The Disconnect Between C-Suites and CISOs Endangering Aussie Organisations
- Written by Scott McKinnel, Country Manager ANZ at Tenable
Cybersecurity threats thrive in a climate of uncertainty. This makes it more important than ever for organisations to get ahead in identifying risk, particularly amid a global pandemic. However, a disconnect exists between the expectations of businesses and the realities facing security leaders, preventing organisations from taking an effective approach to managing and reducing cyber risk.
A recent study by Forrester, commissioned by Tenable, found that only three in 10 security leaders in Australia say they can confidently answer the question, “How secure, or at risk, are we?” — proof that a gap currently exists despite massive investments in cybersecurity. These findings suggest that CISOs are ill-equipped to provide a clear picture of their organisation’s cybersecurity posture in a way business leaders understand, which narrows the possibility of a meaningful dialogue between security and business leaders.
Going forward, how can C-suite executives and CISOs collaborate to narrow the gap and ultimately secure their organisations from increasing threats?
The need to work towards a common goal
Over the past two years, there has been a dramatic increase in the number of business-impacting cyberattacks, with 73 per cent of Australian businesses reporting they’d fallen victim during this period. Of these, 39 per cent suffered damaging financial loss or theft, 39 per cent reported a loss of customer data and 36 per cent reported a loss of employee data. If business leaders weren’t already aware, this data reinforces the fact that cyber risk can have an enormous impact on the core functions of an organisation and cannot be solved in silos.
Encouragingly, the federal government, in announcing a $1.35bn cybersecurity investment, has demonstrated the strategic importance it is placing on the country’s cyber defence. This should signal private sector organisations to follow suit. Ultimately, it is only through a common, shared approach that business leaders and security experts can close the gap and reduce the risk of cyberattacks amid looming threats.
The impact of COVID-19
The current health pandemic has created unforeseen challenges for organisations around the globe and cybersecurity is no exception. Malicious cyber actors are actively targeting everyday consumers and Australian organisations with COVID-19 related scams and phishing emails, with experts predicting these incidents are likely to increase in frequency and severity over the coming months.
Security leaders must consider that many employees are now operating remotely and therefore should take into account new security risks that previously weren’t a major issue. In any scenario where corporate devices have left a secured network to operate in a potentially insecure home network, the attack surface expands.
The same Forrester study found that while 96 per cent of organisations globally had developed COVID-19 response strategies, three-quarters reported that their business and security efforts are, at best, only “somewhat” aligned. This disconnect between business leaders and CISOs will become even more critical as uncertainty around COVID persists.
Closing the gap between business and security leaders
It’s tough for business and security leaders to be on the same page when they don’t speak the same language. Cybersecurity leaders can begin remedying this by reframing their initiatives as business priorities: communicating business value and ensuring their objectives align with business needs. Indeed, Forrester’s research found that fewer than 50% of security leaders frame the impact of cybersecurity threats within the context of specific business risk. Moreover, only half (51%) say their security organisations work with business stakeholders to align cost, performance and risk-reduction objectives with the business.
One of the key ways that security leaders can bridge this gap is through metrics that speak to business risk. Eighty-five percent of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers. Another way is through internal and external benchmarking. Just as any company leader will evaluate financial performance versus their competitors, security leaders can become more business-aligned by clearly articulating expectations and demonstrating improvements versus peer companies and internal groups.
In turn, business leaders need to provide their security experts with the right combination of technology, data, processes and people to succeed. One of the most important ways to achieve this is through giving the CISO visibility of an entire company’s operations by elevating their role within the company, to ensure that security is baked into every business decision from the start. With complete visibility, security experts can take a holistic view of the company’s most critical assets, and make risk-based decisions to prioritise efforts.
Staying ahead of the curve
There are two languages being spoken. Business leaders want to know, ‘What’s the cause, what’s the headline, what’s the risk?’ The language barrier between business and security leaders is a chasm. When this is the case, how can Australian organisations realistically expect to guard against increasing cyber threats? By connecting the language and metrics of security and business leaders, and by empowering cyber leaders with complete visibility over assets, organisations can take an important first step to close this gap.