Security Think Tank: Reframing CISO-boardroom relations
Emma Bickerstaffe is a Principal Research Analyst with the Information Security Forum (ISF).
The year 2021 was touted as a time to step back and review the decisions organisations had made in haste during a crisis, decisions that materially changed their risk profile.
The events of 2020 saw a major upheaval in the business landscape around the globe, placing high expectations on information security teams to protect organisations’ information, while enabling a disorientated remote workforce to continue business operations securely.
To accommodate new business requirements, digital transformation plans were accelerated, new technologies were adopted with minimal due diligence, and temporary measures were put in place to limit disruption to the supply chain. It was inevitable that the speed of those changes would introduce new risk, much of it unassessed.
Ideally, organisations would have moved from responding and adjusting to the global pandemic into a new era of resuming "normal" operations, allowing the business to regain control and look to the future. But disruption did not wane as governments worldwide continued to yo-yo between lockdowns, partial lockdowns and easing of restrictions, cementing hybrid working as a permanent fixture, perhaps the only certainty for chief information security officers (CISOs) and their teams.
This highlights a lesson for risk and security practitioners: the speed of digital business, coupled with an uncertain world, means we can never truly be in complete control of risk. We must continue to rethink how we work with the business to keep information risk within acceptable, but dynamically changing, levels of tolerance.
Information security practitioners need to be nimble, conciliatory and creative to keep pace with the rate of digital transformation, business innovation and the constant flux in working arrangements. Planning for a return to normality is futile; planning for the unknown will enable security teams and the business to deliver a rapid response that is more informed and assured.
For many CISOs, the pandemic meant they suddenly had the ear of the board and secured long-awaited investment to implement high-priority initiatives that met business demands. As threats morph, regulatory requirements tighten and attackers become more stealthy in their tactics, ongoing management of this business relationship is vital.