When COVID-19 hit, Siemens USA Chief Cybersecurity Officer Kurt John was ready.
Well before the pandemic, Siemens had been thinking about the future of work. That future included transitioning to a remote, widely distributed, secure workforce. So when the world began quarantining, John says, the shift proved less traumatic, and far more productive, than it was for a lot of other companies Siemens’ size.
“No one knew COVID was coming, so I can’t claim to have had any special foresight,” says John. “But the fact we were already thinking ahead, aligning to business priorities, and putting strong security mechanisms in place put us in a much better position when the world changed. We were fortunate.”
Like other companies that endured a spike in cyberattacks during the pandemic, Siemens experienced a roughly 30% jump in phishing attempts last year. But its more than 385,000 employees were not heavily affected because of IT security’s preparedness. In fact, the global conglomerate saw a decrease in compromised systems in 2020.
It turns out, the same proved true for many other enterprises. Indeed, the jump in phishing and ransomware attacks did not directly lead to as many corresponding cyberbreaches as it could have. That’s because chief information security officers (CISOs) did their jobs well.
The result: CISOs, whose teams other C-suite executives had considered mere “cost centers,” found themselves sitting across virtual tables from the same executives—delivering value and impacting business strategy.
In fact, 81% of CISOs surveyed early this year say they now report to a board of directors, compared to 69% pre-pandemic, according to security executive search firm Hitch Partners. By 2025, 40% of boards will have a dedicated cybersecurity committee, up from 10% today, made up in part of former CISOs, according to a recent Gartner estimation. The emphasis here should be on estimation.
This visibility is by no means permanent for CISOs. Indeed, as the world regains some semblance of normalcy, and as security leaders gather virtually for RSA Conference 2021, CISOs are asking what actions they need to take to remain relevant.
“When the pandemic started, I think it might have been the first time I’d ever seen security staff receiving major accolades from senior leadership and the rest of the company,” says Chris Hallenbeck, CISO for the Americas at Tanium. “Many people finally started to understand how cybersecurity can not only keep a company functioning but also accelerate its growth. To keep seats at the table after the pandemic, CISOs will need to keep demonstrating how their teams help drive business.”
To do this, CISOs emphasize three key strategies.
Align with strategic business outcomes
Alignment with what drives growth for the business hasn’t always been IT security’s strong suit. Like many other technologists, CISOs often become enamored with the latest and greatest technologies without fully considering how that tech might affect a company’s ability to operate and attract new customers. Microsoft, for instance, famously unleashed early versions of its Windows Vista operating system in 2008 with so many restrictive security features that analysts, partners, the media, and customers lambasted it and enterprise IT departments reportedly ignored it.
Roger Kay, president of analyst firm Endpoint Technologies Associates, says CISOs have a history of overinvesting in well-intentioned security technologies that create little value for the business. With new momentum and recent security budget hikes, it’s vital for CISOs to avoid repeating that mistake.
“When you make it to the decision-makers circle and get a hold of more budget, it can be human nature to go a bit wild,” Kay says. “CISOs can’t afford to do that. To keep a seat at the executive table, they have to tighten the reins and avoid spending money on things that really don’t matter to the business.”
That means focusing, instead, on business outcomes. These include lowering operational costs, achieving greater resilience, improving employee experience, and boosting operational efficiency.
It can also mean making security a selling point for the company’s products or services, accelerating its digital transformation efforts (rather than being the bottleneck to them), ensuring the organization doesn’t run afoul of regulatory compliance issues, and trendspotting security issues that could increase revenues.
Foster fruitful relationships
Chris Payne, CISO for the U.S. real estate website Zillow, believes in the importance of staying close to senior leaders and being able to explain technical security concepts in ways they’ll understand and appreciate. But, he notes, it’s very much a two-way street. CISOs must be able to articulate business priorities and direction to their technically minded teams in order to get them on the same page.
It’s also critical, he says, for CISOs to be in those conversations from the start and to cast a wide net in developing relationships, because security doesn’t exist in just one department. In fact, by 2024, 60% of CISOs will need to establish critical partnerships with key executives in sales, finance, and marketing, up from less than 20% today, according to Gartner. Those relationships will outweigh the ones on the tech side. Gartner found that top-performing CISOs regularly meet with three times as many non-IT stakeholders as they do IT stakeholders, according to a survey the firm conducted in early 2020.
“CISOs need to be able to explain to everyone that if IT security is involved from the beginning, it can provide the security posture and flexibility the business needs to more safely experiment with new technologies,” says Payne. “It can help build a robust foundation to protect assets and the crown jewels of the business while paving the way for companies to roll out new products and apps with minimal risk and at a much faster pace.”
Enable what’s next
Building that kind of secure foundation lets organizations enable possibilities rather than having to defend against threats after the fact. Kurt John from Siemens says that when preparing his company for the future of work, his team knew that would include more endpoints operating outside the network. So, they devised a balanced and nonrestrictive plan for protecting remote devices that eventually paid off.
“All the prework we did proved beneficial, because when quarantining began, we already had a process for continually deploying controls to endpoints, no matter where they might be located,” he says.
John says what set this effort apart from traditional approaches was that it wasn’t necessarily built around locking people out of anything or saying no. It didn’t completely revolve around protecting operations, revenues, or workers. Rather, it anticipated business priorities and put security measures in place to pave the way for them to come to fruition.
That’s where CISOs can show real value, John adds, by engaging with senior leadership to understand the strategic journey they’re taking the company on and walking in lockstep with them.
“There are a lot of disruptive technologies out there—like cloud, 5G, IoT and AI—that are going to impact businesses,” he says. “One of the biggest challenges CISOs are going to face is knowing how to get in lockstep with leaders on these things when they themselves are still trying to figure out how to leverage them.”
Even if the path isn’t clearly defined, CISOs should be able to explain the cyber implications of those technologies to senior leaders so they can make informed decisions.