract negotiations.
Only then will boards realise cybersecurity is more than just a sunk cost. It is a function which enables the business.
The value of positive framing
The room also agreed that culture can become a self-sustaining cycle of security amongst the wider workforce if it is celebrated. By showcasing positive outcomes – and moving away from the stereotype of being a ‘negative department’ which enjoys blocking, restrictive policies and punitive actions – people are motivated to change behaviours.
The assembled audience acknowledged their passion for the job should set the tone for this step change in perception – which can be tactically reinforced by publishing success stories on internal communications channels. Raising profile in this way will also present a more human face to employees, encouraging them to open up about potential transgressions or ask for advice.
The importance of self-protection
Running somewhat counter to the need for shared responsibility, CISOs agreed they also need to ensure they protect themselves in an environment of increasingly punitive regulators. The shadow of recent actions by the SEC in the Equifax case will hang long over 2024 for many.
Against this backdrop, it was agreed that it is more important than ever to document decision making to prove responsibilities have been discharged correctly. Those present also stressed that honesty and integrity must be present in all executive-level discussions, and that CISOs should not be pushed into shouldering a burden of risk they are uncomfortable with. They agreed, too, on the importance of ensuring all decisions escalating up the tree are codified in bylaws and policies.
Ultimately, as realists, security leaders know much of this will manifest gradually over time – rather than being an immediate switch as soon as the calendar changes to 2024. More than any other facet of the job, CISOs acknowledge that, given it is the result of a multitude of behaviours, security culture takes time – but is worth waiting for.