A great leader in a coaching session asked me, "When is the best time to plant a tree?", to which, without analyzing the question too much, I replied, "In winter!". He quickly corrected me: "10 years ago!".
It has been 6 months since the pandemic began, and it has certainly changed the lives of all of us worldwide. They have been challenging months on the health, economic and social fronts, in which we have had to adapt to the new normal. From the very first days, the phrase "It's time to reinvent ourselves" was heard in many different settings.
During this pandemic, we met, as we have every decade, with a group of cybersecurity leaders in Colombia to analyze what is going to happen with our industry in the next 10 years. Our first meeting was held ten years ago, in 2010. In 2020, we dared to make new projections. On this occasion I raised the risk of the loss of CISO leadership in organizations.
You may all wonder why I am concerned about the relevance of the CISO. I want to explain it through 5 big mistakes:
- In the face of the threat, we fix systems and not the business: Our role as cybersecurity leaders has been conceived as a technical function. In reality, this position has evolved, and today it focuses on transforming a reactive capability in the face of technical problems (implementing controls and technical tools) into the management of risk and uncertainty, based on cost and benefit.
- Our purpose in organizations is to create value in managerial spaces: we put up a barrier and create a disconnect by speaking in technical terms to the organization's Board of Directors. We must understand expectations, be strategic, and translate our technical cybersecurity language into business language.
For more than 15 years, I have been working on evidencing how security decisions impact a company's P&L, sharing my ideas with boards and positioning the CISO in a strategic way in these types of spaces.
Graph 1. Impact of security decisions on financial statements.
- Our portfolio of cybersecurity projects is not part of the business strategy: Generating trust with customers becomes a strategic element. A common mistake of the cybersecurity role is not having a strategy aligned with the business. This failure results in cybersecurity not being integrated in the early stages of the development of new products or services.
- We make decisions based on perceptions and not data: The transformation of all industries has been supported by the "data-driven" concept, and cybersecurity is no exception. Supporting our decisions with data becomes fundamental in senior management. Therefore, the CISO must come to the steering committees with the security posture, KPIs and information that supports decision making and, additionally, the continuous improvement of the operation and proper data-driven management.
- The excuse of a lack of resources: The cybersecurity function is unbalanced. On a day-to-day basis, we find that our function is evaluated not for all the incidents that did not impact the organization, but for the few that really could not be managed. We also find that the resources allocated to cybersecurity are much smaller than the budget allocated to the technology area. That cannot be an excuse. Our role must be to look for alternatives and constantly improve our execution, analyzing cost-effective strategies in terms of the management, control and operation of cybersecurity. Increasingly, automation and orchestration strategies are gaining momentum in this evolving aspect of our role.
The risk of losing the CISO's positioning in organizations is very high. We need to develop skills and capabilities so that this vision of the future does not become a reality. As the great leader Julio Leonzo Alvarez (RIP) taught me, "It is better to start 10 years earlier!"
Our projects and initiatives
We at A3Sec Group are working on an initiative aimed at generating knowledge and developing content for CISOs. We will soon launch a blog called "The CISO's diary" to share all these ideas and continue supporting the relevance of this position in organizations.
Additionally, we have created a discussion space with industry leaders to exchange points of view, resolve doubts, share opinions, etc., around the CISO role. Join us very soon for our first #CafeconCISOs!