The CISO role can be your competitive edge

Feb 10, 2020
The CISO role is relatively new and the competitive advantages it brings are beginning to become apparent, write Nicola O’Connor and Yousef Hazimee.

Cybersecurity is an ever-growing concern for all businesses and one that cannot be ignored. In larger organisations, the Chief Information Security Officer (CISO) is typically responsible for overseeing the security control environment and keeping the organisation's systems and data secure. However, this traditional view of the CISO does not consider the opportunities for the CISO to create value for the business and turn their position into a leadership role that provides a competitive advantage for the organisation.

So how can a CISO successfully evolve their role given their existing commitments? And what must the organisation do to support them in this endeavour?

Business and leadership

All CISOs must have a thorough understanding of the organisation's business, its product lines and its overall business model. This is imperative because the CISO role typically spans the breadth of the organisation. Without this understanding, the CISO cannot maximise value creation, as they will not know what the business considers truly valuable. It can be achieved through experiential learning, multi-disciplinary work experience and the establishment of cross-functional committees.

In addition to understanding the business, the CISO must ensure appropriate support from the C-suite and the board. This requires strong leadership and interpersonal skills to ensure that sufficient resources (financial and human capital) can be secured. The breadth of the CISO role, as well as regulatory guidance – most notably in the financial sector – means that cybersecurity is a board-level issue. This provides an excellent opportunity for the CISO to articulate their value through demonstrable delivery against cybersecurity objectives, showing how these align and support the broader organisational strategy, and how they protect the business.

The board must also empower the CISO by giving them opportunities to make board presentations and provide periodic updates. The board should challenge the CISO and ensure that it is receiving meaningful cybersecurity metrics that inform its decision-making: for example, the proportion of critical vulnerabilities remediated within the agreed timeframe, trended over successive quarters, rather than raw counts of blocked e-mails. Quantitative metrics of this kind are imperative because they are easily consumed by board members and make trends readily identifiable.

Strategy and risk

CISO activities should always align with organisational objectives. A cybersecurity strategy is therefore vital: it not only shifts the CISO role from a technical one to a strategic one, but also gives both the CISO and the board assurance that the CISO's activities align with broader organisational objectives. The added benefit for the CISO is that a defined and approved strategy helps to secure resources.

Another way to highlight the importance of cybersecurity in an organisational context is to embed cyber risk in the wider IT and enterprise risk frameworks. This allows the CISO to frame cyber risk in a business context and, ideally, to identify the business services affected by, and the monetary losses attributable to, individual cyber threats.

Framing cyber risk alongside other enterprise risks (such as regulatory and financial risk) gives a more accurate reflection of the overall risk to the business and can inform decisions about prioritisation and investment. Fundamental to this is a clearly articulated, quantifiable and proactively managed risk appetite, which is necessary to support the decision-making process.
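As an added illustration (not from the article, and not AIB's own method or figures) of what expressing individual cyber threats as monetary losses and testing them against a quantifiable risk appetite can look like in practice, the Python sketch below quantifies a few threat scenarios by event frequency and per-event loss range, simulates annual losses, ranks the scenarios by expected annual loss to guide investment, and checks the result against an appetite statement of the form "no more than a 5% chance of annual cyber losses above 10 million". All scenario names, frequencies, loss ranges and the appetite figures are constructed assumptions for demonstration only.

```python
"""Added illustration: expressing cyber risk as annual monetary loss and testing it
against a quantified risk appetite.

Every scenario, frequency, loss range and appetite figure below is a constructed
assumption for demonstration; none comes from the article or from AIB.
"""
import math
import random
from dataclasses import dataclass

# z-score of the 95th percentile of the standard normal distribution
Z95 = 1.6448536269514722


@dataclass(frozen=True)
class Scenario:
    """A threat scenario quantified by how often it happens and how much one event costs.

    events_per_year is the expected frequency (Poisson mean); loss_low and
    loss_high are the 5th and 95th percentiles of the loss from a single event.
    """
    name: str
    events_per_year: float
    loss_low: float
    loss_high: float

    def lognormal_params(self):
        """Fit a lognormal single-event loss whose 5th/95th percentiles are loss_low/loss_high."""
        log_low, log_high = math.log(self.loss_low), math.log(self.loss_high)
        mu = (log_low + log_high) / 2
        sigma = (log_high - log_low) / (2 * Z95)
        return mu, sigma

    def expected_annual_loss(self):
        """Analytic mean annual loss: frequency times the lognormal mean exp(mu + sigma^2/2)."""
        mu, sigma = self.lognormal_params()
        return self.events_per_year * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) by multiplying uniforms (Knuth's method, fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenarios, years=20000, seed=1):
    """Monte Carlo: total loss in each simulated year across all scenarios, sorted ascending."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    params = [(s.events_per_year, *s.lognormal_params()) for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for lam, mu, sigma in params:
            for _ in range(poisson(rng, lam)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Value below which fraction q of the sorted sample lies."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


def assess(scenarios, appetite_loss, appetite_probability, years=20000, seed=1):
    """Compare simulated annual losses with an appetite of the form
    'no more than appetite_probability chance of losing more than appetite_loss in a year'."""
    totals = simulate_annual_losses(scenarios, years, seed)
    prob_exceed = sum(1 for t in totals if t > appetite_loss) / len(totals)
    ranked = sorted(((s.name, s.expected_annual_loss()) for s in scenarios),
                    key=lambda pair: pair[1], reverse=True)
    return {
        "expected_annual_loss": sum(totals) / len(totals),
        "p95_annual_loss": percentile(totals, 0.95),
        "prob_exceeding_appetite": prob_exceed,
        "within_appetite": prob_exceed <= appetite_probability,
        "ranked_scenarios": ranked,  # highest expected loss first: where investment should go
    }


# Constructed scenarios (illustrative figures only, not real data)
SCENARIOS = [
    Scenario("Phishing-led account takeover", events_per_year=4.0, loss_low=20_000, loss_high=400_000),
    Scenario("Ransomware outage of a core platform", events_per_year=0.1, loss_low=2_000_000, loss_high=40_000_000),
    Scenario("Third-party data leak", events_per_year=0.5, loss_low=100_000, loss_high=5_000_000),
]
# Constructed appetite: at most a 5% chance of annual cyber losses above 10 million
APPETITE_LOSS = 10_000_000
APPETITE_PROBABILITY = 0.05

if __name__ == "__main__":
    result = assess(SCENARIOS, APPETITE_LOSS, APPETITE_PROBABILITY)
    for name, eal in result["ranked_scenarios"]:
        print(f"{name:40s} expected annual loss {eal:>14,.0f}")
    print(f"portfolio expected annual loss  {result['expected_annual_loss']:>14,.0f}")
    print(f"95th percentile annual loss     {result['p95_annual_loss']:>14,.0f}")
    print(f"P(loss > appetite)              {result['prob_exceeding_appetite']:.3f} "
          f"-> {'within' if result['within_appetite'] else 'outside'} appetite")
```

The point of the exercise is the shape of the output rather than the constructed numbers: a ranked list of scenarios in the same monetary units the board uses for every other enterprise risk, and a yes/no answer against a stated appetite, which is what turns "we are exposed to ransomware" into a prioritisation and investment decision.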

Product development

Building relationships and gaining knowledge of product lines and services allows for greater involvement of the CISO in product development. This embeds a 'security by design' culture, which allows for more seamless and appropriate security controls while substantially reducing the cost and time to remediate defects, because they are discovered earlier in the development cycle. This shortens time to market and ensures a smoother customer/user experience, while allowing for greater functionality on potentially less secure customer endpoints such as mobile devices. This is particularly important for higher-risk apps, such as mobile banking. Greater CISO involvement earlier in the development lifecycle also allows emerging technologies to be adopted securely.

Evolving the CISO role

CISO roles have traditionally been inward-facing, but this is starting to change, particularly for CISOs in larger organisations. For example, clients now regularly look for evidence of suppliers' adherence to security frameworks and standards, and such evidence is generally considered a minimum requirement for larger tenders. Other stakeholders, such as rating agencies, insurers and pension trustees, now seek assurance that appropriate cybersecurity controls are in place. Gartner claims that by 2022 cybersecurity ratings will be as important as credit ratings when assessing the risk of business relationships.

From a reputational perspective, the CISO benefits from the fact that cybersecurity affects almost everyone, given the pervasiveness of social networks and people's growing digital footprints. This creates opportunities, through outreach and corporate social responsibility initiatives, to educate communities on how they can better protect themselves and their children online. This is especially important for digital natives, who may not understand the scale and impact of their digital footprint. Such outreach can, in turn, build digital trust in your brand.

The CISO role is relatively new, and the competitive advantages it brings are beginning to become apparent. No longer is it the CISO’s sole responsibility to protect the business; they can also be a real differentiator between organisations as the impact of their role on an organisation’s bottom line becomes more evident. The most significant value creation will be achieved by those organisations that select the right CISO and empower them to deliver.

CISO: Creating a competitive edge

In a recent survey, security was the number one reason given by US participants for selecting a bank. Meanwhile, in the UK, 85% of consumers claim that they will change their spending habits with brands that have been the subject of a security breach or hack. When growing compliance requirements, data growth rates and a global shortage of cybersecurity talent are factored in, it is not surprising that most Chief Information Security Officers (CISOs) concentrate on their core role of protecting the business.

These CISOs, however, risk missing a valuable opportunity to become a real enabler and strategic driver for the business. Through a combination of active stakeholder management, goal alignment and a thorough understanding of the business and its product lines, a CISO can create demonstrable value and transform their role from one of pure risk management into one of strategic importance, with a voice in decisions at the highest level of the organisation.

As a simple demonstration of how security can provide a competitive advantage, look no further than mobile banking. Security in mobile banking apps is of the utmost importance, but it can be seen as restricting the functionality and service offerings of these apps. Through new technologies and the application of security by design principles, robust and user-friendly controls can be used to safely introduce new, higher-risk functionality such as one-time payments and direct debit/standing order set-ups. This allows banks to differentiate themselves from their competitors and gain market share.

Nicola O’Connor is Chief Information Security and IT Risk Officer at AIB.

Yousef Hazimee is Cyber Security Practice Manager at AIB.