Cyber threats are among the top ten highest-rated critical risks of organizations today and for 2030, according to Protiviti’s Executive Perspectives on Top Risks for 2021 and 2030. The constantly changing risk environment requires companies to be agile in how they adapt and address cyber risks. CIOs and CTOs often transform business solutions to enable the business using tools such as artificial intelligence (AI) and Internet of Things (IoT). But with these tools comes new or increased cybersecurity and technology risks.
Moving off legacy platforms into more agile technology environments such as Microsoft Azure (and other cloud providers) enables organizations to safely benefit from the opportunities that such tools bring. When approached in a thoughtful and disciplined manner, organizations can accomplish their transformational objectives while, at the same time, taking notable steps to improve their security posture.
As organizations continue to modernize their technology platforms, key cybersecurity disciplines and approaches need to be considered. CIOs should:
- Build resilience into the foundation of the cybersecurity program
- Implement new approaches and technology architectures that will be needed to securely enable the business
- Respond to adversarial events with visibility, speed and agility
- Collaborate with C-suite leaders and provide education where necessary to garner understanding and support
New approaches to data protection
One of the key technology shifts that has shaped cybersecurity programs is the move to cloud (i.e., XaaS)
, drastically impacting the efficacy of traditional cybersecurity technologies and forcing organizations to evolve and update their cybersecurity architectures. It also has led to a de-emphasis of perimeter-based controls wrapped around the corporate network as the focus shifts more to identity and data-centric approaches. Capabilities such as micro-segmentation, Secure Access Services Edge (SASE) and software-defined perimeters are now needed to securely enable employees and conduct business with customers. While endpoint devices such as laptops and mobile devices will play a role in organizations for a long time to come, these new architectures are required to extend traditional controls out and away from the protection of corporate networks to any location around the world.
Resilience as a foundation
When no longer constrained by legacy platforms and outdated technologies, organizations can leverage a variety of new and evolving technologies like the cloud to significantly decrease the likelihood of a sustained outage with business impact. From high availability architectures to enhanced workload and service management, CIOs must take a thoughtful and intentional approach to capitalize on the opportunity and build resiliency into the go-forward architecture. Speed, funding and pandemic-supporting operations, however, are preventing these changes from happening quickly. It is also important to note that some areas of a business, such as assembly lines (some of which are FDA certified) are unable to legally move quickly to adopt cloud and replace legacy applications.
Visibility, speed and agility
One aspect that many cybersecurity practitioners tend to agree on is that experiencing a security incident is not a matter of “if,” but “when.” Zero trust architecture as a security model has started to catch on because one of its core philosophies is to always assume that adversaries are in an organization’s environment. This significant mind shift not only impacts how a program is designed, but where and how budget is applied. An “assume breach” philosophy pushes an organization to turn from heavy investment in preventative controls to a more balanced portfolio that includes an emphasis on visibility and response.
Organizations can minimize cyber risk exposure and incident impact to business operations through enhanced monitoring, detecting and response capabilities that feed an organization’s agility and speed, support resiliency, and potentially reduce adversary dwell time.
Engaging with the C-suite
All C-suite members must understand their roles in the company’s cybersecurity risks and ensure appropriate cybersecurity oversight in their respective operations and transformation projects. CIOs who collaborate with their executive counterparts recognize that while CIOs drive many cybersecurity decisions, joining forces with the rest of the organization’s leadership team helps solidify technology implementation and change management while boosting ROI. Each C-suite member is uniquely impacted by cyber technology:
Chief Information Security Officer (CISO) – There is a significant reliance on IT and cybersecurity working closely together to monitor, detect and respond to cyber incidents. As large-scale attacks progress and elevate risk profiles, it is imperative that CIOs prioritize cybersecurity in step with CISOs.
Chief Risk Officer (CRO) – Difficult investment decisions are made by CFOs. CROs must help uphold the ROI on such decisions by placing IT and security risk on a par with other enterprise risks.
Chief Audit Executive (CAE) – To the extent cybersecurity impacts internal controls, auditors must have the proper training to audit controls in a cloud environment.
Chief Marketing Officer (CMO) – CMOs must be well-positioned to produce a secure enablement of the customer journey, including securing customer identity and access management (CIAM).
Business Leaders – To build resilient businesses, leaders must take an active role in enabling IT with a strong understanding of business goals and services. Accordingly, business leaders must help contribute to recovery from adverse cybersecurity incidents.
Employees – Employee buy-in through proper training and change management strategies is instrumental to cybersecurity transformation and modernization projects.
Where do companies go from here?
Cybersecurity demands agility and resilience. As organizations move through their enterprise transformation journeys, it is important that they consider the following issues to optimize ROI:
- Proper cyber ‘hygiene’ is foundational to managing security risks and maintaining resilience of business services.
- Organizations should have a clear maturity assessment of their current cybersecurity protection, with the target maturity level agreed on by both the CIO/CISO and top executives or the board. This will allow the CIO/CISO to plan for future improvement.
- Companies must mitigate cybersecurity risk without slowing down enterprise transformation and should search for opportunities to boost enterprise value with novel tools such as Greenfield cloud environments.
- CIOs and CISOs should evaluate the extent of cybersecurity implementations with an eye on enterprise transformation, carefully determining the measures required for minimally viable products or services and adding greater cybersecurity complexity where needed.
- With cyber threats expected to be among the top ten risks for organizations across the next decade, CIOs must ensure that their organizations have effective cybersecurity programming to mitigate risk and protect their company’s valuable assets during and after digital transformation.
Learn more about Protiviti’s Cybersecurity Services.
Connect with the authors:
Managing Director, Security & Privacy
Managing Director, Security & Privacy
Managing Director, Digital Transformation