Cyber threats are increasing in volume and complexity. To be ahead of the game, CISOs need to continuously review their cybersecurity processes and practices to ensure that adequate and effective systems are in place.

Faisal Yahya, CISO and CIO with more than 20 years of experience in cybersecurity, gives CIO ASEAN five tips for fellow CISOs on how to create a safer business environment.

1. Invest in threat intelligence programmes

Threat intelligence is information that organisations gather to understand existing or potential hazards targeting business assets or valuable resources. This intelligence is used to identify, prevent and respond to these threats through informed decisions.

In the IT context, cyber threat intelligence (CTI) is a collection of information gathered from sources that can be human or digital, internal or external to an organisation. This information is typically processed through some type of evaluation to verify its validity, and is used to provide context about the conditions necessary for a threat to exploit a vulnerability and whether the threat is actually being used by threat actors.

Although mainly focused on the IT aspects of an organisation, CTI also extends into other areas which aren’t necessarily IT assets but still affect an organisation, such as intellectual property or brand reputation.

A threat intelligence programme gathers information to prepare for, prevent and identify cyber threats looking to take advantage of valuable resources in a firm.

“Having a threat intelligence programme can save CISOs a lot of time by proactively identifying and continuously monitoring the risk before it becomes an attack,” says Faisal Yahya. “If necessary, increase your investment in improving cyber threat intelligence and analytics. This will help your organisation align the cybersecurity investment as closely as possible with the current threat faced by your business.”

When implemented correctly, a threat intelligence programme can help CISOs stay up to date with security threats, including methods, targets and vulnerabilities. It can also assist security executives in being more proactive about future threats – and keep leaders, stakeholders and users informed about the impact those threats could have on the business.

2. Integrate IT security and business risk management

Cybersecurity is not an isolated aspect of an organisation. Its impact goes beyond IT and can have serious legal and public relations implications. IT security, then, should not be detached from the wider business risk management strategy.

“IT security no longer works effectively in silos; it needs to be part of the organisation’s risk-based approach,” advises Yahya. “Every organisation that is willing to grow, streamline and innovate must integrate its current IT security into leadership and business decisions to keep pace with the continuous evolution of attack vectors.”

The potential damage of a data breach is a risk that not only concerns IT security but also affects other business areas, including brand reputation and customer loyalty.

Data is a valuable enterprise asset that requires organisations to abide by data privacy legislation, which adds to the risk management burden. CISOs and CIOs need to promote IT governance, including data security, as a way to guarantee that the IT strategy aligns with and supports the business’ overall goals.

In 2017, ISACA, a global association for information and technology audit, risk, governance and security professionals, surveyed more than 732 leaders from around the world and found that the governance of technology is now a board-level priority. Nearly all of the survey respondents agreed that strong IT governance is essential to strong business performance.

The same study found that 92% of respondents believe that better IT governance results in better economic outcomes, while 89% believe it leads to more business agility.

3. Ensure fluid C-suite communication

A 2018 report by Accenture found that a lack of collaboration at the C-suite level is jeopardising cybersecurity in the enterprise.

Only 40% of the CISOs surveyed said that they always confer with business-unit managers to understand the business before proposing a security approach, pointing to a shortage of ongoing communication and a lack of trust.

“A better engagement between CEOs, board members, and CISOs or CIOs will result in a fine-tuned and effective cyber risk mitigation strategy,” Yahya tells CIO ASEAN. “This engagement is the key to moving from direct risk identification and fixes into defining business impacts, governance methods, risk escalation steps and an entire-organisation response (impact on reputation, company culture, and profitability) – a holistic cybersecurity strategy at its best.”

CISOs and CIOs need to work with their C-suite colleagues and board directors to bring governance practices into the digital age. Now that boards are accepting that cyber risk management and regulations require their oversight as much as any other business risk, the time couldn’t be more favourable to strengthen communication at the senior levels.

4. Manage third-party risks

It’s not rare to see organisations today outsourcing many of their core business functions to third parties and other vendors. These third parties and vendors often have access to sensitive data and internal systems – an inherent risk that CISOs should take into account when partnering with external providers.

Once access is given to third parties, threat actors also gain an additional route into your network. That’s why it’s vital to ensure that your contractors and third parties take cybersecurity seriously, and that there’s coordination with risk management in the case of an attack.

A survey by Soha Systems showed that third-party access is not a priority for IT and security C-level executives, yet it is a major source of data breaches.

While third parties cause or are implicated in 63% of all data breaches, a disproportionately small 2% of respondents consider third-party access their top priority in terms of IT initiatives and budget allocation.

“IT vendors and third-party partners can introduce security flaws into organisations,” says Yahya. “Business and cybersecurity leaders must manage these risks to the same standard as is being implemented within the organisation.”

Firms should take a risk-based approach to managing third parties. The first step in managing these risks is creating a risk assessment, which takes us back to the step of an integrated IT and business risk management strategy. CISOs and CIOs should only use third parties that they feel comfortable working with and that can provide evidence that they share similarly robust cybersecurity standards.

5. Gamify cybersecurity training

Yahya’s last tip for ensuring a cyber-secure workplace is gamification.

Gamification is the process of introducing games, including competition and reward mechanisms, into a non-game context to boost engagement and foster communication. Businesses are using it today to improve work practices, including in cybersecurity and data privacy training.

“[Through gamification] all stakeholders are taking part in securing the organisation’s cybersecurity in the long run,” says Yahya. “This will also make it easier for the business to plan for and monitor any potential attacks against company cybersecurity systems.”

Some of the benefits of gamification include the ability to engage users and retain talent. Using elements of game-playing, CISOs can educate staff to be more cyber-aware. Some games are complex, with levels to pass and points to earn. But it can also be as simple as sending out “test” phishing emails and rewarding staff for not opening them.

In short, gamification is about making cybersecurity training as easy and accessible as possible for workers. Through interactive and engaging games, CISOs can ensure that colleagues keep up with ongoing cyber threats without having to sit through long, technical presentations which would otherwise probably fall on deaf ears.