Click here to view
techUK launches The CISO at the C-Suite report
techUK’s newly launched The CISO at the C-Suite report tackles the key question of how the Chief Information Security Officer role should engage at C-Suite and Board Level, leveraging influence to ensure cyber security is seen as an enabler of the rapid digital transformation that all organisations have seen throughout 2020.
As cyber security increasingly underpins and enables business growth across all sectors, and enables the Fourth Industrial Revolution to gather pace, the CISO function must seek to educate, garner and leverage support from the C-Suite and Board levels to drive change across their organisations.
"Boards drive the business agenda, so changing the narrative to Cyber Security as an enabler of everything the organisation does will filter down through the organisation. As we continue to see rapid digital transformation across all sectors, technology decisions are best examined with a view of the cyber security impact and driving competitive advantage. In the largest organisations the CISO function is at the heart of this."
Our report makes five recommendations to enable the CISO to add differentiated value and to create a strong foundation of cyber security knowledge across the business:
- The CISO must have visibility of the wider business and be empowered to drive change where it is needed. Cyber security is a strategic level priority in all organisations and cannot simply be ‘managed’.
- Transformative efforts must be placed in the right perspective: the CISO must agree the right timeframes for change, looking at longer-term transformation where necessary, beyond immediate tactical firefighting and quick wins.
- Clear reporting lines and responsibilities must be implemented from the outset. The C-Suite should set objectives indicative of the broader digital transformation that the organisation wants to see.
- The CISO function – irrespective of its reporting line – must have a clear, independent budget approved by the Board and commensurate to the transformation objectives set by the Board.
- The CISO must be able to communicate in Board-level terms, framing cyber security as a business enabler and identifying actions/initiatives in terms of business value rather than risk. This must extend to regulatory requirements and how they translate into planned initiatives. A consistent communication approach, with easily understood messaging and content, is important to build understanding and support.
Driving good cyber security practices into the wider organisation is a cultural change, and one that can be difficult to make across corporate silos. techUK’s report highlights the need for the CISO to foster collaborative relationships with the C-Suite and Board levels in order to support that change across the business. Cyber security is increasingly an enabler of all functions across all organisations because it allows growth by protecting the business: it is not simply a risk to be managed. The CISO must sit at the heart of an organisation, and the success of any individual in the role relies on them being suitably positioned, supported, and enabled.
However, enabling the CISO role is only the start of the journey. Our report argues that we still focus only on technical expertise and experience as being necessary traits for a CISO and, while this is important, it’s not the requirement and capability which will engage, lead and drive change across a business through the digital age.
This report is the first in the wider techUK Cyber People Series, which will be exploring how people can be the strongest element of the UK’s cyber defences. The aim of these reports is not to be prescriptive but to support organisations and stakeholders in making the right decisions, highlighting best practice across UK sectors, and sharing insight from industry leaders across a range of topics. This first document intentionally starts at the top of the tree in terms of cyber defenders – the role of the CISO, and the CISO function, in the largest organisations.
Future reports in this important series will examine the CISO function more broadly, including implications for medium and small businesses. The next one will explore what the role of the 2021 CISO function should look like, and how they can leverage the support detailed in The CISO at the C-Suite to accelerate transformation.
You can find the full report here.
Listen to The CISO at the C-Suite episode on the techUK podcast with report contributors Jean-Christophe Gaillard and Jason Tooley.